Support the ongoing development of →
Security Requests Input
Last updated 2 years ago.

I would say that it is totally safe to not sanitize your subDomain name. In the domain name you are not allowed to use characters like * or () etc. Hence, you cannot create SQL queries and so on. Other thoughts?


If you are not using DB::raw or other raw database functions (like whereRaw), you are safe.

But remember that "subdomain" is just another header in an HTTP request and thus can be manipulated by user. Whether a web server sanitizes it before passing to PHP, or if PHP does it itself, I'm not sure, but subdomain should be treated as any other user input.


Thanks Xum, thats what i am worries about because it is just, as you stated, HTTP.

However based on your first statement, Laravel sanatizes it through its PDO?


Yep, unless you specifically use raw DB functions, Laravel sanitizes everything.


Sign in to participate in this thread!


Your banner here too?


We'd like to thank these amazing companies for supporting us

Your logo here?

The Laravel portal for problem solving, knowledge sharing and community building.

© 2024 - All rights reserved.