Laravel使用DB façade执行数据库操作不会触发Eloquent ORM模型事件

使用DB façade执行数据库操作不会触发saving、saved等Eloquent ORM模型事件。当我们不想在事件监听器或队列任务中触发Eloquent ORM模型事件时,除了使用Eloquent ORM模型的saveQuietly、deleteQuietly等方法之外,还可以直接使用DB façade执行数据库操作。

在Eloquent ORM模型事件监听器和队列任务中,要避免使用Eloquent模型增删改查方法,例如create、update、save等。否则会陷入调用死循环 —— 模型事件监听器分发队列任务,队列任务触发模型事件,模型事件监听器再次分发队列任务,队列任务再次触发模型事件……死循环了。

Modify and Persist Model Instances in Laravel Using the saved Event, Not the saving Event

In Laravel, don’t call the save method on a model instance inside the saving event listener.

If you need to modify a model’s field and persist it within a model event listener, make sure you’re using the saved event, not the saving event. This is particularly important when your event listeners are queued for asynchronous execution.

The saving event occurs before the model is persisted to the database. If you try to modify a field and call save() within this listener, it won’t actually persist to the database, especially when the listener is queued for async execution. For example, modifying the slug field might not actually update in the database.

Instead, use the saved event listener and call saveQuietly to persist the changes, as shown in the example:

static::saved(queueable(function (Topic $topic) {
    // If the slug is empty, translate the title into a slug
    if (!$topic->slug) {
        $topic->slug = app(SlugTranslateHandler::class)->translate($topic->title);
        $topic->saveQuietly();
    }
}));

By using the saved event and saveQuietly, you ensure that your changes are made after the model is successfully persisted, avoiding any issues with asynchronous queue execution.

Laravel框架应该在saved而不是saving事件监听器中修改模型实例并持久化

不要在saving事件的监听器中运行模型实例的save方法。

要在模型事件的闭包监听器中修改模型实例的某个字段的值并持久化,当模型事件的闭包监听器作为队列任务异步执行时,不能监听saving事件,因为该事件表示模型实例还未持久化到数据库里,因此监听器作为队列任务异步执行的话,就会导致模型实例的某个字段(例如下例的slug字段)的值不能真正持久化到数据库里(记住,不应该在saving事件的监听器里调用模型实例的save方法)。应该在saved事件监听器里saveQuietly模型实例,例如:

static::saved(queueable(function (Topic $topic) {
    // 如果slug字段无内容,就使用翻译器对title字段进行翻译
    if (!$topic->slug) {
        $topic->slug = app(SlugTranslateHandler::class)->translate($topic->title);
        $topic->saveQuietly();
    }
}));

Learn a Marketable Skill

In your twenties, life can be tough. You might find yourself struggling in the workforce, dealing with PUA (Psychological Manipulation) from bosses, managers, or small business owners. You’re not making money, and you might blame your upbringing—coming from a poor family, lacking in material wealth, mental resources, and even knowledge. It’s not your fault, right?

But in your thirties or forties, if you’re still finding it hard to make ends meet, then the blame falls squarely on you. You’re not putting in enough effort, not being ruthless enough, and most importantly, you haven’t learned a skill that guarantees your survival. You’ve wasted too many years without picking up something practical.

By “skill,” I mean something that can be monetized—blue-collar jobs like welding, auto repair, hairdressing, cooking, forklift driving, or truck driving. Or white-collar jobs like programming, writing, sales, accounting, finance trading, or legal consulting. If you’re not a government official’s child or a rich heir, you’ll have to master at least one of these.

If you want both financial security and freedom—what people often call “making money while standing”—you need to acquire a marketable skill.

As a grassroots worker, if you depend on a specific boss, team, or organization to make a living, over time, you’ll develop an unhealthy dependency. You become their servant, at their mercy, afraid to even quit.

But if you’re living off a marketable skill, no one or organization can enslave you. Your skill is market-driven—if you’re unhappy with one company, you can quit and take a break. When you’re ready, you can join another company, or even start your own business.

Remember, happiness comes from freedom, and freedom comes from courage and perseverance.

