See the example query here. https://laracasts.com/discuss/channels/laravel/sql-native-to-query-builder
Shows good bindings.
DB::select('SELECT * FROM answers WHERE MATCH(search_terms) AGAINST( :term IN BOOLEAN MODE)', ['term' => $term]);
It seems the parameter is not escaped with this query (a closing parenthesis breaks the query). Is this an SQL injection bug, or am I using parameter binding wrong in this raw SQL?
Laravel: 5.8.36, MySQL: 8, PHP: 7.3
Parameter binding should offer protection against SQL injection: https://laravel.com/docs/5.8/database#running-queries
//edit:
Same issue when using parameter binding by position/index (with the ? symbol).
This seems to be a MySQL bug with parameter binding in MATCH AGAINST (affecting the InnoDB engine): https://bugs.mysql.com/bug.php?id=78485
Some of the problematic symbols that I identified were: ( ) -
Shout out to the unofficial Laravel Discord https://discord.gg/VB3drhA for identifying the bug!
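An added example (not code from the thread, Laravel or MySQL) for the situation above: the bound value never reaches the SQL text, but in BOOLEAN MODE the search string has its own operator syntax (+, -, parentheses, quotes, *), so operators inside the value are still read by the full-text parser. The helper below strips those operator characters before the value is bound, so a term like `foo)` can neither break the query nor change the search semantics; the function names booleanFulltextTerm and searchAnswers are assumed, and the token-length filter assumes the InnoDB default innodb_ft_min_token_size of 3.

```php
<?php
// Added example: keep the term as a bound parameter, but neutralise the
// BOOLEAN MODE operator characters that the full-text parser would interpret.
use Illuminate\Support\Facades\DB;

/**
 * Normalise a user-supplied term for MATCH ... AGAINST (... IN BOOLEAN MODE).
 * Operator characters removed: + - > < ( ) ~ * " @
 * Each remaining word gets a leading "+" so every word is required.
 * Returns '' when nothing searchable is left.
 */
function booleanFulltextTerm(string $raw): string
{
    // Replace operator characters with spaces so adjacent words stay separate.
    $cleaned = preg_replace('/[+\-><()~*"@]+/u', ' ', $raw);

    // Split on whitespace and drop tokens shorter than the assumed
    // innodb_ft_min_token_size (3); InnoDB would not index them anyway.
    $words = array_filter(
        preg_split('/\s+/u', trim($cleaned)),
        function ($w) {
            return mb_strlen($w) >= 3;
        }
    );

    if (empty($words)) {
        return '';
    }

    return implode(' ', array_map(function ($w) {
        return '+' . $w;
    }, $words));
}

/**
 * Run the full-text search with the normalised term still passed as a binding.
 */
function searchAnswers(string $userInput): array
{
    $term = booleanFulltextTerm($userInput);
    if ($term === '') {
        return []; // avoid sending an empty AGAINST() string to MySQL
    }

    return DB::select(
        'SELECT * FROM answers WHERE MATCH(search_terms) AGAINST(:term IN BOOLEAN MODE)',
        ['term' => $term]
    );
}
```

With this in place an input such as `laravel (binding) -bug` is bound as `+laravel +binding +bug`, and a lone `)` yields no query at all instead of a parser error.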