Security Tip: Casting Request Values

[Tip #39] Why treat all user input as strings when you can pull out specific values and automatically cast them as the types you're expecting?

Security Tip: Casting Request Values

Laravel’s Request object (Illuminate\Http\Request) includes a number of methods for extracting user input. My personal favourite is the validate() method (see Security Tip: Don’t Trust User Input), however there are a number of others you can reach for instead, depending on your use case.

Sometimes you’ll need to pull out specific request values and transform them into specific types, such as integers or Booleans. Although you can do this manually, there is always the potential to forget or rely on type juggling and for subtle vulnerabilities to be introduced.

So instead, a safer way to do it is to ask the Request object to give you the input value in the type you need it in. It’ll return a properly typed value that you can use safely throughout your app.

The available methods are:

public function string($key, $default = null): \Illuminate\Support\Stringable;
public function boolean($key = null, $default = false): bool;
public function integer($key, $default = 0): int;
public function float($key, $default = 0.0): float;
public function date($key, $format = null, $tz = null): \Illuminate\Support\Carbon;
public function enum($key, $enumClass): <Enum>;

With the exception of string(), they are all pretty self-explanatory.

The string() method actually returns an instance of Illuminate\Support\Stringable, which you can easily manipulate via a fluent interface.

You won’t need this all the time, but it’ll save you some effort and reduce potential bugs when you do. 🙂

Want me to hack into your app and tell you how I did it, so you can fix it before someone else finds it? Book in a Laravel Security Audit and Penetration Test!
Looking to dive deeper into Laravel security? Check out Practical Laravel Security, my hands-on security course that uses interactive hacking challenges to teach you about how vulnerabilities work, so you can avoid them in your own code!