Prevent raw SQL injections

Metadata

ID: php-security/laravel-raw-sql-injection

Language: PHP

Severity: Error

Category: Security

CWE: 89

Description

Do not input variables directly into SQL statements. This is important due to the security vulnerabilities it can create. Raw SQL injections can expose your database to malicious attacks, potentially leading to data loss, data corruption, and unauthorized access to sensitive data.

A common way to inject malicious code is through user input fields, where an attacker can input SQL code that will be executed by the server. This can lead to various harmful actions such as data extraction, modification, or even deletion.

To avoid this, you can use prepared statements or parameterized queries. These techniques ensure that user input is always treated as plain text and not executable code. This way, even if an attacker attempts to input SQL code, it will not be executed by the server. Instead, it will be treated as a simple string, maintaining the security of your application.

Non-Compliant Code Examples

<?php
class Test extends Controller
{
  public function get($user)
  {
    $users = DB::table('users')->whereRaw('user = "'.$user.'"')->get();
    return view('user.index', ['users' => $users]);
  }

  public function getAge($age)
  {
    $posts = Post::whereRaw('age = "'.$age.'"')->get();
    return view('user.index', ['users' => $posts]);
  }
}

class Bar
{
  function getInfo(Request $request) {
    $id = $request->input('id');
    $items = DB::table('items')->selectRaw('price * where id = '.$id);
    return organize($items);
  }
}

class Baz extends FormRequest
{
  public function getInfo(){
    $id = $this->input('id');
    $items = DB::table('items')->selectRaw('price * where id = '.$id);
    return organize($items);
  }
}

Compliant Code Examples

<?php
class Test extends Controller
{
  public function get($user)
  {
    $users = DB::table('users')->where('user', $user)->get();
    return view('user.index', ['users' => $users]);
  }

  public function getAge($age)
  {
    $posts = Post::where('age', $age)->get();
    return view('user.index', ['users' => $posts]);
  }
}

class Bar
{
  function getInfo(Request $request) {
    $id = $request->input('id');
    $items = DB::table('items')->where('id', $id)->select('price')->get();
    return organize($items);
  }
}

class Baz extends FormRequest
{
  public function getInfo(){
    $id = $this->input('id');
    $items = DB::table('items')->where('id', $id)->select('price')->get();
    return organize($items);
  }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

PREVIEWING: esther/docs-9518-update-example-control-sensitive-log-data