
IAmJulianAcosta

Laravel Raw Expression and SQL Injection

I found some code that allows me to generate a raw expression: $this->getConnection()->raw();. It returns an \Illuminate\Database\Query\Expression object, but I'm not sure whether this is safe and whether I'm creating a SQL injection point.

Will Laravel do something to prevent this? Or should I sanitize the input before? How can I do this?

sl0wik

I would suggest using addBinding() for security purposes. Bindings are the key way to defend against MySQL injection when using Laravel.

IAmJulianAcosta

Thanks @leber, could you please elaborate on this? Perhaps with an example? I don't have experience with this, thank you!

sl0wik

Example:

// The SQL text stays constant; the value 1 is sent separately as a binding for the ? placeholder.
DB::select(DB::raw("SELECT id FROM users WHERE id = ?"), [1]);

Here the binding is accepted as a parameter (you have to check which functions accept bindings as a parameter).

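Putting the two replies together, here is an added PHP example that is not from the thread: the raw-expression pattern with concatenated input beside the bound versions. It assumes a Laravel app with a users table; the function names and the example values are mine.

```php
<?php
// Added example, not code from the thread. Assumes a Laravel app with a `users`
// table (id, email, created_at) and the DB facade available.
use Illuminate\Support\Facades\DB;

// UNSAFE: DB::raw() is only a string wrapper. Laravel pastes the Expression into
// the statement verbatim, so whatever is in $email becomes part of the SQL.
function findByEmailUnsafe(string $email): array
{
    return DB::select(
        DB::raw("SELECT id FROM users WHERE email = '" . $email . "'")
    );
}

// SAFE: keep the SQL text constant and pass the value as a binding. Laravel
// hands the ? placeholder and the value to PDO separately (prepared statement),
// so the driver never interprets the value as SQL.
function findByEmailSafe(string $email): array
{
    return DB::select(
        DB::raw('SELECT id FROM users WHERE email = ?'),
        [$email]
    );
}

// Query builder: the *Raw() helpers take their own bindings array, so raw SQL
// fragments never need string concatenation with request data.
function recentUsersForDomain(string $domain, int $days)
{
    return DB::table('users')
        ->select('id', 'email')
        ->whereRaw('email LIKE ?', ['%@' . $domain])              // bound, not concatenated
        ->whereRaw('created_at >= NOW() - INTERVAL ? DAY', [$days])
        ->get();
}

// addBinding(): attach a value to a raw fragment placed with DB::raw(). The
// second argument names the clause the placeholder sits in ('select' here),
// which is what keeps the binding order aligned with the ? in the final SQL.
function usersFlaggedByContact(string $contact)
{
    return DB::table('users')
        ->select(DB::raw('id, (email = ?) AS is_contact'))
        ->addBinding($contact, 'select')
        ->get();
}
```

The rule of thumb from the thread holds for every form: user data goes in the bindings array, never inside the string handed to raw().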