You sure deserve a KZbin play button. Your content seems to be coming out right when I need something specific like you release, ha
@rosselliot89712 жыл бұрын
Pov, this is good stuff. Can I suggest you do more videos with the theme of "common mistakes". Security is the obvious topic but there are many others where developers do things that while they do not expose security issues nevertheless create problems for the user experience and app stability. This is a serious thing and would increase views to your channel. Thanks for your hard work and I hope you hit 100K subs soon.
@LaravelDaily2 жыл бұрын
Thanks for the idea. I am actually doing more videos like this, just maybe never calling it specifically "common mistakes". Maybe need to make rebranding of the titles :)
@EdgarsVanags Жыл бұрын
@@LaravelDailyns S L 😊😂😮😢 Yo4
@G5STU2 жыл бұрын
As someone that’s been using Laravel since v4.2, I love your content , straight to the point, no dithering , no BS - I hope you get your silver platter soon :)
@KaydotOrigin2 жыл бұрын
Another: People using Raw DB queries and not binding parameters subsequently leading to an SQLi.
@daleryanaldover65452 жыл бұрын
Just wanted to add, never put sensitive data in cookies. An experienced attacker will thank you for leaking out information using cookies.
@fdelval22 жыл бұрын
* runs to double check all of my Code *
@eternalsoma2 жыл бұрын
I had the ugly experience of patch a php application that had the 5.x version, no framework and legacy code. it had no validation, no token, no escape variables and most important 0 documentation. It was a nightmare to patch up and migrate to php 8. Everything while the APP was under heavy attack from bad guys
@hollyhayes1102 жыл бұрын
Best wishes for getting that silver button soon! You deserve it. I can’t imagine putting out a video *daily*, and such quality content, and well-delivered, too. Your “hello guys” at the beginning is so friendly & familiar - love it. :)
@exintrovert13379 ай бұрын
Subscribed. Get that play button! You deserve it. Straightforward, clear, no fluff… I love your style.
@paulfontaine78192 жыл бұрын
When using livewire: if you have a model or collection of models defined as public class variable, their attributes are sent to the client and visible with a simple view source as are all the public variables.
@SinghatehAlagie2 жыл бұрын
Surely you will reach there soon sir, we always behind you and we will keep supporting to reach your goals. Thank you for the valuable contents.
@paulfontaine78192 жыл бұрын
If you can't "Imagine what could go wrong if any person could inject any javascript on your page.", think of a javascript initiated POST request changing data on the server using your credentials as it is you that sees the page in your browser.
@LaravelDaily2 жыл бұрын
Want more similar lessons? My Laravel courses membership: laraveldaily.com/courses
@parumhr12683 ай бұрын
Can you make a video about Content Security Policy (CSP) in livewire or laravel in general.
@raghavendrajangam39238 ай бұрын
Hi Sir please make one video on how to prevent unauthorized user to access of our code directly mainly from server side. For Example. How to secure server for Laravel projects as well as what are the loopholes how to prevent them etc.
@SXsoft99 Жыл бұрын
is Java secured? I am going to leave a general answer "If the developer is bad at coding and doesn't care about securing their application NO", but then again there is a job market for people that are paid to look at the code and yell at those developers that they should not hardcode security keys inside the client app (for example: 2 years ago I was listening to a podcast of a lady that said she found hardcoded security keys inside android banking applications, with comments in the code "stop putting security keys in the code") So to sum it up, most of the time the problem is between the chair and the screen
@tr4shcoookieees10 ай бұрын
I also want to tell my story. When I first started learning things like TypeScript, I didn’t quite understand how I could make a POST request to the server and pass the CSRF token from the TS file. For this reason, I (I still don’t understand why) made these requests through the api.php file. A little later I found out that requests that are processed in api.php are not protected against csrf attacks. This mechanism works in web.php, while api requests do not require any tokens to run controller methods. To be honest, I still don’t quite understand how I can correctly make such requests if they come from a .ts file. If anyone knows more about this, could you tell me what solutions there are?
@networkerbowofade84772 жыл бұрын
pls I am used to csrf but with the invention of livewire, is it necessary again because I dint even bother to include it because you can submit form without even form elements using livewire.
@LaravelDaily2 жыл бұрын
In Livewire csrf isn't needed, Livewire takes care of that, internally.
@networkerbowofade84772 жыл бұрын
@@LaravelDaily thanks for the clarification
@wildfireDZ2 жыл бұрын
One common mistake I see people doing, is not protecting the {id} in routes. Which means a user can affect data of another user
@konigkoudogbo6602 жыл бұрын
No, if you make validation in the backend
@kennedygitahi7 ай бұрын
What if you use UUID for the ID so that it is not sequential?
