Laravel - Prevent SQL Injection attacks with global change

Laravel - Prevent SQL Injection Attacks - Global Change

Create a middleware called PreventSQLInjection.php

This middleware takes the incoming request and escapes quotes in its input data, so the data passed on to controllers has already been filtered. Input that decodes as base64 is detected and left unfiltered so that it is not corrupted.

Registering your Middleware

When registering your middleware you have three choices.

  1. The first choice is to run the middleware on every request handled by your app. Open App\Http\Kernel.php and add it to the $middleware array like so:
/**
 * The application's global HTTP middleware stack.
 *
 * These middleware are run during every request to your application.
 *
 * @var array<int, class-string|string>
 */
protected $middleware = [
    \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
    \App\Http\Middleware\EncryptCookies::class,
    \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
    \Illuminate\Session\Middleware\StartSession::class,
    \Illuminate\View\Middleware\ShareErrorsFromSession::class,
    \App\Http\Middleware\VerifyCsrfToken::class,
    // our new class. 
    \App\Http\Middleware\PreventSQLInjection::class,
];
  2. The second choice is to run the middleware only on the routes you assign it to. Register it in the $routeMiddleware array like so:
/**
 * The application's route middleware.
 *
 * These middleware may be assigned to groups or used individually.
 *
 * @var array<string, class-string|string>
 */
protected $routeMiddleware = [
    'auth' => \App\Http\Middleware\Authenticate::class,
    'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
    'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
    // our new class. 
    'sql' => \App\Http\Middleware\PreventSQLInjection::class,
];

And then add the middleware to the specific routes like so:

Route::get('/ip', ['middleware' => 'sql', function() { return "IP"; }]);
  3. The last option is to add it directly to a route group:
Route::group(['namespace' => 'Api', 'middleware' => [\App\Http\Middleware\PreventSQLInjection::class]], function () {
    Route::get('/app-basic-details', [HomeController::class, 'applicationBasicDetails']);
    Route::get('/terms-conditions', [HomeController::class, 'termsConditions']);
    // And all other routes will be here ...
});
<?php
// app/Http/Middleware/PreventSQLInjection.php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Response;

class PreventSQLInjection
{
    /**
     * Handle an incoming request.
     *
     * Walks every leaf value of the request input, escapes it through the
     * database connection's PDO::quote(), and merges the result back into
     * the request so that controllers only ever see the escaped values.
     *
     * @param Request $request
     * @param Closure(Request): (Response|RedirectResponse) $next
     * @return Response|RedirectResponse
     */
    public function handle(Request $request, Closure $next)
    {
        $input = $request->all();

        array_walk_recursive($input, function (&$value) {
            $value = $this->xss_clean($value);
        });

        $request->merge($input);

        return $next($request);
    }

    /**
     * Escape a single input value.
     *
     * Values that decode as strict base64 are returned untouched so that
     * encoded payloads (tokens, uploaded content) are not corrupted.
     */
    public function xss_clean($data)
    {
        // Only strings can be quoted; leave null, booleans and numbers as they
        // are, since base64_decode() and PDO::quote() both expect a string.
        if (!is_string($data)) {
            return $data;
        }

        if (base64_decode($data, true)) {
            return $data;
        }

        // PDO::quote() wraps the value in quotes and escapes whatever the
        // driver requires; strip the surrounding quotes and keep the escaping.
        $data = app('db')->getPdo()->quote($data);

        return substr($data, 1, -1);
    }
}
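The following PHPUnit feature test is an added example and is not part of the gist. It registers the middleware on a throwaway route and checks what a controller behind it actually receives: quotes in ordinary and nested input are escaped, and base64 input passes through unchanged. It assumes a standard Laravel application with the middleware at app/Http/Middleware/PreventSQLInjection.php, the default Tests\TestCase, and the default phpunit.xml database settings (sqlite in memory), because the middleware needs a live PDO connection for quote(). It also assumes the middleware is not in the global $middleware stack at the same time, or it would run twice on the test route. The route path and input values are constructed for the test.

```php
<?php
// Added example, not part of the gist: feature test for PreventSQLInjection.
// Assumes a default Laravel app and phpunit.xml (sqlite in-memory database);
// route path and input values below are constructed for this test.

namespace Tests\Feature;

use App\Http\Middleware\PreventSQLInjection;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class PreventSQLInjectionTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();

        // Throwaway route that echoes the filtered input back as JSON, so the
        // assertions see exactly what a controller behind the middleware receives.
        Route::post('/_test/echo', function () {
            return response()->json(request()->all());
        })->middleware(PreventSQLInjection::class);
    }

    /** What the middleware is expected to produce for a raw string. */
    private function escapedLikeMiddleware(string $raw): string
    {
        // The escaping characters depend on the PDO driver (MySQL yields O\'Reilly,
        // SQLite yields O''Reilly), so the expectation is derived from the live
        // connection rather than hard-coded.
        return substr(app('db')->getPdo()->quote($raw), 1, -1);
    }

    public function test_quotes_are_escaped_including_nested_input(): void
    {
        $name = "O'Reilly";
        $city = "St. John's";

        $response = $this->postJson('/_test/echo', [
            'name'    => $name,
            'address' => ['city' => $city],
        ]);

        $response->assertOk();
        // The value reaching the controller differs from the raw input...
        $this->assertNotSame($name, $response->json('name'));
        // ...and equals quote() output with the outer quotes stripped.
        $this->assertSame($this->escapedLikeMiddleware($name), $response->json('name'));
        // array_walk_recursive() also reaches the leaves of nested input.
        $this->assertSame($this->escapedLikeMiddleware($city), $response->json('address.city'));
    }

    public function test_base64_input_passes_through_unchanged(): void
    {
        // "aGVsbG8gd29ybGQ=" decodes under strict base64, so the middleware skips it.
        $token = base64_encode('hello world');

        $response = $this->postJson('/_test/echo', ['token' => $token]);

        $response->assertOk();
        $this->assertSame($token, $response->json('token'));
    }
}
```

Run it with `php artisan test --filter PreventSQLInjectionTest`. The expected value is computed from the connection because quote() escaping is driver-specific, which is also why the middleware's output changes when the application switches database drivers. Two behaviours the test documents are worth keeping in mind: any value made up only of base64 alphabet characters is skipped by the strict-decode check (harmless for quoting, since none of those characters need escaping), and the escaped string is what the controller goes on to use, so when it is passed to a query through bindings (Eloquent or the query builder) the database stores the escape characters as literal data; the middleware only changes the outcome for queries assembled from raw strings.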