Support the ongoing development of Laravel.io →
devmark
posted 9 years ago
Security
Last updated 1 year ago.
0
barryvdh
replied 9 years ago

SQL injection is not possible, as Laravel uses prepared statements/parameter binding.

Last updated 1 year ago.
0
bromtec
replied 9 years ago

I was curious about this as well... looks like an issue when using raw queries. Found a great article and wanted to pass it along for anyone else that may need it.

http://fideloper.com/laravel-raw-queries

Laravel does use prepared statements as barry mentioned, but it looks like you need to specifically pass variables in an array of bindings for this to happen with raw queries.

$someVariable = Input::get("some_variable");

$results = DB::select( DB::raw("SELECT * FROM some_table WHERE some_col = :somevariable"), array(
   'somevariable' => $someVariable,
 ));
0

Sign in to participate in this thread!

Eventy

Your banner here too?

devmark devmark Joined 17 May 2014

Moderators

We'd like to thank these amazing companies for supporting us

Eventy
Fathom
Forge
Envoyer
Beyond Code
Skynet Technologies
Steadfast Collective
BairesDev
Remotely Works

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

Laravel.io

Forum Articles Pastebin

Socials

X Twitter GitHub

The community

Laravel Laravel Laravel News Laravel News
Laracasts Laracasts Laravel Podcast Laravel Podcast
© 2024 Laravel.io - All rights reserved.
Terms of service Privacy policy Advertise