@morteza55510Ай бұрын
That's why we have authorization And you can also use route model binding {user}
@lovietech38852 жыл бұрын
all() is one of my bad. Thank you so much for this tips. I will correct myself
@khakimovnodir2 жыл бұрын
I really appreciate your every single video. They are so helpful to me.
@nabeelyousafpasha2 жыл бұрын
Respect from Pakistan 🇵🇰 Rate Limiting is left from my side, all other stuff is my daily routine.
@djnkuli2 жыл бұрын
If there's anyone who deserves 100K + subscribers and that youtube sliver play button, its got to be you brother man
@mohsen-n9j8 ай бұрын
I forgot to say that the Laravel 10 I am using
@ghazyy12 жыл бұрын
i wonder if you can make the same video for developers who use laravel just for API as a backend and tell us about security concerns we may face
@ngocatnguyen57712 жыл бұрын
I have to clean up one project before. Using CORS * on production, doesn't turn off app debug, render directly the db column name to table instead of using alias, only validation on the client size. It took me only 10 seconds to figure it out how to break into the database.
@emekatimothyiloba6992 жыл бұрын
YOU WIll surely go beyond 200K subscribers Sir, you are really doing a great job. Thanks and God bless
@jelajahmania2 жыл бұрын
excuse me sir, how to install laravel vue js with tailwind css .. same as using npm?
@programmeryk5659 Жыл бұрын
please make one about file upload exploit
@aphelioschenik31622 жыл бұрын
never played a full tutorial video without x2 speed outside work. very good video i subed
@hanymax2 жыл бұрын
Thanks Sir you helping so much .... i really appreciate it
@icantchosemyname2 жыл бұрын
I didn't know about rate limiting feature, thank you a lot. I've just shared your video
@vaibhavhalcyon2 жыл бұрын
gr8 video ,which i listen till date..
@kirayamato61282 жыл бұрын
Me who use REST API'S: 🤷
@sahirkhan5304 Жыл бұрын
love from pakistan
@felipe-e6t2 жыл бұрын
Last week analyzing my apache log I found some requests to /.env, so make sure that your .env file is not public, you never will be 100% safe, so do your best
@artificallead4992 жыл бұрын
where do you find the .env in production i can never find mine myself i see it in testing but it seems to disappear during live server upload
@opeyemiilesanmi20592 жыл бұрын
@@artificallead499 You may not see it on your repo if you hide it in .gitignore but on your live server it will be there
@rejowanahmed6819 Жыл бұрын
Why are you so good? 💚💚💚
@MAAZKHAN-xv1lc Жыл бұрын
You are just awesome
@ayenewyihune Жыл бұрын
Very informative
@soniablanche56722 жыл бұрын
There is a case that isn't handled by laravel blade: the href property of the "a" tag. the href value could be equal to something like javascript:alert(1). If the href value comes from users you don't trust you have to make sure it doesn't start with "javascript:" or you could make sure it has a valid URL format
@guccilive1002 жыл бұрын
That’s a good idea Sonia. But how will you check that?
@soniablanche56722 жыл бұрын
@@guccilive100 Laravel validation has a "url" validation rule, you can use that to force href values to only be valid urls
@chiraghvyas34622 жыл бұрын
Thank you for this great stuff. I'll more thankful if you also create video of how to overcome this issues specially file access or .env access from shared hosting or public folders.
@LaravelDaily2 жыл бұрын
I don't work with shared hosting (and I don't recommend anyone else doing it), so I can't make a video on it.
@johnnyokito63566 ай бұрын
Great video!
@DarylLegion2 жыл бұрын
Thanks. very informative, while watching I thought of .. what if there's a video version (course?) of the Laravel documentation, that's too much though 😅
@LaravelDaily2 жыл бұрын
Would you watch all those 23 hours? :) www.omnicalculator.com/everyday-life/reading-time?c=EUR&v=reading_speed_descrip:0.5,pages_read:700
@yungifez2 жыл бұрын
But I feel like request except is also a security loophole
@LaravelDaily2 жыл бұрын
Yes if you don't provide the dangerous properties in except
@yungifez2 жыл бұрын
@@LaravelDaily which in most cases is all other fields in dB
@sherzod_kudratov Жыл бұрын
First of all, big thanks, what about xml attack? And sql injections? Have any vulnerability for sql injections in laravel? If yes, how can it be safer?
@AMoktar2 жыл бұрын
Thanks bro
@eloquent22002 жыл бұрын
Thank you!
@LoganathanNatarajanlogudotcom2 жыл бұрын
Thank you!
@msdeav2 жыл бұрын
thank you...
@kiumarsbabolhavaeji79822 жыл бұрын
thank you
@kyjovs77462 жыл бұрын
How to perform vulnerability assessment?
@hermawansafrin86022 жыл бұрын
Thank you sir, i think your videos is very usefull. Thanks for your dedication.
