Do not concatenate variables directly into SQL statements. Doing so creates a SQL injection vulnerability: raw SQL built from untrusted input exposes your database to malicious queries, potentially leading to data loss, data corruption, and unauthorized access to sensitive data.
A common way to inject malicious code is through user input fields, where an attacker can input SQL code that will be executed by the server. This can lead to various harmful actions such as data extraction, modification, or even deletion.
To avoid this, you can use prepared statements or parameterized queries. These techniques ensure that user input is always treated as plain text and not executable code. This way, even if an attacker attempts to input SQL code, it will not be executed by the server. Instead, it will be treated as a simple string, maintaining the security of your application.
Non-Compliant Code Examples
```php
<?php

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class Test extends Controller
{
    public function get($user)
    {
        // Non-compliant: $user is concatenated straight into the raw SQL text.
        $users = DB::table('users')->whereRaw('user = "' . $user . '"')->get();

        return view('user.index', ['users' => $users]);
    }

    public function getAge($age)
    {
        // Non-compliant: the same concatenation pattern on an Eloquent model.
        $posts = Post::whereRaw('age = "' . $age . '"')->get();

        return view('user.index', ['users' => $posts]);
    }
}

class Bar
{
    function getInfo(Request $request)
    {
        // Non-compliant: request input flows unmodified into selectRaw().
        $id = $request->input('id');
        $items = DB::table('items')->selectRaw('price * where id = ' . $id);

        return organize($items);
    }
}

class Baz extends FormRequest
{
    public function getInfo()
    {
        // Non-compliant: the same flow from a FormRequest's own input.
        $id = $this->input('id');
        $items = DB::table('items')->selectRaw('price * where id = ' . $id);

        return organize($items);
    }
}
```
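The parameterized counterpart of the code above, as an added example that is not part of the original page: the same lookups written with Laravel's query-builder bindings, plus input validation for the id. `SafeTest`, `SafeBar`, the `Post` model's column names and the `1.2` multiplier are assumptions for illustration.

```php
<?php

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class SafeTest extends Controller
{
    public function get(string $user)
    {
        // where() sends $user to the driver as a bound parameter, so a quote
        // or a "--" inside it stays part of the string being compared.
        $users = DB::table('users')->where('user', '=', $user)->get();

        return view('user.index', ['users' => $users]);
    }

    public function getAge(string $age)
    {
        // When raw SQL is genuinely needed, the value goes in the bindings
        // array; the SQL text itself never contains user-controlled characters.
        $posts = Post::whereRaw('age = ?', [$age])->get();

        return view('user.index', ['users' => $posts]);
    }
}

class SafeBar
{
    public function getInfo(Request $request)
    {
        // Binding alone is correct; validating the shape as well rejects
        // junk early and keeps the id an integer for the rest of the code.
        $validated = $request->validate([
            'id' => ['required', 'integer', 'min:1'],
        ]);

        // selectRaw() also takes a bindings array, so even a raw expression
        // never has a value concatenated into it (1.2 is an assumed multiplier).
        $items = DB::table('items')
            ->selectRaw('price * ? as total', [1.2])
            ->where('id', '=', (int) $validated['id'])
            ->get();

        return organize($items);
    }
}
```

Named bindings behave the same way for hand-written queries, e.g. `DB::select('select * from items where id = :id', ['id' => $id])`, and for plain PDO via `prepare()` followed by `execute()`.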