I have started to learn Laravel 5.* and currently I'm working on some basic admin panel. Create users/delte/edit etc.
I've got this for update user details
public function update( UserRequest $request){
$user = User::find( $request['id'] );
$hasuser = User::where('email','=',$request['email'])->where('id','!=',$request['id'])->first();
if($hasuser){
$request->session()->flash('alert-error','User with given email address already exist. Plese try with another email address!!.');
return redirect()->route('admin.users');
}
$user->name = $request['name'];
$user->email = $request['email'];
$user->phone = $request['phone'];
$user->role = $request['role'];
if(!empty($request['password'])){
$password = bcrypt($request['password']);
$user->password = $password;
}
if($user->save())
$request->session()->flash('alert-success','User updated successfully.');
else
$request->session()->flash('alert-error','Can not update User now. Please try again!!.');
return redirect()->route('admin.users');
}
What I'm not sure is the query
$hasuser = User::where('email','=',$request['email'])->where('id','!=',$request['id'])->first();
Is it good from security and sql injection point of view this variable there i.e. $request['email'], $request['id']
If not can you show me what is a good approach here?
Laravel's Eloquent ORM uses PDO binding to avoid SQL injection, but that's not to say it's not good practice to validate user input before you do anything with it.