Laravel API Security: Triple-Check Request TYPES (example 'hack')

One potential security issue in your application may be comparing strings with loose comparison. Let me show the example.

Comments
Author

This is ultra useful, thanks for pointing that out Povilas!

milosb
Author

For PHP/Laravel developers out there: You should always use strict comparisons and set strict types in your files and you should always know exactly what data types you have (if you don't, then cast your variables to what data type you need). If a variable is not 100% boolean, you should never write: if ($variable) or if (!$variable), but compare it to the boolean value that it can be: if (false !== $variable). If you don't understand why, you are not senior enough :) To use "if ($array['key'])" is a huge mistake, as you don't know the data type for sure so you need to cast it if you know what you are doing or compare it to strict values if you can.

the-code-reviewer
Author

Before thinking about whether you use == or ===, USE validation. You should always write validation rules on every request; never trust the user. There is a reason it's in the Laravel docs under the Basics chapter.

fcolecumberri
Author

I think query params will always be a string type, so those are no return.
But yeah, maybe it is a security issue if the logic is something that could bypass the check or bypass the authorization stuff.

So always remember validation, and strict type :D

bboydarknesz
Author

How about reviewing the new features of the upcoming PHP 8.4 as a video theme?

ゲンスルー-gq
Author

PHP becomes stricter and stricter with each new version and that is wonderful, so don't write something just because it works in the current PHP version. Most of the issues with legacy code are that developers wrote code that worked, but very bad code, like: using undeclared properties, comparing strings with integers/floats, summing strings with floats etc. Even the empty() function is abused by Laravel/PHP developers and that is a bad habit. Instead of if (empty($variable)) you should compare it to the case you have: if (null === $variable) / if ([] === $variable) etc.

the-code-reviewer
Author

Good morning sir, what level of JS is required to work with PHP?

gustavosandoval
Author

Please also make a video on securing endpoints, especially parameters in the URL. I know the POST method; other than POST?

mushtaqrahimvideos
Author

Wow, I didn't know that, thank you so much.

ricko
Author

Hey, please can you do a video about eager loading pivot tables?

gtsmeg
Author

Always validate the request, never trust user input.

$request->validate(["api_key" => "required|string"]);

if ($request->api_key == "secret") return "working";
return "not working";

mituts
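The validate-then-compare pattern from the comment above, as an added example that is not the video's or the commenter's code: the loose check beside a hardened one in plain PHP 8, with the API key and the request values constructed here so it runs without Laravel (in a real route the string would come from $request->validated() after a required|string rule).

```php
<?php
declare(strict_types=1);

// Added example, not the video's code. Assumes PHP 8; the key below is a
// constructed placeholder and the $samples array stands in for values that
// $request->input('api_key') can return from a JSON body.

const EXPECTED_KEY = 'secret'; // constructed placeholder, not a real key

/** Loose comparison, as in the video: the type of the incoming value decides. */
function looseCheck(mixed $apiKey): bool
{
    return $apiKey == EXPECTED_KEY;
}

/** Hardened: refuse anything that is not a string, then compare in constant time. */
function strictCheck(mixed $apiKey): bool
{
    if (!is_string($apiKey)) {
        return false;          // a JSON body can carry true, 0, [] or null here
    }
    return hash_equals(EXPECTED_KEY, $apiKey);
}

// Constructed inputs a JSON request body can deliver for "api_key".
$samples = [
    'correct string' => 'secret',
    'wrong string'   => 'guess',
    'boolean true'   => true,   // true == "secret" is true in every PHP version
    'integer zero'   => 0,      // 0 == "secret" was true in PHP 7, false from PHP 8
    'missing (null)' => null,
];

foreach ($samples as $label => $value) {
    printf("%-15s loose=%-5s strict=%s\n", $label,
        var_export(looseCheck($value), true),
        var_export(strictCheck($value), true));
}
```

The "boolean true" row is the case validation alone does not cover if the value is read from the raw request instead of from validated(), which is why the is_string() guard sits in front of hash_equals().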
Author

They are also missing the FormRequest validation for types, and pulling values from validated().

Getting raw data from request and blaming Laravel 😮

AtiqSamtia
Author

Triple check is just a good bad habit to have, especially when dealing with user input data.

Author

Upload videos from a security point of view...

mushtaqrahimvideos
Author

What is the effect on computational power spent with == instead of ===?
Hate to waste resources.

maflones