laravel / ideas

Issues board used for Laravel internals discussions.

Adding transform and filter method to FormRequests #2585

Open rummykhan opened 3 years ago

rummykhan commented 3 years ago

Hi everybody,

I've worked on multiple Laravel projects, and for some simple forms we usually do something like this:

Model

use Illuminate\Database\Eloquent\Model;

class App extends Model
{
    // Only these attributes may be set through fill() / create()
    protected $fillable = [
        'app_name', 'app_id', 'app_secret',
    ];
}

Blade:

<form>
    <input type="text" name="app_name">
    <input type="text" name="app_id">
    <input type="text" name="app_secret">
</form>

Controller

public function addApp(AddAppRequest $request)
{
    // Every key in the request body is handed to fill(); the model's $fillable list is the only guard
    (new App())->fill($request->all())->save();

    return back()->with('success', 'app added to your account');
}

Benefit of this approach is

Problem with this approach is

Idea Proposal: the idea is to add a public function transform() to the FormRequest, where we can transform these parameters in the FormRequest and still be able to enjoy the Laravel-y way.

use Illuminate\Foundation\Http\FormRequest;

class AddAppRequest extends FormRequest
{
    public function authorize()
    {
        return true;
    }

    // Proposed: map form field names to the model attribute names they fill
    public function transform()
    {
        return [
            'name' => 'app_name',
            'id' => 'app_id',
            'key' => 'app_secret',
        ];
    }

    public function rules()
    {
        return []; // validation rules left out of the proposal
    }
}

bert-w commented 3 years ago

I never heard of an attack that solely benefited from knowing that some property of a user was named password, is_admin, app_secret or whichever. The issue would be that the hacker was able to change those properties, not that he knew what the property was called.

Also, the transform example you are showing is only giving synonyms to your properties, which does not help much anyway in hiding the true name of the property. I personally wouldn't bother with building such a feature.

amir9480 commented 3 years ago

Hi @rummykhan

You can use $request->validated() instead of $request->all() to only fill attributes that you validated in your request class and ignore any other request inputs that the user sends to the application, including your important database fields.
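The validated() approach from this reply, combined with the field renaming the transform() proposal asks for, as an added example that is not code from the thread or from Laravel itself. It assumes the form fields are named name/id/key as the proposal intends, the App model keeps the $fillable list from the first post, and an AppController exists; only keys listed in rules() survive validated(), so an extra field such as is_admin in the POST body never reaches fill().

```php
<?php
// Added example, not from the thread or Laravel; App model with $fillable ['app_name','app_id','app_secret'] assumed.
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class AddAppRequest extends FormRequest
{
    public function authorize(): bool
    {
        return true;
    }

    // Only keys named here come back from validated(); any other field the
    // client adds to the POST body (is_admin, user_id, ...) is dropped.
    public function rules(): array
    {
        return [
            'name' => ['required', 'string', 'max:255'],
            'id'   => ['required', 'string', 'max:255'],
            'key'  => ['required', 'string', 'max:255'],
        ];
    }

    // Renames validated form fields to model attributes (the transform() idea
    // done in user land). Direction assumed: form field => model attribute.
    public function toModelAttributes(): array
    {
        $map = ['name' => 'app_name', 'id' => 'app_id', 'key' => 'app_secret'];
        $attributes = [];
        foreach ($this->validated() as $field => $value) {
            $attributes[$map[$field] ?? $field] = $value;
        }
        return $attributes;
    }
}

namespace App\Http\Controllers;

use App\App;
use App\Http\Requests\AddAppRequest;

class AppController extends Controller
{
    public function addApp(AddAppRequest $request)
    {
        App::create($request->toModelAttributes()); // $fillable still guards the write
        return back()->with('success', 'app added to your account');
    }
}
```

Two layers stay in place: validated() whitelists what the client may send, and $fillable whitelists what the model will accept, so a future column added to the table is not exposed by accident.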