Assure Strings with Input::all()

I wonder and worry a bit about the following situation:

I have a form with a few inputfields, lets say one of them is named test.

Within the handler, I validate this field for being a string:
'test' => 'string',

And we all know the process: If the validator fails, you should abort etc etc.

And now comes the issue: If a hacker change the name of the input field to an array with the Dev Tools and you submit the handler, the following message appears:
"Array to string conversion" on line 336 of [...]\vendor\twig\twig\src\Template.php

<input id="test" type="text" name="test[]">

Usually, I avoid this with the following code:
$test = trim(((array) Input::get('test'))[0] ?? '');

But somehow I cannot believe this is the best approach. I mean: If I validate for a string, I dont want arrays to be passed, especially since there’s an array validation rule.

Did I missread this validation rule?

I think it would be much saver if this “string” validation rules assures a string is passed and not an array and throws a proper validation message if not.

Any tip or plan on a better and more save solution are welcome.

This is a question for the Laravel community, how do they handle it natively? For the most part, I will check that the input is indeed a string or an array as expected.

1 Like