
JeroenVanOort

EloquentJS: hidden treasure or nono?

I was alerted to this package: http://parsnick.github.io/eloquentjs/ . It aims to provide the ability to query Eloquent models from JS. This includes using where(), orderBy, etc. It's meant to be used in an environment where you would have a JS front end application which communicates with its back end via JSON REST endpoints provided by Laravel. Which happens to be exactly what we do for many projects.

To me and a colleague it appears to be a great alternative to something we've developed ourselves: an Angular library fiddled into ng-table that translates the front end filtering and sorting parameters to HTTP parameters and a stack of Eloquent scopes that process these parameters to ultimately return the entities over a REST API. If it weren't so tightly coupled to our projects and it wasn't so hacky, we'd have open sourced it. But we're looking to move to VueJS, so we won't develop it any further.

Anyway, a great alternative, so it seems. But EloquentJS has only had 442 composer installs at the time of writing and hasn't been updated for some years. Should we decide to use it, we'd be happy to contribute, so the lack of upkeep wouldn't be a major problem. We could even fork it if the current 'maintainer' does not co-operate.

But the few installs and therefore usages of EloquentJS can mean two things: A, it's a hidden treasure, or B, there's something inherently wrong with it. We can't decide and we'd really like a broader view on it.

What do you think of EloquentJS? Would you use it and why (not)? Can you recommend any alternatives?

lostdreamer_nl

These things have their place, but it's a minimum one.

The first thing in my mind was: Damnit, are we back in the days where we get to see stuff like:

GET /query.php?query=SELECT+*+FROM+table;

When will people learn NOT to TRUST user data?

What is to stop someone from writing the following in their JS console?:

Eloquent.User.destroyAll(); 

And it seems they warn against this themselves as well: "Route::eloquent() allows any query to be executed. If you need finer control over which queries are allowed, this can be easily achieved with your own resource controller - see below."

So my advice: Stay clear of things like these unless you are absolutely sure you need them. Most of the time, when you are letting your frontend create your queries, you are doing it wrong and are going down the anti-pattern rabbit hole.

IF you decide you need them, go over ALL the code and understand it before using it; there might be very big security holes in these kinds of things.
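The "finer control over which queries are allowed" that the quoted documentation mentions comes down to a server-side allowlist. The sketch below is an added example, not code from this thread or from EloquentJS: the wire format (a JSON list of [method, ...arguments] calls), the column names and the function name are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Assumed wire format, constructed for this example (not EloquentJS's own):
// a JSON list of [method, ...arguments] calls. Requires PHP 8.1+ (array_is_list).
const ALLOWED_COLUMNS   = ['id', 'name', 'created_at'];   // hypothetical columns
const ALLOWED_OPERATORS = ['=', '!=', '<', '<=', '>', '>=', 'like'];
const MAX_LIMIT         = 100;

/** Returns the validated calls; throws on anything outside the allowlist. */
function validateClientQuery(array $calls): array
{
    $safe = [];
    foreach ($calls as $call) {
        if (!is_array($call) || !array_is_list($call) || !is_string($call[0] ?? null)) {
            throw new InvalidArgumentException('malformed call');
        }
        $method = array_shift($call);
        $ok = match ($method) {
            'where'   => count($call) === 3
                && in_array($call[0], ALLOWED_COLUMNS, true)
                && in_array($call[1], ALLOWED_OPERATORS, true)
                && is_scalar($call[2]),
            'orderBy' => count($call) === 2
                && in_array($call[0], ALLOWED_COLUMNS, true)
                && in_array($call[1], ['asc', 'desc'], true),
            'limit'   => count($call) === 1
                && is_int($call[0]) && $call[0] >= 1 && $call[0] <= MAX_LIMIT,
            default   => false, // destroyAll, delete, update, whereRaw, ...: denied
        };
        if (!$ok) {
            throw new InvalidArgumentException("query call not permitted: $method");
        }
        $safe[] = [$method, ...$call];
    }
    return $safe;
}
// Constructed sample requests: one read-only query, one destructive call.
$requests = [
    '[["where","name","like","Jo%"],["orderBy","created_at","desc"],["limit",20]]',
    '[["destroyAll"]]',
];
foreach ($requests as $json) {
    try {
        $calls = validateClientQuery(json_decode($json, true, 8, JSON_THROW_ON_ERROR));
        echo 'accepted: ', json_encode($calls), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the validated calls would then be applied to the query builder, and authorization of the caller remains a separate check.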