@mohdanas80272 жыл бұрын
Great
@EdgarsVanags Жыл бұрын
S
@pabloescobarparis65862 жыл бұрын
Well done Povi ! May I ask if you can do a video on how to approach a php/laravel upgrade task. So for example, upgrading from laravel 8 to 9, and what steps you would take.
@LaravelDaily2 жыл бұрын
kzbin.info/www/bejne/o4GlnIyap7R4mrM this is my video on a similar topic. Also I recommend laravelshift.com
@pabloescobarparis65862 жыл бұрын
@@LaravelDaily Oh awesome you already have this covered. Nice 👌
@hassanfazeel23542 жыл бұрын
This is sooo goood..awesome work! this channel deserve a "varified tick". thanks a lot.
@sawcenmaamri1889 Жыл бұрын
About what you said at 11:15 ("do not use get requests for anything that should be changing the data" ) : we can use a middleware (like "authenticate" or any custom middleware to authorise the get route call.
@MapleLeafYT2 жыл бұрын
Need to know more about file upload security
@emekatimothyiloba6992 жыл бұрын
Wow this is very insightful sir. Thanks for sharing
@Rapid-eraser2 жыл бұрын
Rate limit is a good option to negotiate delayed payments :P
@elmarzougui2 жыл бұрын
amazing stuff thank you Povilas
@timoteobega Жыл бұрын
👋👋
@infosond2 жыл бұрын
7 Mistakes beginners devs make :)
@عبدالعزيزالمخلافي-ص4ج2 жыл бұрын
I always enjoy your content ♥️.
@Landrynadre2 жыл бұрын
Hello! Maybe you recording video on laravel Policy? How block any action in another user when user is not the same Group. Or how user can get only our post when he post another id in request. I have problem with this and no were information how do this. I have two model Clients and Users, Clientis Group amd have more users. Now when i send GET REQUEST id another client i can get users another client.
@LaravelDaily2 жыл бұрын
I don't have a video specifically for your situation, but I have a general one: kzbin.info/www/bejne/oYuymHtpYpV1odE
@kevinsada78402 жыл бұрын
Hello Povilas, Great video! Just 1 question regarding the first example. What about the cases I have a WYSIWYG in my blog post and the user can enter a html? I am forced to escape it. what's the solution?
@kevinsada78402 жыл бұрын
@laravel daily
@adesanoyesamson6682 жыл бұрын
Amazing mentions. Thank you
@muhammedrafia88812 жыл бұрын
Hi povilaz....can you make one video about laravel project hosting in shared server, it's very helpful to all Thanks in advance.
@LaravelDaily2 жыл бұрын
I don't use shared hosting and don't recommend it to anyone.
@waseemAlhabash2 жыл бұрын
Does using Eloquent and Query builder safe enough to prevent SQL injection ?
@LaravelDaily2 жыл бұрын
Yes
@FindWebX2 жыл бұрын
Thanks a lot for sharing knowledge with us
@chlouis-girardot2 жыл бұрын
You are legit ! Definitly !
@bboydarknesz2 жыл бұрын
thank you. please make this video more advanced. maybe for example, case someome is attacking you by register 2 user every minutes with valid otp (this crazy but it reals dont know how they have random phone number otp), then you block its IP but he changes his IP and last you use recaptcha to prevent the attack.
@LaravelDaily2 жыл бұрын
I don't want to get deeper into hacking topic, that's not my topic or my strong skill.
@mangtri96802 жыл бұрын
Nice info sir, thanks!
@0x0456 Жыл бұрын
Great video as always, would love to see more of these!
@МиткоЖечев2 жыл бұрын
What do we do when we use wyswyg form editor and finally we have to show unescaped data?
@ChrisT-ib1zh2 жыл бұрын
Validate the content first for accepted tags. Disable script tags etc
@robwolters74012 жыл бұрын
I am using json in a crud app. Still a bit unsure about possible vulnerabilities. Do you have any information?
@LaravelDaily2 жыл бұрын
I don't like or personally use json so can't advise really
@robwolters74012 жыл бұрын
@@LaravelDaily What's not to like? Thanks anyway.
@LaravelDaily2 жыл бұрын
kzbin.info/www/bejne/b6bLiXxqo6mjhbM my video about it
@robwolters74012 жыл бұрын
@@LaravelDaily I didn't know all those json queries, so not using that. Putting id's in json should slow thing down, wouldn't do that. My question is more about decoding json in api calls, and the associated security problems.
@LaravelDaily2 жыл бұрын
Oh THAT json. Then the main thing is to validate the data from that json, for whatever malicious things you may find there.
@alessandrofuda9652 жыл бұрын
very very top! :)
@alaaalssadh23622 жыл бұрын
Thank you so much sir
@p30mehrdad2 жыл бұрын
WooooW, thank you.
