
ngoquocdat

Laravel has a security hole

Someone I know can hack the information in the .env file and access the database to steal data.

Is that true?

0 likes
7 replies
deansatch

If you give them your .env file then probably yes. But how would they get it? Where is the security hole you speak of?

ngoquocdat

I don't know, but he can hack into the database.

deansatch

Describe the situation in more detail. Also, if that is your actual production .env file and database, please remove the screenshot and change all login credentials.

deansatch

What? You do realise you've posted up enough information in those screenshots for anyone to log into the site? Edit your original post, take it down and change ALL passwords.

tykus

This appears to be a Whoops page. This is not a security hole, it is a lack of understanding of the difference between a development and production environment.

The APP_ENV environment variable is set to local and APP_DEBUG is true, which means Laravel will render a developer-friendly exception page to facilitate debugging an exception during development. It is not intended to be seen in production, where those environment variables should be production and false respectively.

Maybe a bit of reading would help? https://laravel.com/docs/8.x/configuration#hiding-environment-variables-from-debug

martinbean

@datlechin It’s not a security hole if you deploy a Laravel application to a server, leave APP_DEBUG set to true in your .env file, which in turn exposes sensitive information when a user encounters an error.

You have misconfigured your server, therefore the fault lies with you, not the framework. The Laravel documentation even tells you to set APP_DEBUG to false in production environments: https://laravel.com/docs/8.x/errors#configuration

For local development, you should set the APP_DEBUG environment variable to true. In your production environment, this value should always be false. If the value is set to true in production, you risk exposing sensitive configuration values to your application's end users.

2 likes
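The two replies above make the same point: the exposure comes from deploying with APP_ENV=local and APP_DEBUG=true, not from the framework. A simple guard is to refuse a deployment whose .env would still render the debug page. The script below is an added example written for this thread; it is not code from the thread, from Laravel or from the Laravel documentation. It assumes the usual dotenv layout (one KEY=value per line, optional quotes, `#` comments) and reads only the two variables the replies discuss; the sample .env contents in the comments are constructed.

```sh
#!/bin/sh
# Pre-deploy check for a Laravel .env file: exit non-zero if the
# configuration would serve the Whoops/Ignition debug page to end users.
# Usage: sh check_env.sh /path/to/.env   (exit 0 = safe, 1 = unsafe, 2 = no file)

# Print the value of KEY from an env-style file with surrounding
# whitespace and one layer of matching quotes removed. Comment lines
# never match because $1 would start with '#'. If the key appears more
# than once, the last definition is reported (an assumption of this check).
env_value() {
    awk -F= -v key="$2" -v q="'" '
        $1 ~ "^[[:space:]]*" key "[[:space:]]*$" {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            n = length(v)
            if (n >= 2 && ((substr(v, 1, 1) == "\"" && substr(v, n, 1) == "\"") ||
                           (substr(v, 1, 1) == q    && substr(v, n, 1) == q)))
                v = substr(v, 2, n - 2)
            last = v
        }
        END { print last }
    ' "$1"
}

check_laravel_env() {
    file="$1"
    status=0
    if [ ! -f "$file" ]; then
        echo "no .env file at $file" >&2
        return 2
    fi

    app_env=$(env_value "$file" APP_ENV)
    app_debug=$(env_value "$file" APP_DEBUG | tr 'A-Z' 'a-z')

    # APP_ENV=local (as in the screenshots) is a development setting.
    if [ "$app_env" != "production" ]; then
        echo "UNSAFE: APP_ENV is '${app_env:-unset}', expected 'production'" >&2
        status=1
    fi

    # config/app.php defaults 'debug' to false when APP_DEBUG is unset, so an
    # empty value is acceptable; anything other than an explicit false is not.
    case "$app_debug" in
        false|"(false)"|0|"") ;;
        *)
            echo "UNSAFE: APP_DEBUG is '$app_debug'; the debug page would expose configuration to users" >&2
            status=1
            ;;
    esac
    return $status
}

# Example inputs (constructed):
#   APP_ENV=local      + APP_DEBUG=true    -> UNSAFE (the situation in this thread)
#   APP_ENV=production + APP_DEBUG=false   -> safe
# When run as a script, check the file given on the command line.
if [ $# -gt 0 ]; then
    check_laravel_env "$1"
fi
```

Wire this into whatever step copies the .env onto the server (a CI job, a deploy hook) so that a debug-enabled configuration fails the deployment instead of reaching users.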
