SQL injection from HTTP request data in Laravel query builder

Risk: Critical
Tags: sql-injection, php, laravel, eloquent, query-builder

What it is

SQL injection vulnerability in which user input flows into raw SQL or dynamic identifiers without parameter binding or allow-listing. Because the input bypasses Laravel's escaping, an attacker controls part of the SQL syntax and may read or alter sensitive data, escalate privileges, or run destructive statements, leading to data breaches and loss of system integrity.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

User input from the HTTP request is incorporated directly into raw SQL, or into SQL identifiers, without parameter binding or validation.

Root causes

Raw SQL with User Input

User input is directly incorporated into raw SQL queries without parameter binding.

Dynamic Identifier Injection

User-controlled data is used to build column names, table names, or other SQL identifiers without validation.

Fixes

1. Use Parameter Binding and Prepared Statements

Always use Laravel's parameter binding with placeholders for user input in raw SQL.

Implementation:

    // Bound placeholder instead of string concatenation
    DB::select('SELECT * FROM users WHERE name = ?', [$name]);

2. Whitelist Dynamic Identifiers

Validate column names, table names, and other identifiers against strict allow-lists.

Implementation:

    $allowedColumns = ['name', 'email'];
    // Strict comparison so that only an exact allow-listed name passes
    if (in_array($column, $allowedColumns, true)) {
        ... // $column may now be used as an identifier
    }

3. Use Eloquent Query Builder Methods

Prefer Laravel's Eloquent methods that handle parameter binding automatically.

Implementation:

    // The builder binds $name for you; no raw SQL, no concatenation
    User::where('name', $name)->get();
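The three fixes above combined in one controller, as an added example that is not code from the Sourcery page or from Laravel itself: the raw-SQL pattern the rule flags beside a hardened version. It assumes a `users` table with `name`, `email` and `created_at` columns and the `App\Models\User` model; the controller name and the `name`, `sort` and `dir` request parameters are hypothetical.

```php
<?php
// Added example (not from the Sourcery page): the vulnerable pattern beside its hardened form.
// Assumes a Laravel app with a `users` table (columns name, email, created_at) and the
// App\Models\User Eloquent model; the controller and request parameter names are hypothetical.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use App\Models\User;

class UserSearchController
{
    // Vulnerable: request data is interpolated into raw SQL as both a value and an
    // identifier. Laravel's escaping never runs on the interpolated string, so any SQL
    // syntax contained in the request is executed as part of the statement.
    public function vulnerable(Request $request)
    {
        $name = $request->input('name');
        $sort = $request->input('sort', 'name');
        return DB::select("SELECT * FROM users WHERE name = '{$name}' ORDER BY {$sort}");
    }

    // Hardened: values go through placeholders, identifiers through an allow-list.
    public function hardened(Request $request)
    {
        $name = $request->input('name', '');
        $sort = $request->input('sort', 'name');
        $dir  = strtolower($request->input('dir', 'asc'));

        // Fix 1: the value is bound, not interpolated. The driver sends it separately
        // from the statement text, so quotes or comments in it cannot change the query.
        $rows = DB::select('SELECT * FROM users WHERE name = ?', [$name]);

        // Fix 2: identifiers cannot be bound, so the request value is checked against a
        // strict allow-list and rejected otherwise; it is never placed in the SQL string.
        $allowedColumns = ['name', 'email', 'created_at'];
        if (!in_array($sort, $allowedColumns, true) || !in_array($dir, ['asc', 'desc'], true)) {
            abort(422, 'Unsupported sort parameter');
        }

        // Fix 3: the query builder binds $name itself and only ever receives the
        // allow-listed identifier, so no request string reaches the SQL text unbound.
        return User::where('name', $name)->orderBy($sort, $dir)->get();
    }
}
```

The `$rows` query is the bound raw-SQL equivalent of the builder query returned below it; keep whichever form the surrounding code already uses.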

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from HTTP request data in the Laravel query builder, along with many other security issues in your codebase.