
ericknyoto

Eloquent parameter binding to avoid SQL injections

Hi there, I'm confused about parameter binding. Based on the documentation, Laravel by default uses PDO parameter binding. So that means this query should be safe from SQL injection, right? https://laravel.com/docs/8.x/queries#introduction

DB::select("select * from orders where order_id = 123 and customer_name = 'john' and email = '[email protected]'");

Or, in a case like the one above, do I need to bind manually like this?

DB::select("select * from orders where order_id = ? and customer_name = ? and email = ?", [123, 'john', '[email protected]']);

Again, based on the documentation, only DB::raw is vulnerable to SQL injection. https://laravel.com/docs/8.x/queries#raw-methods

So the bottom line: do I need manual binding only when using DB::raw, or do I have to bind for any query builder call?

Thanks!

jlrdw

Your example is db facade. Yes bind when needed in raw.

There's a difference between the query builder and the DB facade.

JussiMannisto

The 1st method is vulnerable if you're using data from the client because you're executing a raw SQL query. The 2nd method is safe because you're executing a parameterized query. Always bind the parameters.

I prefer Eloquent queries because they're less prone to errors. Both of these statements do the same thing as your 2nd method:

Order::where('order_id', 123)->where('customer_name', 'john')->where('email', '[email protected]')->get();
Order::whereOrderId(123)->whereCustomerName('john')->whereEmail('[email protected]')->get();

I don't know why you'd need all those conditions though. I assume that order ID is unique, so that should suffice.
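As an added example (not code from the thread and not Laravel's own), here are the two query styles from the question run through PDO, the layer that DB::select($sql, $bindings) and the query builder delegate to, against a constructed in-memory SQLite table. The function names, the table rows and the hostile value are assumptions made for the demonstration.

```php
<?php
// Added example: the same lookup run two ways through PDO, which is the
// mechanism Laravel uses underneath DB::select($sql, $bindings) and
// DB::table('orders')->where(...). Needs the pdo_sqlite extension.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data, not from the thread.
$pdo->exec('CREATE TABLE orders (order_id INTEGER PRIMARY KEY, customer_name TEXT, email TEXT)');
$pdo->exec("INSERT INTO orders VALUES (123, 'john', 'john@example.com'),
                                      (124, 'jane', 'jane@example.com')");

// Style 1 from the question: the value is spliced into the SQL text. A value that
// contains a quote ends the literal early and changes the statement's structure.
// DB::select("... customer_name = '$name'") or DB::raw(...) built this way behave the same.
function findInterpolated(PDO $pdo, string $customerName): array
{
    $sql = "select * from orders where order_id = 123 and customer_name = '$customerName'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Style 2 from the question: the SQL text is fixed and the value travels separately,
// so the database compares it as a plain string no matter what it contains.
// Equivalent in Laravel: DB::select('... customer_name = ?', [123, $name]) or
// DB::table('orders')->where('order_id', 123)->where('customer_name', $name)->get().
function findBound(PDO $pdo, string $customerName): array
{
    $stmt = $pdo->prepare('select * from orders where order_id = ? and customer_name = ?');
    $stmt->execute([123, $customerName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$ordinary = 'john';
$hostile  = "x' or '1'='1";   // constructed value with an embedded quote

// Both styles agree on ordinary input.
printf("interpolated, ordinary: %d row(s)\n", count(findInterpolated($pdo, $ordinary)));
printf("bound,        ordinary: %d row(s)\n", count(findBound($pdo, $ordinary)));

// With the hostile value the bound query matches no customer named "x' or '1'='1",
// while the interpolated query's WHERE clause has been rewritten and returns every row.
printf("bound,        hostile:  %d row(s)\n", count(findBound($pdo, $hostile)));
printf("interpolated, hostile:  %d row(s)\n", count(findInterpolated($pdo, $hostile)));
```

The row counts printed for the hostile value are the whole point: with binding the lookup stays scoped to order 123, so the answer to the question is to pass bindings whenever a value reaches the SQL text, whether through DB::select, DB::raw, or whereRaw.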
