Good video. But in this case, the vulnerability is in the request()->all() method without validation, not by using if-else inside blade. Even if you didn't use if-else and used a separate view for admin and normal user, you could "hack" changing the select values if there was no validation in the backend.
Thanks. Magnificent. These small, little security tips are so great for novices like us. And yes, of course we novices love these short and quick videos. We novices are always worried sick of security. Thank you again !!
How about a video on hosting a Laravel app in production environment in a shared server with proper security configuration? Probably thousands of beginner level developers from around the world are thirsty for something like that. And, please keep up the great work you are doing !!
There are two problems with that:
1. I never recommend a shared server for any kind of Laravel project. For many reasons.
2. For non-shared servers, there are so so many different server environments and hostings that I can't shoot a video that would fit every hosting. But I've tried to list my recommendations in this article: laraveldaily.com/how-to-deploy-laravel-projects-to-live-server-the-ultimate-guide/
@@PovilasKorop Thank you so VERY MUCH for the link.
You should be checking for permissions on the backend anyway when the form gets submitted...
@Ali Maldonado Heredia oh lol... I see. I thought it was a given and any experienced dev would have known that
That's the whole point of the video
I usually build my validator in steps, so I can check the user permission and assign validator for that specific update.
$rules = []; // base rules that apply to every user go here
if (request()->user()->is_admin) {
    $rules['is_admin'] = 'required|boolean';
}
request()->validate($rules);
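The pattern in the comment above, conditional rules instead of writing request()->all() straight to the model, written out as an added example; this is not code from the video, from its author or from the commenter. It assumes a Laravel application with a User model whose `is_admin` and `role` columns are in `$fillable`, a named `users.index` route, and the made-up role values `admin`, `editor` and `user`.

```php
<?php
// Added example (not from the video or its author). Assumptions: a Laravel
// app, a User model with is_admin and role in $fillable, a users.index route,
// and the made-up role values admin/editor/user.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class UserController extends Controller
{
    // Vulnerable version: whatever fields the browser sends are written to the
    // database. Hiding the "role" <select> behind a Blade @if does not help,
    // because a client can add the field back (or send is_admin=1) and the
    // mass assignment goes through unchecked.
    public function updateUnsafe(Request $request, User $user)
    {
        $user->update($request->all());

        return redirect()->route('users.index');
    }

    // Hardened version: authorize first, then validate only the fields this
    // caller is allowed to change, and write only the validated data.
    public function update(Request $request, User $user)
    {
        // Non-admins may edit their own profile only.
        abort_if(! $request->user()->is_admin && $request->user()->isNot($user), 403);

        // Base rules every caller gets.
        $rules = [
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', Rule::unique('users')->ignore($user->id)],
        ];

        // Privileged fields are part of the rule set for admins only, so a
        // tampered "role" or "is_admin" value from a normal user has no rule
        // and is dropped by validate() instead of reaching the model.
        if ($request->user()->is_admin) {
            $rules['role']     = ['required', Rule::in(['admin', 'editor', 'user'])];
            $rules['is_admin'] = ['required', 'boolean'];
        }

        // validate() returns only the keys that have a rule; everything else
        // in the request body is discarded.
        $data = $request->validate($rules);

        $user->update($data);

        return redirect()->route('users.index');
    }
}
```

The same rules can live in a FormRequest whose `authorize()` method does the ownership check and whose `rules()` method builds the array conditionally; the important part is that the set of accepted keys is decided on the server from the authenticated user, never from what the form happened to render.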
I think this is important to let beginners know. But the video title is Click-Bait. And the same can be applied to the API without any Blade.
Thank you. Can you give a little example of storing that (01:23) kind of thing in the database?
Well, in this case, the database field is just a string type, but there are multiple ways how you can store it in DB: enum field, foreign key to another table etc. This video explains more: ruclips.net/video/3CkkzH4J7xw/видео.html
This means that whatever validation you do on the front end, you should also do on the back end.
What would be the best approach to avoid HTML code injections on *disabled* elements? Besides not showing them or changing them to a simple label
@@Ahmed-157 How would policies work in that scenario?
Great tip but I'm still trying to find out what injecting HTML has to do with Blade.
Hiding certain options doesn't mean they can't be made. So Blade ifs and elses aren't the only safe point.
This has nothing to do with Blade. It could be any PHP file/template.
Simple rule - all user input data should be ALWAYS validated on the server side.
Nice explanation, although I am not much experienced in the Laravel framework (started learning it two weeks ago so I finally learn some PHP frameworks, been working with bona fide no-framework PHP for years now.. :P). I thought that is something normal and generally accepted practice, I mean anybody could write anything into HTML via the browser inspector.
Where I work, on an ancient legacy library, that kind of practice is normal: once you check for display for the user, and another time you check before saving into the DB the data that the user input.
Although we do not work in Laravel, I will show this to junior colleagues when explaining why they need to put validation while saving as well :D
You are right. Data validation is a must. He makes this video for beginners. It's possibly not new to you.
@@Bevallalom You would be surprised how many non-beginners are too "lazy" to validate stuff on the back-end. So for them, this video is just a reminder.
@@PovilasKorop true. :) btw, I like your videos. I started using laravel in January so I'm a beginner to laravel. But not in PHP. Keep up the good work!
By default you shouldn't trust incoming request data.
Thank you for these timely tips.
Please, could you do a quick demo on how to do social authentication for RESTful API with Laravel and VUE SPA using Laravel Socialite? One of my main concerns is the callback URL. Would it be a URL pointing to the frontend or backend?
There are multiple ways to implement it. But currently I'm not planning a video on that topic, have a big list already for other topics.
@@PovilasKorop Okay. Thanks again for your wonderful tips.
I still don't understand this, it's only the admin who can get access to that form anyway.
what admin theme do you use?
I use our own generator www.quickadminpanel.com - design theme is CoreUI - coreui.io
Very interesting! Thanks
That was very good, and I'm assuming this can be done regardless of the language. Good to know, I love ethical hacking.
Short videos are perfect👌👌
Please make a short lesson on how to make an editable markdown-based textarea, like CKEditor but small and customizable, with Livewire and Alpine.js 🌹
This is not a Blade if-else problem. The problem is not double-checking in the backend.
HTML code injections, even juniors know how to avoid that :).
Don't think so. I have seen this issue in some serious companies' apps, and it always works like a charm.
It would be very good if you implemented a database of data validations for when a user meets certain characteristics in their profile, on the server side.
Middleware checking separately for each function in the controller. I think this will not happen.
Firstly, I would encrypt the value in options with the APP_KEY. That should prevent HTML injection in all cases.
Thank you sir
Thank you so much
Wow I always thought PHP was server side enough that you couldn't do this :/
Wow good, I like it...
It's very good
But why was the free plan removed from quick admin panel 😃
Well, maybe because I personally invested $100k+ in building that software, and I have a family/team to feed? :)
@@PovilasKorop my question doesn't mean anything, I was just inquiring because it was a great tool for me to learn, especially as I am freshly graduated.
But it's great for you ❤️
Best regards ❤️❤️💪
Thanks ❤️
Besides not validating values, using request()->all() is an extremely bad way of writing functions.
Never trust a user input. And it comes from a user ...
The title is misleading
Yep! Now rookies will start saying on twitter that Blade is not safe. The title should be: "Always validate user inputs, even if that comes from intranet apps users".
If you don't know about this "hack" then you're a bad dev.
Also the truth is, the only "hack" in this scenario is the lazy dev hacking his way through his code to ship faster. It's lazy.
I really appreciate your efforts and always find something new.... Sir, can you please make a video on how we can integrate Spatie's laravel-permission package. github.com/spatie/laravel-permission
I have a demo project for it: github.com/LaravelDaily/laravel-roles-permissions-manager
Also older article: laravel-news.com/two-best-roles-permissions-packages
@@PovilasKorop Thank you for the help.
Sir, I saw there is one course for the same offered by you... In that, have you used this package only?
Sir, I just want to know whether any discounts will be coming for students for your courses?
@@MiteshBhanushali08 from what I remember, I've used no packages there to explain how roles/permissions work at all, and mentioned Spatie as an option only in one lesson. Regarding discounts, my courses are already the cheapest on the market, no discounts are planned at the moment: twitter.com/PovilasKorop/status/1293921004205543426
This is bad code from the beginning and there is no vulnerability in this, please do not invent. It's just not the correct code. Everything must be validated by FormRequests!!!!! The author is wrong! Dislike for false information
I thought these videos are for advanced developers. Hmmm. If your code doesn't contain minimum security I shouldn't follow your courses. I still have no idea what quickadminpanel is for, however I've watched about 30 videos of it so far but if it produces code with such errors I'll stay away from it.