Laravel Security In Depth

Security Tip: Casting Request Values

[Tip#39] Not a new feature, but definitely worth knowing about.

Stephen Rees-Carter
Mar 6

Greetings friends! It looks like last week’s Timebox security tip was a bit of an eye-opener for everyone - new technologies like HTTP/2 bring all sorts of new concerns. This week we’re going back to basics and looking at a feature of Laravel’s Request object that isn’t strictly a “security feature”, but can reduce vulnerabilities and produce more robust code.

I’ve had some availability open for my Laravel Security Audits and Penetration Tests in the next few weeks, so reach out if you’d like me to test the security of your app! I’ve found vulnerabilities in every app I’ve worked on, and it’s not simply enough to just “follow best practices” - vulnerable code can easily slip in and be missed if you’re not looking for it.


Looking to learn more?
⏩ Security Tip #23: Scoping Bindings
▶️ In Depth #9: Signed URLs


Casting Request Values

Laravel’s Request object [1] (`Illuminate\Http\Request`) includes a number of methods for extracting user input. My personal favourite is the `validate()` method [2], however there are a number of others you can reach for instead, depending on your use case.

Sometimes you’ll need to pull out specific request values and transform them into specific types, such as integers or booleans. Although you can do this manually, there is always the potential to forget the cast, or to rely on type juggling, and for subtle vulnerabilities to be introduced [3].

So instead, a safer way to do it is to ask the Request object to give you the input value in the type you need. It’ll return a properly typed value that you can then use safely throughout your app, without any further casting or loose comparisons.

The available methods are:

public function string($key, $default = null): \Illuminate\Support\Stringable;
public function boolean($key = null, $default = false): bool;
public function integer($key, $default = 0): int;
public function float($key, $default = 0.0): float;
public function date($key, $format = null, $tz = null): \Illuminate\Support\Carbon;
public function enum($key, $enumClass): <Enum>;

With the exception of `string()`, they are all pretty self-explanatory. The `string()` method actually returns an instance of `Illuminate\Support\Stringable` [4], which you can easily manipulate via a fluent interface.

One caveat: these methods cast, they don’t validate. `integer()` and `float()` run the raw value through PHP’s `intval()` / `floatval()`, so `"12abc"` becomes `12` and `"abc"` becomes `0`; `boolean()` uses `filter_var()` with `FILTER_VALIDATE_BOOLEAN`, so only `"1"`, `"true"`, `"on"` and `"yes"` are true and everything else is false; `enum()` returns `null` when the value doesn’t match a case; and `date()` throws if the value can’t be parsed, so validate date input before you call it. Treat them as the final cast after validation, not as a replacement for it.

You won’t need this all the time, but it’ll save you some effort and reduce potential bugs when you do. 🙂
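To make the difference concrete, here is the same controller logic written once with hand-rolled extraction and once with the typed accessors. This is an added example, my code rather than the newsletter’s or Laravel’s own; it assumes `illuminate/http` and `illuminate/support` are installed (any Laravel 10 app, or `composer require illuminate/http`) and PHP 8.1+ for enums. The route, parameter names, the `Visibility` enum and the sample inputs at the bottom are all constructed for illustration.

```php
<?php

// Added example, not from the original post: the same listing logic
// written once with raw input() calls and once with the typed accessors.
// Assumes illuminate/http and illuminate/support are installed (any
// Laravel 10 app, or `composer require illuminate/http`) and PHP 8.1+.
// The route, parameter names, Visibility enum and the sample request
// at the bottom are all constructed for illustration.

require __DIR__.'/vendor/autoload.php';

use Illuminate\Http\Request;

enum Visibility: string
{
    case Public = 'public';
    case Private = 'private';
}

// "Before": pulls raw input() values and leans on PHP's type juggling.
function listPostsManual(Request $request): array
{
    return [
        // Still a string; whatever the client sent is passed straight on.
        'page'       => $request->input('page', 1),
        // Loose comparison: any non-empty string other than "0" is truthy,
        // so ?mine=false and ?mine=off both count as true here.
        'only_mine'  => $request->input('mine') == true,
        // No cast and no upper bound.
        'per_page'   => $request->input('per_page', 15),
        // Free text that is only checked against the allowed set later (maybe).
        'visibility' => $request->input('visibility', 'public'),
        'q'          => $request->input('q', ''),
    ];
}

// "After": ask the Request for the type you need, then apply your own
// business rules (clamping, defaults) to a value whose type is known.
function listPostsTyped(Request $request): array
{
    return [
        // intval() semantics: "2abc" -> 2, "abc" -> 0, hence the max().
        'page'       => max(1, $request->integer('page', 1)),
        // FILTER_VALIDATE_BOOLEAN: only "1", "true", "on", "yes" are true.
        'only_mine'  => $request->boolean('mine'),
        'per_page'   => min(100, max(1, $request->integer('per_page', 15))),
        // enum() returns null for a missing or unknown value; fall back.
        'visibility' => $request->enum('visibility', Visibility::class) ?? Visibility::Public,
        // Stringable gives a fluent, already-a-string value to normalise.
        'q'          => $request->string('q')->trim()->limit(100)->toString(),
    ];
}

// date() throws if the value cannot be parsed, so validate first or guard it.
function sinceDate(Request $request): ?string
{
    try {
        return $request->date('since', 'Y-m-d')?->toDateString();
    } catch (\Throwable $e) {
        return null;
    }
}

// Constructed request with the kind of values a client can actually send.
$request = Request::create('/posts', 'GET', [
    'page'       => '2abc',
    'mine'       => 'false',
    'per_page'   => '9999',
    'visibility' => 'secret',
    'q'          => '   laravel   ',
    'since'      => 'not-a-date',
]);

var_export(listPostsManual($request));
echo PHP_EOL;
var_export(listPostsTyped($request));
echo PHP_EOL;
var_export(sinceDate($request));
echo PHP_EOL;
```

Run it with `php example.php` from a directory that has the Composer autoloader. The manual version hands back `page` and `per_page` as the raw strings it was given and reports `only_mine` as true for `?mine=false`, because a non-empty string compared loosely against `true` is truthy. The typed version returns an `int` page of 2, `only_mine` false, `per_page` clamped to 100, the `Visibility::Public` fallback instead of the unknown `"secret"`, and a trimmed query string, while the unparseable `since` value is caught rather than surfacing as an exception from the controller.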

[1] See: https://laravel.com/docs/10.x/requests

[2] Which we talked about back in Security Tip #7: Validating User Input.

[3] Check out Security Tip #26: Type Juggling

[4] To learn about Stringable, see: https://laravel.com/docs/10.x/helpers#fluent-strings

© 2023 Stephen Rees-Carter