'Hack' Demo: Blade if-else is not Security

Good video. But in this case, the vulnerability is in the request-all() method without validation, not by using if-else inside blade. Even if you didnt use if-else and use a separete view for admin and normal user, you could "hack" changing the select values if there was no validation in the backend.

morfer

Thanks. Magnificent. These small, little security tips are so great for novices like us. And yes, of course we novices love these short and quick videos. We novices are always worried sick of security. Thank you again !!

How about a video on hosting a Laravel app in production environment in a shared server with proper security configuration? Probably thousands of beginner level developers from around the world are thirsty for something like that. And, please keep up the great work you are doing !!

shumit

You should be checking for permissions on the backend anyway when the form gets submitted...

Laflamablanca

This means whatever you do validation at the front, you should also do validation on the back.

RobbyAJM

Nice explanation, although i am not much experienced in laravel framework ( started learning it two weeks ago so i finnaly learn some php frameworks, been working with bona fide no framework php for years now.. :P ), i thought that is something normal and generaly acceptable practice, i mean anybody could write anything into html via browser inspector.
Where i work and on ancient legacy library that kind of practice is normal, once you chack for display for user and another time you check before saving into db data that user inputed.
Although we do not work in laravel I will show this to junior collegues when explaining why do they need to put validation while saving as well :D

DreamskyDance

This has nothing to do with blade. It could be any php file/temolate

bardhylfejzullahu

I think this is important to let beginners know. But the video title is Click-Bait. And the same can be applied to the API without any Blade.

What would be the best approach to avoid HTML code injections on *disabled* elements? Besides not showing them or changing them to a simple label

jonatanla

Thank you. Can you give a little example of storing that (01:23) kind of thing in the database?

msdeav

Great tip but I'm still trying to find out what injecting HTML has to do with Blade.

Sería muy bueno si implementa una base de datos de validaciones de datos cuando un usuario cumple ciertas características en el perfil esto en el lado servidor

kristhianortizarteaga

By default you shouldn't trust to incoming request data.

ДоминикБеляшов

short videos is perfect👌👌
Please make short learn about how to make editable textarea based on markdown like ckeditor but small and customizable with livewire and alpinejs 🌹

alimahdavi

Simple rule - all user input data should be ALWAYS validated on the server side.

poplach

Thank you for these timely tips.

Please, could you do a quick demo on how to do social authentication for RESTful API with Laravel and VUE SPA using Laravel Socialite? One of my main concerns is the callback URL. Would it be a URL pointing to the frontend or backend?

eokwukwe

that was very good and im assuming this can be done regardless of the language good to know i love ethical hacking

artificallead

this is not a Blade if-else problem. the problem is not double checking in the backend

namoudnormand

I still don't understand with this, it's only admin who can get acces to that form anyway,

rudikurniawan

Wow I always thought PHP was server side enough that you couldn't do this :/

JamesAutoDude

Firstly, I would encrypt the value in options with the APP_KEY .That should prevent HTML injection in all cases.

christoherright