Vulny-Code-Static-Analysis/vulns/laravel-api-route-sql-injec...

27 lines
817 B
PHP
Raw Normal View History

2022-04-30 13:00:48 +00:00
<?php
// https://www.cloudways.com/blog/laravel-security/
Route::get('this-is-prone-to-sql-injection', function($name) {
return DB::select(
// ruleid: laravel-api-route-sql-injection
DB::raw("SELECT * FROM users WHERE name = $name"));
});
Route::get('this-is-also-prone-to-sql-injection', function($name) {
return DB::select(
// ruleid: laravel-api-route-sql-injection
DB::raw("SELECT * FROM users WHERE name = " . $name));
});
Route::get('this-is-prone-to-sql-injection-too', function($name) {
return DB::select(
// ruleid: laravel-api-route-sql-injection
DB::raw("SELECT * FROM users WHERE name = $name AND someproperty = foo"));
});
Route::get('safe-from-sql-injection', function($name) {
return DB::select(
// ok: laravel-api-route-sql-injection
DB::raw("SELECT * FROM users WHERE name = ?", [$name]));
});
?>