问题描述

在Laravel 4中的Builder类delete函数中的Illuminate\Database\Query接受null作为id参数.这个函数的行为暗示着，如果我有类似的东西:

In Laravel 4 Illuminate\Database\Query in a Builder class delete function accepts null as an id parameter. And behaivor of this function implies that if I have something like:

DB::table('users')->where('id', $id)->delete();

如果$id将作为null传递，它将截断整个表.这意味着除了标准验证外，我还必须使用! is_null($id)验证包装每个delete语句.是安全漏洞还是被视为标准做法?

And if $id will be passed as a null, it will truncate the whole table. Which means that besides standard validation, I have to wrap every delete statement with ! is_null($id) validation. Is it a security breach or it's considered as a standard practice?

推荐答案

我认为您误会了该参数的用途.对于您显示的示例，这只是一个快捷方式.如果您有用户ID，则可以在不编写where子句的情况下将其删除.

I think you're misunderstanding what that parameters purpose is. It's simply a shortcut for the example you have shown. If you have a users ID you can delete them without writing that where clause.

DB::table('users')->delete($id);

以上与此相同:

DB::table('users')->where('id', $id)->delete();

您显然会在使用任何这些方法之前执行检查，以确保提供了有效的ID.我不会说这是一个安全漏洞，只是开发人员在开发应用程序时需要注意的事项.您不仅会故意不先删除内容而无需先验证输入内容.

You'd obviously perform a check prior to using any of these methods to ensure that a valid ID has been supplied. I wouldn't say it's a security breach, just something you as a developer needs to be aware of when developing your application. You don't just go willy nilly deleting things without first validating the input.

这篇关于Laravel删除查询生成器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！