46

In Laravel 4, the delete function of the Builder class in Illuminate\Database\Query accepts null as an id parameter. And the behavior of this function implies that if I have something like:

DB::table('users')->where('id', $id)->delete();

And if $id is passed as null, it will truncate the whole table. This means that besides standard validation, I have to wrap every delete statement with a ! is_null($id) validation. Is it a security breach, or is it considered standard practice?

Sergey Tsibel

2 Answers

103

I think you're misunderstanding what that parameter's purpose is. It's simply a shortcut for the example you have shown. If you have a user's ID you can delete them without writing that where clause.

DB::table('users')->delete($id);

The above is identical to this:

DB::table('users')->where('id', $id)->delete();

You'd obviously perform a check prior to using any of these methods to ensure that a valid ID has been supplied. I wouldn't say it's a security breach, just something you as a developer need to be aware of when developing your application. You don't just go willy-nilly deleting things without first validating the input.

Jason Lewis
0
 DB::table('table_name')->where('table_id', $request['request_id'])->delete();
Suraj Rao
    While this code may solve the question, [including an explanation](//meta.stackexchange.com/q/114762) of how and why this solves the problem would really help to improve the quality of your post, and probably result in more up-votes. Remember that you are answering the question for readers in the future, not just the person asking now. Please [edit] your answer to add explanations and give an indication of what limitations and assumptions apply. – Yunnosch Jan 02 '23 at 13:11
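
The check the first answer recommends, applied before a delete like the ones in both answers, as an added example that is not part of either answer or of Laravel itself. `FakeBuilder` is a constructed stand-in that models only `delete($id)` adding no WHERE clause when the id is null, and `deleteById` is a hypothetical guard that rejects anything that is not a positive integer.

```php
<?php
// FakeBuilder is a constructed stand-in, not Laravel's Builder. It models only
// the behaviour discussed above: delete(null) adds no WHERE clause.
class FakeBuilder
{
    private $table;
    private $wheres = array();

    public function __construct($table) { $this->table = $table; }

    public function where($column, $value)
    {
        $this->wheres[] = array($column, $value);
        return $this;
    }

    // Returns the SQL it would run instead of touching a database.
    public function delete($id = null)
    {
        if (!is_null($id)) {
            $this->where('id', $id);
        }
        $columns = array_map(function ($w) { return $w[0] . ' = ?'; }, $this->wheres);
        $sql = 'delete from ' . $this->table;
        return $columns ? $sql . ' where ' . implode(' and ', $columns) : $sql;
    }
}

// Hypothetical guard: accept only a positive integer id, otherwise refuse to delete.
function deleteById($query, $id)
{
    $options = array('options' => array('min_range' => 1));
    $valid = filter_var($id, FILTER_VALIDATE_INT, $options);
    if ($valid === false) {
        throw new InvalidArgumentException('Refusing to delete: id must be a positive integer');
    }
    return $query->delete($valid);
}

// Constructed inputs: valid ids, then values a missing or malformed request field can yield.
foreach (array(42, '42', null, '', '0', 'abc') as $id) {
    try {
        $result = deleteById(new FakeBuilder('users'), $id);
    } catch (InvalidArgumentException $e) {
        $result = $e->getMessage();
    }
    echo var_export($id, true), ' => ', $result, "\n";
}
echo 'unguarded null => ', (new FakeBuilder('users'))->delete(null), "\n";
```

The last line shows the unguarded call producing a delete statement with no WHERE clause, while every invalid id passed through the guard stops at the exception before any statement is built.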