- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: php-security/laravel-raw-sql-injection
Language: PHP
Severity: Error
Category: Security
CWE: 89
Do not input variables directly into SQL statements. This is important due to the security vulnerabilities it can create. Raw SQL injections can expose your database to malicious attacks, potentially leading to data loss, data corruption, and unauthorized access to sensitive data.
A common way to inject malicious code is through user input fields, where an attacker can input SQL code that will be executed by the server. This can lead to various harmful actions such as data extraction, modification, or even deletion.
To avoid this, you can use prepared statements or parameterized queries. These techniques ensure that user input is always treated as plain text and not executable code. This way, even if an attacker attempts to input SQL code, it will not be executed by the server. Instead, it will be treated as a simple string, maintaining the security of your application.
<?php
class Test extends Controller
{
public function get($user)
{
$users = DB::table('users')->whereRaw('user = "'.$user.'"')->get();
return view('user.index', ['users' => $users]);
}
public function getAge($age)
{
$posts = Post::whereRaw('age = "'.$age.'"')->get();
return view('user.index', ['users' => $posts]);
}
}
class Bar
{
function getInfo(Request $request) {
$id = $request->input('id');
$items = DB::table('items')->selectRaw('price * where id = '.$id);
return organize($items);
}
}
class Baz extends FormRequest
{
public function getInfo(){
$id = $this->input('id');
$items = DB::table('items')->selectRaw('price * where id = '.$id);
return organize($items);
}
}
<?php
class Test extends Controller
{
public function get($user)
{
$users = DB::table('users')->where('user', $user)->get();
return view('user.index', ['users' => $users]);
}
public function getAge($age)
{
$posts = Post::where('age', $age)->get();
return view('user.index', ['users' => $posts]);
}
}
class Bar
{
function getInfo(Request $request) {
$id = $request->input('id');
$items = DB::table('items')->where('id', $id)->select('price')->get();
return organize($items);
}
}
class Baz extends FormRequest
{
public function getInfo(){
$id = $this->input('id');
$items = DB::table('items')->where('id', $id)->select('price')->get();
return organize($items);
}
}