
Laravel Group By RAW Sql Injection Question

I have used Eloquent with raw statements to get group by results using a date format. This is to feed into a chart. Some Laravel documentation talks about using binding variables as a parameter to avoid SQL injection risk. However, I'm not sure how that would be applied here as I'm not passing hardcoded number values into the string. Any risk to what I have below? Potential workaround to eliminate the risk, if there is one?

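    $data = [
        // Every raw fragment below is a fixed string literal; no request data is concatenated in.
        Lead::where('created_at', '>=', Carbon::now()->subMonths(12))
            ->selectRaw('monthname(leads.created_at) as month_name, last_day(leads.created_at) as created_month_end, count(*) as total')
            ->groupByRaw('monthname(leads.created_at), last_day(leads.created_at)')
            // "2" orders by the second selected column (created_month_end).
            ->orderByRaw('2 asc')
            ->get()
    ];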
Tray2
Best Answer

Since you don't seem to be using any input from the user, you should not need to worry about SQL injection.
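For contrast with the query above, this added example (not code from the thread) shows how the same chart query stays safe once request input starts to influence it. It assumes MySQL, an `App\Models\Lead` model, and a hypothetical helper `leadTotals()` whose arguments come from the request.

```php
<?php

use App\Models\Lead;
use Illuminate\Support\Carbon;
use Illuminate\Support\Collection;

// Hypothetical helper: $granularity, $months and $direction are assumed
// to be untrusted values taken from the request (e.g. chart controls).
function leadTotals(string $granularity, int $months, string $direction = 'asc'): Collection
{
    // Allow-list: the request value only selects one of these fixed
    // format strings; it is never concatenated into the SQL text.
    $formats = [
        'day'   => '%Y-%m-%d',
        'month' => '%Y-%m',
        'year'  => '%Y',
    ];

    if (!isset($formats[$granularity])) {
        throw new \InvalidArgumentException('Unsupported granularity');
    }

    // Keywords and identifiers cannot be sent as bindings, so the sort
    // direction is reduced to one of two known literals.
    $direction = strtolower($direction) === 'desc' ? 'desc' : 'asc';

    // Clamp the range so a huge value cannot force a full-table scan.
    $months = max(1, min($months, 60));

    return Lead::where('created_at', '>=', Carbon::now()->subMonths($months))
        // The format is passed as a binding (?) rather than interpolated.
        ->selectRaw(
            'date_format(leads.created_at, ?) as bucket, count(*) as total',
            [$formats[$granularity]]
        )
        // Group and sort by the alias, so the placeholder expression
        // does not have to be repeated in GROUP BY.
        ->groupBy('bucket')
        ->orderBy('bucket', $direction)
        ->get();
}
```

The risk appears only if a request value is concatenated into a `selectRaw`, `groupByRaw` or `orderByRaw` string; values go through the bindings array, and anything that cannot be bound is chosen from a fixed list.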
