
I am a beginner who started learning Laravel. I would like to ask two questions. When I was looking at Eloquent, I thought, for example, if there are a users table and a posts table with the Auth function,

The first is if I want to get user information.
In UserController:
$items = User::where('user_id', $request->user_id)->get(); // (I made my own column called user_id)
return view('userpage', ['items' => $items]);
If I write this, you will also get information such as password and email, but is there any problem if you do not display it in the view folder (userpage)?

The second question is similar, but
If I want to get the user information posted on the web page of a certain post

In the model Post.php:
public function user()
{
    return $this->belongsTo('App\Models\User');
}
However, even in this case, is there any problem if it is not displayed in the view folder without limiting the columns to be acquired?


Thanks for your answer and correction request.
When I asked this question, I was thinking of an application such as a simple blog that could be posted by a large number of users. In this case, I understand that there is no security problem.
As an additional question, I was curious about what the safest form is when retrieving information from a DB under strict security requirements. It is assumed that you will use front-end SSR or provide an API, as pointed out in the answer. I don't know about node.js (what do you use when using Vue.js etc.?) or APIs, so it will be a vague question, but I would appreciate it if you could answer.

  • Answer # 1

    Items that can never be published, even when unintentionally output as JSON, are hidden with $hidden.

      protected $hidden = [
          'password',
          'remember_token',
      ];

    Basically, you don't have to worry about what you're doing on the server side.
    The framework is taking appropriate measures.
    However, recently there have been incidents caused by people who are too used to this.
    When front-end SSR is involved, accidents occur in which data that should not be shown can be seen.
    It may be better to get into the habit of getting only the necessary data with select () from now on.
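    The select() habit recommended above, applied to both of the question's cases. This is an added example, not code from the question or the answers; it assumes the question's App\Models\User with its custom user_id column, App\Models\Post with the user() belongsTo relation, and the $hidden array shown in this answer.

```php
<?php
// Added example (not from the original question or answers). Assumes the
// question's App\Models\User (custom user_id column), App\Models\Post with a
// user() belongsTo relation, and $hidden = ['password', 'remember_token'].

namespace App\Http\Controllers;

use App\Models\Post;
use App\Models\User;
use Illuminate\Http\Request;

class UserController extends Controller
{
    // Question 1: a Blade view only renders what the template references, so
    // over-fetching is not exposed by itself. Restricting the query with
    // select() anyway means a later response()->json($items), a dd() left in
    // a view, or a front-end data dump cannot leak email or the password hash.
    public function show(Request $request)
    {
        $items = User::select(['id', 'user_id', 'name'])
            ->where('user_id', $request->user_id)
            ->get();

        return view('userpage', ['items' => $items]);
    }

    // Question 2: when a post's author is loaded through belongsTo, constrain
    // the eager-loaded columns with the "relation:columns" syntax. The owner
    // key (id) must be included or Eloquent cannot match the user to the post.
    public function postWithAuthor(int $id)
    {
        $post = Post::with('user:id,name')->findOrFail($id);

        return view('post', ['post' => $post]);
    }

    // Where it actually matters: serializing for an API or a JS front end.
    // $hidden strips password and remember_token from toArray()/toJson(), but
    // email is not in $hidden by default, so select() is what keeps it out.
    public function showJson(Request $request)
    {
        $items = User::select(['id', 'user_id', 'name'])
            ->where('user_id', $request->user_id)
            ->get();

        return response()->json($items);
    }
}
```

    An attribute that was not selected is simply null on the model, so check that the templates only reference the selected columns after narrowing a query.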

  • Answer # 2

    User::where('user_id', $request->user_id)->get()

    Post::where ... Is it a mistake?

    Information such as password and email is also acquired, but is it okay if it is not displayed in the view folder (userpage)?

    No problem as long as you don't provide an API.

    Is there any problem if it is not displayed in the view folder without limiting the columns to be fetched?

    No problem as long as you don't provide an API.