学一门市场化的手艺

二十来岁,你在社会上混得很艰难,被别人(领导、上司、小老板)各种PUA,赚不到钱,大概是你的原生家庭太穷了,物质上穷,精神上穷,认知上也穷,不是你个人的原因。

但是三四十岁,如果你还是在社会上混得很艰难,赚不到钱,那就只能怪你自己了。不够努力,不够狠心,没有学会一门安身立命的手艺,白混了这么多年的社会。

手艺,例如蓝领的电焊、汽修、理发、厨师、叉车、货车等,白领的编程、写作、销售、会计、金融交易、法律咨询等,如果你不是官富二代,你总是要学会一门的。

如果你既想要获得金钱又要获得自由,也就是俗话说的“站着把钱赚了”,你就应该学一门市场化的手艺。

你作为一个草根,如果靠某个领导、某个团队或某个组织而生存的,久而久之你就会对他们形成人生依附,变成了他们的家奴,被他们肆意拿捏,都不敢辞职。

如果你靠一门市场化的手艺而生存,靠自己的手艺吃饭,这样没有人或组织能够奴役你。因为你的技能是市场化的,这个公司或单位干得不爽了,你完全可以辞职休息一段时间,然后去另一个公司或单位照样干活,甚至自己当老板。

记住,幸福源自自由,自由源自勇气和坚忍。

Cross-Site Scripting (XSS) Attacks and Mitigation Methods

XSS (Cross-Site Scripting) is a malicious attack where an attacker injects harmful JavaScript code into a web page. When a user visits the page, the embedded JavaScript executes, allowing the attacker to target the user with malicious actions.

A common form of XSS attack is cookie theft. Websites often use cookies to identify users. If an attacker can execute JavaScript on a page, they can read and steal the user’s cookies. Once the attacker has access to the cookies, they can impersonate the user and log in to the website.

There are three primary ways to mitigate XSS attacks:

  1. Filtering User Input: Implement a “whitelist” approach to filter out potentially dangerous HTML tags and attributes. Only allow the tags and attributes deemed safe to be sent to the server, blocking everything else. This method helps prevent various forms of XSS attacks.
  2. Special Handling of Data: Use methods like PHP’s htmlspecialchars() to escape potentially harmful characters when rendering data on the webpage, ensuring that JavaScript code is not executed.
  3. Content Security Policy (CSP): Implementing a Content Security Policy (CSP) can help prevent XSS attacks by specifying trusted sources for content, restricting the execution of untrusted scripts.

跨站脚本(Cross-site Scripting,XSS)攻击及防范方法

XSS 也称跨站脚本攻击 (Cross Site Scripting),恶意攻击者往 Web 页面里插入恶意 JavaScript 代码,当用户浏览该页之时,嵌入其中 Web 里面的 JavaScript 代码会被执行,从而达到恶意攻击用户的目的。

一种比较常见的 XSS 攻击是 Cookie 窃取。我们都知道网站是通过 Cookie 来辨别用户身份的,一旦恶意攻击者能在页面中执行 JavaScript 代码,他们即可通过 JavaScript 读取并窃取你的 Cookie,拿到你的 Cookie 以后即可伪造你的身份登录网站。

有三种方法可以避免 XSS 攻击:
第一种,对用户提交的数据进行过滤。使用『白名单机制』对 HTML 文本信息进行 XSS 过滤,只通过我们认为安全的标签和属性到服务器端,未知的全部过滤掉。这种过滤机制可以有效地防止各种 XSS 变种攻击。
第二种,Web 网页显示时对数据进行特殊处理,例如PHP使用htmlspecialchars()输出。
第三种,使用内容安全策略(Content Security Policy, CSP)防止XSS攻击。

参考
https://learnku.com/courses/laravel-intermediate-training/9.x/safety-problem/12512

When Clients Don’t Need to Initialize CSRF Tokens in Laravel

In Laravel, clients don’t need to initialize CSRF tokens under the following conditions:

  • Cookie and Session-based Authentication: When using cookie and session-based user authentication, and the route being accessed is part of web.php with the App\Http\Middleware\VerifyCsrfToken middleware enabled, CSRF tokens are required.

Authorization Points in the Laravel Framework (Where Authorization Takes Place)

In the Laravel framework, authorization can be implemented in the following places:

  • Using the can Middleware: This middleware allows for permission checks at the route level, providing an easy way to ensure that the user has the required authorization.
  • Using the authorize Method in Form Request Validation Classes: The authorize method is used to determine whether the user is authorized to make a given request. Note that if you generate a form request validation class using the php artisan command, it will come with a default return false in the authorize method.
  • Using authorize, can, or cannot Methods in Controller Actions: Within controller methods, you can use these methods to check if the user has the required permissions before performing an action.
  • Using @can and @cannot Directives in Blade Templates: These Blade directives allow you to conditionally display content based on whether the user has a specific ability or permission.
  • Using Sanctum Token Abilities: When using Sanctum for API authentication, you can define and check token abilities to manage access at a granular level.