Laravel shorts – Old inputs are still inputs

If you need some inspiration for designing a 500 error page, all you need to do is to find a stylish site that is built on Laravel and navigate to its login page. Then you open up the developer tools and change the name attribute of the email input field from email to email[]. Enter some random credentials and submit.

Disclaimer: Doesn’t work on all Laravel sites and the example isn’t all that pretty. If you actually did manage to log into someone’s account, don’t do anything silly.

What happened?

Laravel has a feature where it lets you carry over inputs from an old request to a new request.

As the documentation states:

This feature is particularly useful for re-populating forms after detecting validation errors.

https://laravel.com/docs/8.x/requests#old-input

Here’s a quick example:

<form method="POST">
    <h1>Login</h1>
    @csrf
    <input name="email" type="email" value="{{ old('email') }}"><br>
    <input name="password" type="password"><br>
    <input type="submit">
</form>

Now, Laravel also has another useful feature that lets you send array inputs via form fields: a field name ending in [] is parsed as an array rather than a string.

<input name="email[]" type="text" value="foo@bar.com">

use Illuminate\Http\Request;

class FooController {
    public function handleForm(Request $request) {
        // Because the field was named email[], the input arrives as an array:
        // array:1 [▼
        //   0 => "foo@bar.com"
        // ]
        dd($request->email);
    }
}

Combine the two: {{ old('email') }} escapes the flashed value with htmlspecialchars, but after submitting email[] the flashed value is an array, so somewhere down the pipe you end up with something like htmlspecialchars(['trololo' => 'lololo']), which throws an exception because htmlspecialchars does not take arrays.

Takeaways

Is this a real problem? Probably not, at least not in this example. But I wanted to showcase that old inputs are still inputs and should be treated with zero trust until they are validated. Maybe somewhere in your project you have a bit more complex logic that deals with old inputs. It would not hurt to check that what you think is there is actually there.
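To show what "check that what you think is there is actually there" looks like in code, here is an added example (not from the original post). It uses a constructed stand-in for Laravel's old() helper and flashed session data, so it runs without the framework; the oldString() helper name is my own choice.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the flashed "old input" session bag. Submitting a
// field named email[trololo] flashes an array under "email", not a string.
const FLASHED_OLD_INPUT = [
    'email' => ['trololo' => 'lololo'],
];

/** Stand-in for Laravel's old() helper (assumption: same lookup semantics). */
function old(string $key, mixed $default = null): mixed
{
    return FLASHED_OLD_INPUT[$key] ?? $default;
}

/** What `{{ old('email') }}` compiles to: escape whatever was flashed. */
function renderUnsafe(): string
{
    return htmlspecialchars(old('email') ?? '', ENT_QUOTES, 'UTF-8');
}

/**
 * Only hand a scalar to the template. Old input is still user input, so it is
 * checked for the shape the form expects before it is echoed back.
 */
function oldString(string $key, string $default = ''): string
{
    $value = old($key, $default);
    return is_string($value) ? $value : $default;
}

/** Same form field, rendered through the guarded helper. */
function renderSafe(): string
{
    return htmlspecialchars(oldString('email'), ENT_QUOTES, 'UTF-8');
}

try {
    echo renderUnsafe(), PHP_EOL;
} catch (TypeError $e) {
    // PHP 8: htmlspecialchars(): Argument #1 ($string) must be of type string, array given
    echo 'unsafe: ', $e->getMessage(), PHP_EOL;
}
echo 'safe: "', renderSafe(), '"', PHP_EOL;   // safe: ""
```

Note that a `string` validation rule on the email field rejects the array but does not stop it from being flashed back with the redirect, so the guard belongs on the display side as well.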
