SQL injection or bad documentation #2428
The Laravel documentation states:
The Query Builder only protects the where('', '') binding statement but not the others. By other parameters I mean orderBy, groupBy, limit and so on.
If a user follows the Laravel documentation, he may think the following statements are secured:
or with Eloquent:
However, they are not secure and they lead to SQL injection; the user must sanitize the input before usage (intval() for limit, in_array() of valid columns for order by and group by).
So I think the Laravel documentation should be more complete about this problem.
EDITED: removed reference to DBAL/Doctrine because it's not used, but the problem is still here.
It would be better to say that the bindings in where/like statements are safe to use without sanitization, but not the others.
Or we could make the ORM/QueryBuilder more secure by removing backticks/backquotes in orderBy/groupBy/... (or triggering an exception) and forcing a cast to int in limit()/offset()?
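The whitelist-and-cast approach the issue describes, written out as an added PHP example (this is not code from the issue author or from the Laravel project). It assumes a users table with the columns listed in the whitelist and request keys named sort, dir and limit; the helper itself runs without Laravel, and the commented usage shows where it sits in front of orderBy()/limit(), which the query builder does not bind.

```php
<?php
// Added example: validate user-controlled sort/group/limit parameters before
// they reach orderBy()/groupBy()/limit(). Unlike where() bindings, these
// builder methods interpolate their arguments into the SQL text, so the
// application must restrict them to known-good values itself.
declare(strict_types=1);

final class SortParams
{
    // Assumed schema: only these columns may be used for ORDER BY / GROUP BY.
    private const ALLOWED_COLUMNS = ['id', 'created_at', 'name'];
    private const ALLOWED_DIRECTIONS = ['asc', 'desc'];
    private const MAX_LIMIT = 100;

    // Returns the column only if it is in the whitelist (strict in_array, no
    // type juggling); anything else is rejected rather than "cleaned".
    public static function column(?string $input, string $default = 'id'): string
    {
        if ($input === null || $input === '') {
            return $default;
        }
        if (!in_array($input, self::ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException('unsupported sort/group column');
        }
        return $input;
    }

    // Direction is also attacker-controllable text; fall back to asc.
    public static function direction(?string $input): string
    {
        $dir = strtolower($input ?? 'asc');
        return in_array($dir, self::ALLOWED_DIRECTIONS, true) ? $dir : 'asc';
    }

    // FILTER_VALIDATE_INT rejects anything that is not a plain integer and
    // additionally bounds the value, so a huge or non-numeric limit falls
    // back to the default instead of reaching the SQL string.
    public static function limit(mixed $input, int $default = 25): int
    {
        $n = filter_var($input, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 1, 'max_range' => self::MAX_LIMIT],
        ]);
        return $n === false ? $default : $n;
    }
}

// Usage inside a Laravel controller (assumed request keys; illustrative only):
//
// $users = DB::table('users')
//     ->orderBy(SortParams::column($request->input('sort')),
//               SortParams::direction($request->input('dir')))
//     ->limit(SortParams::limit($request->input('limit')))
//     ->get();

// Stand-alone check with constructed inputs (no framework needed):
echo SortParams::column('name'), "\n";                 // name
echo SortParams::direction('DESC'), "\n";              // desc
echo SortParams::limit('10'), "\n";                    // 10
echo SortParams::limit('10; DROP TABLE users'), "\n";  // 25 (rejected, default used)
try {
    SortParams::column('name`; DROP TABLE users; --');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Rejecting with an exception (as the issue suggests for the builder itself) is preferable to stripping backticks: a stripped value still reaches the SQL text, whereas a whitelist guarantees that only identifiers the application already knows about are ever interpolated.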