How secure is laravel 5.1? [closed] - mysql

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
After reading about SQL injection I wonder how secure it is to create apps in Laravel and how to test if your security meets today's standards?

I've developed a few Laravel applications and found them to be pretty secure in my eyes.
I ran a variety of penetration tests, OWASP ZAP scanner, sqlsus and 5+ tools including bbqsql and similar things for DB pen tests, nmap for port scanning, then switched ZAP to attack mode to perform various XSS and CSRFs and found no vulnerabilities from Laravel itself - just a couple of things from my server itself which I patched up.
It's important to say that no application is 100% secure as it depends a lot on how you do things.
However, Laravel does do a pretty good job out of the box by protecting you from:
SQL injection: if you use Eloquent queries these will keep you safe. But you will be vulnerable if you use DB::raw() queries as these can open you up to injection.
CSRF: Laravel takes care of this with CSRF tokens that it checks on each POST request, so make sure you use them; essentially this protects you from someone changing the nature of the request, i.e. from POST to GET.
XSS: First sanitise user input. Variables are not escaped using the blade syntax {!! !!}, which resolves to <?= e($foo) ?> inside your HTML code, whereas {{ }} escapes the data.
This is a pretty short overview of Laravel security. Once you start opening yourself up with file uploads etc. it can be a little bit more tricky, as can doing unsafe things in PHP.
This article here might be an interesting read to go a little more in depth with the above.
In short, I've found Laravel to be secure from all the attacks I've ever run by using Eloquent and sanitising input where required, along with the correct use of blade syntax and the CSRF token.
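As an added illustration (not code from the answer above), plain PHP over an in-memory SQLite table showing the two points the answer makes: splicing input into the query text, which is what DB::raw() with interpolated input amounts to, versus the bound parameters that Eloquent and the query builder use; and the entity encoding that Blade's {{ }} applies through e() (htmlentities in Laravel 5.1, htmlspecialchars in later releases) and that {!! !!} skips. The users table and its rows are constructed here; PDO with the SQLite driver is assumed to be available.

```php
<?php
// Added example (not from the original answer): plain PHP with PDO over an
// in-memory SQLite table, standing in for what Laravel does underneath.
// DB::raw() with interpolated input behaves like findRaw(); Eloquent and the
// query builder bind values like findBound(); Blade {{ }} escapes like
// renderEscaped() (assumption: htmlspecialchars is close enough to e() here).

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
    // Constructed sample rows; the second bio carries markup to show escaping.
    $pdo->exec("INSERT INTO users (name, bio) VALUES ('alice', 'Hi'), ('bob', '<b>bold</b>')");
    return $pdo;
}

// Vulnerable: the user-supplied value becomes part of the SQL text, so a
// quote in the input changes the meaning of the WHERE clause.
function findRaw(PDO $pdo, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value travels to the driver as a bound parameter and is compared
// literally, whatever characters it contains.
function findBound(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// What Blade {{ $bio }} emits; {!! $bio !!} would emit $bio untouched and
// let any markup stored in the column run in the visitor's browser.
function renderEscaped(string $bio): string {
    return htmlspecialchars($bio, ENT_QUOTES, 'UTF-8');
}

$pdo = makeDb();
$input = "x' OR '1'='1"; // constructed input containing a quote, for the demo
print_r(findRaw($pdo, $input));   // the spliced quote rewrote the WHERE clause
print_r(findBound($pdo, $input)); // the same text is matched literally as a name
echo renderEscaped('<b>bold</b>'), "\n";
```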

Related

What are the different use cases for using QueryBuilder vs. Repository in TypeORM? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 3 years ago.
I'm building an API using NestJS with TypeORM. I've been querying a MySQL database using the TypeORM Repository API mostly because the NestJS Database documentation section provided an example using this.photoRepository.find(). As I get further along, I've noticed many of my exploratory search results recommending using the TypeORM QueryBuilder API for performance and flexibility reasons.
I'm getting the sense that the Repository approach is easier to use for simple needs and a great abstraction if I ever decide to switch my database framework. On the other hand, it also seems to me that QueryBuilder is more performant and customizable.
Could we outline the different use cases for QueryBuilder vs. Repository in TypeORM?
The QueryBuilder API is very powerful and closer to SQL than the Repository API, so anything that is more complex or more SQL driven is more easily done through it. It is your last "tool" before going raw SQL with QueryRunner, which you probably don't want to use every time (as it makes development and refactoring longer).
Even if the repository is easier to do, maybe you don't want your codebase to allow the two APIs to be used, as it "splits" the code; but it all depends on your team's preferences.
The point where the repository API is more friendly is about fetching relations, as eager / lazy relations are parsed from the decorators and you don't have to specify "joins", whereas the QueryBuilder requires you to make those explicit or it will fetch only the main table (it ignores the decorators; SQL is a first-class citizen).
Anyway, even if you decide to abandon the Repository API or the QueryBuilder API, I strongly recommend that your queries are always easily found in a dedicated class (like a custom repository or a dedicated service) so you don't end up maintaining queries everywhere in your codebase; refactoring data access is dangerous if not controlled. I personally find the "find" method too powerful on the Repository API, for instance, and disallow such API use outside of a dedicated service / class / whatever you decide.

Use of MYSQL to edit elements in HTML [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
So, I'm making a website for a music collective that I'm in, and on that site there's a page where you can see all the albums (a simple 300 x 300px hyper link image) that redirects you to a bandcamp page.
As of now, if I want to add another album I must go into the HTML file and manually add it. My question is, is it possible to use MYSQL to add albums?
And by that I mean that every time I "add an album" in MYSQL it will edit the HTML automatically? And if so, how do I do it?
This is how the code looks:
HTML
<div class="product-box fade-in-drop">
  <!-- album -->
  <div class="album">
    <img src="example.com">
  </div>
</div>
EDIT:
It might be worth noting that I use a web hosting service that has a cPanel so I have database access, I just don't know how to write the code to make my plan possible.
I apologize if I am assuming too much here.
Your question implies that you want to move from a static website to a dynamic one where, instead of the HTML having static data, your information comes to the page by way of a web server making a connection to a database via some sort of intermediary, third party software. This is much more complicated than what you are doing now, but it is certainly not the most difficult task for creating a simple website that has outgrown the needs of a static page.
Here is a nice tutorial I have found, for an introduction. But I would recommend getting a book on LAMP development, particularly one that is more current than that article. You also might want to look into Drupal, though that might be overkill depending upon how simple your needs are.
It's not possible with pure HTML. You need some server side logic to query the database, like PHP, python, perl etc., and use the data to build the HTML dynamically.
You can't use HTML5 / Javascript dynamics because they are run by the client, your database is on the server.
What you can do based on the information you have given us is take the data that exists currently in the cPanel database access and find some way to copy that data into MySQL whether it's importing it directly, using Excel, or whatever. That would be the best way to go and then set up a connection to the MySQL database server. As mentioned you can use PHP, python, etc. to manipulate that data and have access to read/write that data through your site. Just by googling the basics you should be set on the right path to get a working dynamic website.
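An added example, not from any of the answers, of the server-side step they describe: a PHP page that reads albums from a table and emits the questioner's album markup for each row, so adding an album becomes an INSERT rather than an edit to the HTML file. The albums table, its columns and the sample rows are constructed here, and an in-memory SQLite database stands in for the cPanel MySQL database; on the real host only the DSN and credentials change.

```php
<?php
// Added example (not from the original answers): one PHP script that builds
// the album grid from a database table instead of hand-edited HTML. PDO over
// in-memory SQLite is used so it runs anywhere; on the cPanel host the DSN
// would be something like "mysql:host=localhost;dbname=..." plus credentials.

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE albums (id INTEGER PRIMARY KEY, title TEXT, cover_url TEXT, bandcamp_url TEXT)');
    // Constructed rows. Adding an album is now an INSERT, not an HTML edit.
    // The last row has a bad link on purpose, to show the URL check below.
    $pdo->exec("INSERT INTO albums (title, cover_url, bandcamp_url) VALUES
        ('First EP', 'https://example.com/first.jpg', 'https://example.bandcamp.com/album/first'),
        ('Live Set', 'https://example.com/live.jpg', 'https://example.bandcamp.com/album/live'),
        ('Bad row',  'https://example.com/bad.jpg',  'not a url')");
    return $pdo;
}

// Only plain web URLs may end up in href/src; anything else is not rendered.
function isWebUrl(string $url): bool {
    return (bool) preg_match('#^https?://#i', $url);
}

// Escape every database value before placing it inside an attribute or tag,
// so a stray quote or angle bracket in a title cannot break out of the markup.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function renderAlbums(PDO $pdo): string {
    $rows = $pdo->query('SELECT title, cover_url, bandcamp_url FROM albums ORDER BY id')
                ->fetchAll(PDO::FETCH_ASSOC);
    $html = "<div class=\"product-box fade-in-drop\">\n";
    foreach ($rows as $row) {
        if (!isWebUrl($row['cover_url']) || !isWebUrl($row['bandcamp_url'])) {
            continue; // skip rows whose links are not http(s)
        }
        $html .= "  <!-- album -->\n  <div class=\"album\">\n";
        $html .= '    <a href="' . h($row['bandcamp_url']) . '">';
        $html .= '<img src="' . h($row['cover_url']) . '" alt="' . h($row['title'])
               . '" width="300" height="300">';
        $html .= "</a>\n  </div>\n";
    }
    return $html . "</div>\n";
}

echo renderAlbums(openDb());
```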

What type of backend to use for iOS app [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
I've created an app for iOS using Swift that is essentially a Latin dictionary. Users have the ability to create new words that aren't included in the app. The data is stored locally in the app's document directory in two SQLite databases. The first one holds the words that ship with the app. The second holds the words that are created by the user.
I want to have each word created by the user uploaded to a server at runtime and added to a master database of words. That server would then compare each incoming entry to William Whitaker's Words to see if it is in fact a valid Latin word and then to see if it is already in the master database. If it is valid and not already in the master DB, then the word would be added.
After every new entry to the master database, the server would generate a new SQLite database that includes the new word. Every time the app runs it will check for a newer version of the StandardData.sqlite file and if there is one, it is downloaded. Words that are common to the Standard library and the user's custom library would then be deleted from the custom library to prevent duplicates.
Over time a large library of Latin words would be created without me having to manually enter them in from a dictionary.
I'm somewhat familiar with MySQL (when using it with MySQL Workbench) but beyond that I'm mostly unfamiliar with today's web programming tools: HTML5, CSS, JavaScript, Java, Ruby, Rails, PHP, etc. My budget is $0 and ideally I would like to host the server on my own hardware. What is the best way to add a backend to my app?
This is a question of opinion, so I'm not sure this is the best forum. However you have several options, including some that could be completely free.
Rails and PHP, as you have mentioned, can be used to create a backend using MySQL as the data layer. If you are new to both of those languages, you might look at Python using one of the many frameworks for it. If your app is completely iOS based, you might also look into using CloudKit, which is free up to certain sizes (which it sounds like you could easily stay below). The advantage of CloudKit would be that you don't even have to host the service on your own hardware. There are a few other similar options as well, including Firebase and Parse, which both have free tiers that likely would provide all the storage you need.
With any of these three, you'd be using the API in Swift in your iOS project, and not having to learn a new language.

iOS Login Screen For External Sqlite Server [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
Ok, so say I wanted to have a sign up form similar to the iOS apps of Facebook, Gmail, Dropbox etc. I don't mean I want to have the users be able to login using those services (although that would be nice) but I want to actually have something similar to a SQL server as the web service https://parse.com/ would use.
It seems like a great service and very easy to set up, but I would like to go the extra mile and take advantage of the servers I have available in the cloud to create my own custom version of the following. I understand that MySQL isn't very usable within the iOS development platform; however, sqlite3 is. Say I've created my storyboard layout and I think I have an idea of what it is I would like to do. I just don't know what I need to do to achieve it! Essentially what would be ideal is to create statistical models based on the combined data from all of the users.
Properties of the application:
I would like the users also to be able to go online and download the data they entered into the iOS app by importing it into Excel. However, it would be very important that neither I nor any other user could identify the source of the data, as most of my users are going to know of each other in real life. Think of the app as something to do with drag racing: the users enter in their race results and information about their setup and then upload it to my server. It is very important that I cannot see which user the information derived from, but at the same time I would like to access the data and retrieve a list of the users and their respective emails!
User Interface of application:
Here is a screenshot of what the storyboard ideally might look like. Nothing is linked together yet; these are just the screens that I originally had in mind! I'm not asking for anyone to give me any serious help as I want to do it on my own, I just need the resources in order to do it myself. It seems as if there is nothing online that could explain how the website Parse's framework was created!
STORYBOARD 1: i39.tinypic.com/fbz7n6.jpg
STORYBOARD 2: i41.tinypic.com/dewoau.jpg
How can I make a service similar to parse (JSON format) by using my own server in the cloud?
You can use MySQL on the server and SQLite on the client (preferably wrapped in Core Data) without any issue. The two shouldn't directly interact or have any knowledge of each other, because the server will present an API for the client to use, and that API should divulge no information about the internal setup of the server.
For the API, think about a RESTful interface, probably implemented with JSON.
This caters for all of your uploading and downloading capability.
Your other things are built around this. You have good intentions for keeping the data anonymous - but that is a facet of what you send and how you structure the data storage in the server.
Finally, doing it yourself will be error prone and take a long time. Creating a Parse.com account and configuring the database will be relatively error free and will take very little time. What do you make money from? (hint: leveraging the work of others).

SQL Server migration to mySQL, tips & potential issues? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I'm looking into whether a move from SQL Server is a viable option. To help me with this decision, I have some questions:
Is it possible to use asp.net membership on a MySQL server ?
Are there many/any useful tools to migrate tables/databases/etc and which ones are the best?
What are the main disadvantages in moving to MySQL from SQL Server?
As it stands I have a large enough project but it doesn't avail of many MS features so if it's possible I'd like to move.
My company did this a couple of years ago with a pretty big project. One thing that made it easier for us is that we mostly used very plain, standards-compliant SQL. No Linq, no Entity Framework, only a little T-SQL, and only a few stored procedures.
As far as getting your data into MySQL, we ended up creating our own tool for doing this. None of the existing stuff, including "MySQL Migration Assistant", came anywhere close to being fully functional. Once you can recreate the schema on MySQL, getting the data back in is a matter of exporting to CSV and importing with LOAD DATA INFILE. Transferring the schema was actually the hardest part. With so many tables, we couldn't just do it by hand. We wrote some code in .Net by starting off using this VBScript that we found, and upgraded it to use the tools in the "Microsoft.SqlServer.Management" namespace available for .Net.
For functions that exist in SQL Server but don't exist in MySQL, such as GetDate, it's easy enough to write your own functions in MySQL that map to these functions, instead of trying to find all the instances of this stuff in the code. There are quite a few syntax differences between MySQL and SQL Server, even with just using basic SQL. For instance MSSQL allows DELETE TABLENAME WHERE ..., but MySQL insists you use DELETE FROM TABLENAME WHERE .... That's just one; there are many other differences.
Anyway, it was quite an adventure, but it worked out well for us. It is do-able, but you have to be committed, and not be afraid to write your own migration tools.
A couple of things off the top of my head.
MySQL doesn't support CHECK constraints. Usually, if your dbms does support CHECK constraints, your tables use them.
Depending on the constraint, you might be able to rewrite it in one of these ways.
As a foreign key to a new table
As a trigger
As a daily (or hourly, whatever) exception report
As a module in application code (which could be part of an exception report)
Something else I haven't thought of.
MySQL's timestamps have a resolution of one second.
Microsoft has a SQL Server Migration Assistant but, naturally, it is designed to help users move in the other direction.
You may want to check out this whitepaper from the MySQL site (you'll need to register - I did not, so I don't know how valuable the paper will be compared to the knowledge you already possess):
http://www.mysql.com/why-mysql/white-papers/mysql_wp_mssql2mysql.php
There are also some products and guides that can be found with a fairly simple search, e.g.
http://www.spectralcore.com/fullconvert/tutorials/convert-mssql-sql-server-to-mysql.php
http://www.haidongji.com/2009/02/23/moving-data-from-sql-server-to-mysql/
I don't know that the ASP.NET Membership can be ported directly to MySQL but I am confident you could replicate its functionality (it is more a question of how much effort it will take, not whether or not it is possible).