DEV Community


Posted on • Originally published at

Laravel shorts - Old inputs are still inputs

If you need some inspiration for designing a 500 error page, all you need to do is to find a stylish site that is built on Laravel and navigate to its login page. Then you open up the developer tools and change the name attribute of the email input field from email to email[]. Enter some random credentials and submit.

Image description

Disclaimer: Doesn't work on all Laravel sites and the example isn't all that pretty. If you actually did manage to log into someone's account, don't do anything silly.

What happened?

Laravel has a feature where it lets you carry over inputs from an old request to a new request.

As the documentation states:

This feature is particularly useful for re-populating forms after detecting validation errors.

Here's a quick example:

<form method="POST">
    <input name="email" type="email" value="{{ old('email') }}"><br>
    <input name="password" type="password"><br>
    <input type="submit">
Enter fullscreen mode Exit fullscreen mode

Now, Laravel also has another useful feature that let's you send array inputs via form fields.

<input name="email[]" type="text" value="">
Enter fullscreen mode Exit fullscreen mode
class FooController {
    public function handleForm(Request $request) {
        // array:1 [▼
        //   0 => ""
        // ]
Enter fullscreen mode Exit fullscreen mode

Combine the two and somewhere down the pipe you end up with something like htmlspecialchars(['trololo' => 'lololo']) which throws an exception because htmlspecialchars does not take arrays.


Is this a real problem? Probably not, at least not in this example. But I wanted to showcase that old inputs are still inputs and should be treated with zero trust until they are validated. Maybe somewhere in your project you have a bit more complex logic that deals with old inputs. It would not hurt to check that what you think is there is actually there.

The post Laravel shorts – Old inputs are still inputs appeared first on hbgl.

Latest comments (0)