I want to know if there is a way to remove eval() from my code.
In this function I load some vars by POST to update or insert a new user in my DB, based on what the admin has entered in the form.

```php
public function alterUser() {
    $name = $_POST['name'];         // required field
    $contact = $_POST['contact'];   // required field
    $password = $_POST['password']; // required field

    // Build the query-builder call as a string of PHP source and eval() it
    $string = "DB::table('users')";
    if (isset($_POST['id'])) {
        $string = $string . "->where('id', '{$_POST['id']}')->update([";
    } else {
        $string = $string . "->insert([";
    }
    $string = $string . "'name' => '{$_POST['name']}',";
    if (isset($_POST['email'])) {
        $string = $string . "'email' => '{$_POST['email']}',";
    }
    $string = $string . "'password' => Hash::make('{$password}'), 'contacto' => '{$contact}',";
    if (isset($_POST['nif'])) {
        $nif = $_POST['nif'];
        $string = $string . "'nif' => '{$nif}',";
    }
    $string = $string . "]);";
    eval($string);

    return redirect('/user');
}
```
As this opens some security vulnerabilities, are there any other alternatives to get this working?
Answer
It seems like you could simplify your code a lot and remove the need for eval(), which you shouldn't use unless it is a last resort.
There is no need for all the IF blocks you had in your code, because if a value isn't set, it also won't be added to the $values array.
Just assign your $_POST variable to a $values variable; Laravel does most of the heavy lifting for you.

```php
public function alterUser() {
    $values = $_POST;

    // remove the _token variable Laravel adds to all POST requests
    unset($values['_token']);

    // perform any actions needed on the values before they are sent to the database
    $values['password'] = Hash::make($values['password']);

    if (!empty($values['id'])) {
        // an id was posted: update the existing row
        DB::table('users')->where('id', $values['id'])->update($values);
    } else {
        // no id: insert a new user
        DB::table('users')->insert($values);
    }

    return redirect('/user');
}
```
I see in your code that you rename the contact variable to contacto. I recommend changing your form to match this variable name, but if that isn't possible, you can still rename it after setting $values = $_POST like this:

```php
$values['contacto'] = $values['contact'];
unset($values['contact']);
```
Also, if your form sends any variables that you do NOT want to send to the database, such as a "password verify" field or something like that, then you can unset them after setting $values = $_POST like this:

```php
unset($values['VALUE_TO_REMOVE']);
```
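Copying $_POST wholesale means any extra field a client adds (not just _token) reaches the insert. An added example, not code from the question or the answer, that inverts the approach: an allow-list of form field to column mappings taken from the page (name, email, password, contact to contacto, nif), with everything else dropped. It is plain PHP so it runs without Laravel; password_hash() stands in for Hash::make(), and the returned array is what you would hand to DB::table('users')->insert() or ->update().

```php
<?php
// Added example: allow-list form fields instead of passing $_POST straight to the query builder.

// Form field => database column (the page renames 'contact' to 'contacto').
const USER_COLUMNS = [
    'name'     => 'name',
    'email'    => 'email',
    'password' => 'password',
    'contact'  => 'contacto',
    'nif'      => 'nif',
];
const REQUIRED_FIELDS = ['name', 'contact', 'password'];

/**
 * Build the column => value array for an insert/update from raw form input.
 * Only allow-listed fields survive, so unexpected POST keys (_token, a
 * "password verify" field, or an unwanted column name) never reach the database.
 * Returns [$values, $id]; $id is null when the request is an insert.
 */
function buildUserValues(array $input): array
{
    foreach (REQUIRED_FIELDS as $field) {
        if (!isset($input[$field]) || $input[$field] === '') {
            throw new InvalidArgumentException("Missing required field: $field");
        }
    }
    $values = [];
    foreach (USER_COLUMNS as $field => $column) {
        // Optional fields (email, nif) are simply absent when not submitted.
        if (isset($input[$field]) && $input[$field] !== '') {
            $values[$column] = $input[$field];
        }
    }
    // Assumption: password_hash() stands in for Laravel's Hash::make() here.
    $values['password'] = password_hash($values['password'], PASSWORD_DEFAULT);

    // The id selects the row to update; it is a WHERE argument, not a column value.
    $id = isset($input['id']) && ctype_digit((string) $input['id']) ? (int) $input['id'] : null;
    return [$values, $id];
}

// Constructed sample input: a POST body with keys that must not be written to the table.
$post = ['_token' => 'abc', 'name' => 'Ana', 'contact' => '912345678',
         'password' => 'secret', 'extra_field' => '1', 'id' => '7'];
[$values, $id] = buildUserValues($post);
echo "columns written: " . implode(', ', array_keys($values)) . PHP_EOL;
echo "update id: " . var_export($id, true) . PHP_EOL;
// In the controller: $id === null ? DB::table('users')->insert($values)
//                                  : DB::table('users')->where('id', $id)->update($values);
```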