How to sanitize raw data in Laravel

When doing a raw data query from user input like this:

$someVariable = Input::get("some_variable");

$results = DB::select( DB::raw("SELECT * FROM some_table WHERE some_col = '$someVariable'") );

we are at risk of SQL injection , to avoid that we can bin parameters to our query like this:

$someVariable = Input::get("some_variable");

$results = DB::select( DB::raw("SELECT * FROM some_table WHERE some_col = :somevariable"), array(
   'somevariable' => $someVariable,
 ));

 

Another point is that if we want to do a raw that doesn’t return a value, we can do it like this

DB::statement( 'ALTER TABLE HS_Request AUTO_INCREMENT=1111' );

and that way can take parameters as well

DB::statement( 'ALTER TABLE HS_Request AUTO_INCREMENT=:incrementStart', array('incrementStart' => 1111) );

 

Leave a Reply

Your email address will not be published. Required fields are marked *