How to Prevent SQL Injection in Laravel
SQL injection vulnerabilities in raw queries and improper Eloquent usage can expose your database. Learn how to write secure queries.
The Problem
SQL injection allows attackers to execute arbitrary SQL commands on your database by injecting malicious input through your application. While Laravel's Eloquent ORM uses parameterized queries by default, SQL injection vulnerabilities are introduced when developers use raw queries, DB::raw(), whereRaw(), or string concatenation with user input. A successful SQL injection can read, modify, or delete all data in your database.
How to Fix
1. Use parameterized queries instead of string concatenation
Never concatenate user input into SQL queries. Replace string concatenation with parameterized binding, so that user-supplied values travel to the database as bound parameters rather than as part of the SQL text.

2. Secure raw query methods
When using whereRaw(), orderByRaw(), or DB::raw(), always pass user-supplied values through the bindings array rather than interpolating them into the raw SQL string.

3. Validate and sanitize all input
Use Laravel validation to restrict input before it reaches queries. Validation prevents unexpected input types and lengths from reaching your database layer.

4. Use Eloquent ORM whenever possible
Eloquent automatically parameterizes all queries. Avoid raw queries unless Eloquent genuinely cannot express what you need. For complex queries, use the query builder with bindings rather than raw SQL strings.
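Putting the four steps together, as an added example that is not part of the original guide: a search handler that assumes a User model with name, email and created_at columns; the vulnerable form is shown only for contrast with the hardened one.

```php
<?php
// Added example, not from the guide: search endpoint applying steps 1-4.
// Assumes an App\Models\User model with name, email and created_at columns.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Validation\Rule;

// Step 1 violated: the pattern to remove. User input becomes part of the SQL text,
// so a term such as ' OR '1'='1 changes the query instead of being searched for.
function searchUsersVulnerable(Request $request)
{
    $term = $request->input('q');
    $sort = $request->input('sort', 'name');
    return DB::select(
        "SELECT * FROM users WHERE name LIKE '%" . $term . "%' ORDER BY " . $sort
    );
}

// Hardened version of the same endpoint.
function searchUsers(Request $request)
{
    // Step 3: validate type and length for values, and restrict identifiers
    // (column names, sort direction) to a whitelist, since they cannot be bound.
    $allowedSorts = ['name', 'email', 'created_at'];
    $data = $request->validate([
        'q'    => ['required', 'string', 'max:100'],
        'sort' => ['sometimes', Rule::in($allowedSorts)],
        'dir'  => ['sometimes', Rule::in(['asc', 'desc'])],
    ]);

    // Step 4: Eloquent / query builder methods bind the value as a parameter.
    // Concatenating the % wildcards builds the bound value, not the SQL text.
    $query = User::query()
        ->where('name', 'like', '%' . $data['q'] . '%')
        // Step 2: when raw SQL is needed, the value goes in the bindings array
        // and the SQL string contains only a ? placeholder.
        ->orWhereRaw('LOWER(email) LIKE ?', ['%' . strtolower($data['q']) . '%']);

    // Only the validated whitelist value reaches orderBy(); the raw request
    // string never does, which is the only safe way to handle identifiers.
    $sort = $data['sort'] ?? 'name';
    $dir  = $data['dir'] ?? 'asc';

    return $query->orderBy($sort, $dir)->paginate(25);
}
```

Note that % and _ inside q still act as LIKE wildcards; that affects which rows match but cannot alter the query structure, because the value is bound rather than interpolated.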
How to Verify
Test your forms by submitting SQL injection payloads in input fields:
' OR '1'='1
'; DROP TABLE users; --
1 UNION SELECT * FROM users
Your application should handle these as normal (invalid) input without errors or unexpected behavior. If you see database errors or unexpected data returned, you have a SQL injection vulnerability.
Prevention
Establish a coding standard that prohibits string concatenation in queries. Use static analysis tools like PHPStan or Psalm to detect unsafe query patterns. Code review all uses of DB::raw(), whereRaw(), selectRaw(), and havingRaw(). Run regular security audits of your codebase.
Frequently Asked Questions
Is Eloquent completely safe from SQL injection?
Standard Eloquent methods (where, find, create, update) are safe because they use parameterized queries. However, methods that accept raw SQL (whereRaw, orderByRaw, DB::raw, selectRaw) can be vulnerable if you pass unsanitized user input. Column names and table names cannot be parameterized and must be whitelisted.
Can SQL injection happen through URL parameters?
Yes. Any user-controlled input that reaches a database query is a potential injection point, including URL parameters, query strings, form fields, headers, cookies, and even uploaded file names. Always validate and parameterize regardless of the input source.
How do I audit my existing code for SQL injection?
Search your codebase for DB::raw, whereRaw, selectRaw, orderByRaw, havingRaw, DB::select, DB::statement, and DB::unprepared. Check each usage for user input being concatenated rather than bound. Tools like PHPStan with the Larastan extension can help identify some patterns automatically.