@syedshariqueahmed90392 жыл бұрын
Thanks for the info sir
@pauliuxxx1412 жыл бұрын
Hello, Povilas I have a question. Lets say there is a blog post site and user can make a post that contains all those html tags like link, table and so on, how the content should be displayed if {!! $content !!} is a security issue? Should developer write a some code that checks if there are strings like or
@LaravelDaily2 жыл бұрын
Yes you should enable only certain tags. I'm planning to shoot a video about it, some time later in 2022.
@weiwendeng74862 жыл бұрын
I think in this situation, always wrap the content with PHP htmlspecialchars() function before saving it to the database. By doing so it will convert all the tags to special characters. Now when showing, you can use the {!! $content !!} and you will be fine. Even if a user pass a malicious script, it will not execute
@bumblebity29022 жыл бұрын
How store data written by text editors, safely?
@ChrisT-ib1zh2 жыл бұрын
strip script tags.
@santorehman89602 жыл бұрын
What's the best secured way to upload laravel project in shared hosting?
@LaravelDaily2 жыл бұрын
I don't use shared hosting and don't recommend it to anyone
@opeyemiilesanmi20592 жыл бұрын
I won't recommend it too. You have to change the root folder directory and change the app boot directory. I don't like the hack. it's not easily maintainable
@phoenixedge40492 жыл бұрын
Good stuff. Would you ever consider doing a course on security in Laravel, PHP, and Livewire, or even just more videos on it? It's a huge concern that I feel like doesn't get enough attention, and even as a mid-level developer and working with Laravel over 5 years, I'm not always sure how to be sure my code is 100% secure other than avoiding some of the obvious like you point out in this video. Like a good example of content you could cover is how supposedly we should be using UUIDs for our models, but it's not always clear the best way to do that or when to do that
@LaravelDaily2 жыл бұрын
Well, I've covered the main things in this video, so not sure what I would say in a course. For UUIDs, I have that covered in other courses, like here: laraveldaily.teachable.com/courses/how-to-structure-database-in-laravel/lectures/31520548
@ricko132 жыл бұрын
awesome 👍
@eliabekun2 жыл бұрын
Show!
@magmaticly2 жыл бұрын
Is it a mistake to add data in a migration, or should migrations only change the database structure? For example, we keep our translations in a database table. If we need another word translated, should we add this in a migration? Or should we use a seeder? Or something else?
@albert_vds2 жыл бұрын
Every database structure and data that makes the application usable from the start should go in migrations. Seeders are for testing or even demo purposes.
@LaravelDaily2 жыл бұрын
Totally fine in migrations
@mdasifiqbal89122 жыл бұрын
Thank you so much for your video. Please make a video on passing {id} value in route. We are using direct id which is the primary key for the Post, Put method and Laravel also use the same in resource controller. Please make a video with this topic and security issues.
@LaravelDaily2 жыл бұрын
Already scheduled for the next week
@mdasifiqbal89122 жыл бұрын
@@LaravelDaily Thanks a lot
@opeyemiilesanmi20592 жыл бұрын
@@LaravelDaily Have you done this? if yes, please where's the link?
@aachan132 жыл бұрын
nice video! are there any chance you make a video about microservice with laravel?
@LaravelDaily2 жыл бұрын
I haven't used microservices in Laravel so can't make a video about it
@aachan132 жыл бұрын
@@LaravelDaily ok thanks
@abdulllahbutt51192 жыл бұрын
great info.
@NotBeHaris2 жыл бұрын
Awesome topic sir.
@jayjolupoi888912 жыл бұрын
noice
@GergelyCsermely2 жыл бұрын
Thanks
@linasgutauskas55282 жыл бұрын
We disable @csrf on sale forms. Customer might leave browser open for the whole day and only then can submit the form. I know, that there is some javascript packages, which updates csrf codes, but that doesn't gurantee in 100% and we do not want to lose a sale. (not perfect from security side, but sales are more important)
@ChrisT-ib1zh2 жыл бұрын
Better to extend the lifetime of the csrf token. m
@artificallead4992 жыл бұрын
@@ChrisT-ib1zh good point
@yasark63472 жыл бұрын
How to upload a image via mobile camera in website from mobile browser using laravel livewire ? I have tried by adding attribute capture in file input and opened a site in mobile browser and trying to upload it shows file manager and camera option i selected the camera and taken the image and upload livewire showing failed to upload image
@LaravelDaily2 жыл бұрын
Sorry it's impossible to blindly debug your situation in a KZbin comment
@yasark63472 жыл бұрын
@@LaravelDaily thanks for your reply . Is there a way to upload a image from mobile camera from website using laravel livewire. ?
@PovilasKorop2 жыл бұрын
@@yasark6347 I don't think Livewire is different from Laravel, it's the back-end framework, the question is what tools you use on the front-end for the upload - a simple input or something more complex. Again, hard to answer in a comment. But yes, it's possible, mobile browser is still a browser.