Laravel : Raw Queries,

Raw Queries in Laravel :

A key concern when writing our own queries is protecting our application from SQL injection attacks. Normally, the query builder does this for us. However, when we write our own SQL, we need to make sure we don’t inadvertently remove this protection.

Here’s what we want to avoid:

$someVariable = Input::get(“some_variable”);

$results = DB::select( DB::raw(“SELECT * FROM some_table WHERE some_col = ‘$someVariable'”) );

In the above query, we’re directly adding user input into the query without sanitizing it. This leaves us open to attack!

DB::raw() is used to make arbitrary SQL commands which aren’t parsed any further by the query builder. They therefore can create a vector for attack via SQL injection.

How to execute raw queries with Laravel 5 :

B logbook : PHP | Javascript | Laravel | CodeIgniter | VueJs | ReactJs | WordPress

Translate »