Are laravel $request parameters sanitized by default?

No if you mean strip_tags, you have to to it your self. But blade uses htmlspecialchars

For more detail see https://symfony.com/components/HttpFoundation

If you want to see exactly what's happening here you go: https://github.com/symfony/http-foundation/blob/master/Request.php

I'm fine as long as queries are processed through prepared statements, but I'm not sure if this is fully implemented in Laravel, for instance does query builder support them?

Yes except when using raw, there you need to bind the parameters yourself if needed. Taylor has a warning about that in that chapter.

You need to look into validating your request.

Good to know, thanks @jlrdw

@klm113 if answered, could you show it answered.

no, the request is not sanitized

Can't see such option.

You must be on mobile, on laptop or desktop, there is a best answer to click, show when you hover over.