As mentioned here http://laravel.com/docs/queries:
Note: The Laravel query builder uses PDO parameter binding throughout to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.
If you are concerned with HTML being inserted into the database you can simply escape it when outputting in your views using the {{{}}} syntax in Blade, e.g.:
{{{$title}}}
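To make the two halves of the answer above concrete, here is an added example (not code from the original thread or from Laravel). It uses plain PDO against an in-memory SQLite database so it runs without a Laravel install; the Laravel query builder binds parameters through the same PDO mechanism. The table, rows and attacker inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the original thread: why parameter binding stops
// SQL injection, and why output escaping is a separate defence against XSS.
// Plain PDO + in-memory SQLite so it runs offline; Laravel's query builder
// sends bindings through PDO the same way.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$pdo->exec("INSERT INTO posts (title, body) VALUES ('Hello', 'first post')");

// Constructed attacker input: a classic tautology payload.
$userInput = "' OR '1'='1";

// VULNERABLE: string concatenation. The quote inside $userInput closes the
// string literal and the rest is parsed as SQL, so the WHERE clause becomes
// title = '' OR '1'='1', which is true for every row.
$unsafeSql  = "SELECT * FROM posts WHERE title = '" . $userInput . "'";
$unsafeRows = $pdo->query($unsafeSql)->fetchAll(PDO::FETCH_ASSOC);
echo "Concatenated query matched " . count($unsafeRows) . " row(s)\n";

// SAFE: parameter binding. The payload travels as a value, never as SQL text,
// so it is compared literally against the title column and matches nothing.
// This is what the Laravel docs mean by "no need to clean strings".
$stmt = $pdo->prepare('SELECT * FROM posts WHERE title = ?');
$stmt->execute([$userInput]);
$safeRows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "Bound query matched " . count($safeRows) . " row(s)\n";

// Binding protects the database, not the browser. A script tag stored as a
// bound value is stored intact and comes back out verbatim ...
$xssPayload = '<script>alert(1)</script>';
$insert = $pdo->prepare('INSERT INTO posts (title, body) VALUES (?, ?)');
$insert->execute([$xssPayload, 'body']);
$title = $pdo->query('SELECT title FROM posts WHERE id = 2')->fetchColumn();

// ... so it has to be escaped at output time. This is the job of Blade's
// {{{ $title }}}: Laravel's e() helper applies htmlentities with ENT_QUOTES,
// which is the same class of escaping as the call below.
echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "\n";
```

Run it with `php example.php`. The two counts show the difference between the concatenated and the bound query on identical input, and the last line shows the stored script tag rendered as inert text rather than executed.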
@usm4n the OP is talking about SQL injection, you are talking about XSS.
Thanks usm4n!
Do you have any suggestions on how to store HTML in the DB and show it as HTML in the pages,
but still check for malicious XSS scripts from the user?
@antoniofrignani the first part of the answer got the answer I needed :)
tzookb said:
@antoniofrignani the first part of the answer got the answer I needed :)
Yes, it is the second part that is about escaping strings to prevent XSS.
antoniofrignani said:
@usm4n the OP is talking about SQL injection, you are talking about XSS.
Yes, I know what he was talking about; the quote from the documentation was the answer, not the other part. I just thought maybe he was concerned!
Does someone have an answer on how I can store user HTML from a WYSIWYG editor? I want to make sure they haven't sent any scripts there.