Resource Center  >  Blog

SQL Injection in Laravel: Everything You Need to Know

November 14, 2023
Nedim Maric

Laravel is growing and becoming one of, if not the most popular PHP framework present today. In fact, Cloudways ranks Laravel as the best PHP framework, even though the competition at the top is fierce when you take into consideration that PHP powers the majority of websites online. 

Just like Laravel is the top framework in its own domain, SQL Injection is perhaps the most popular vulnerability, partially because of its simplicity, but also because of the simple fact that a lot of websites rely on SQL, making them all a prime target for this vulnerability. 

Oftentimes, you’ll find that the developers take security for granted, especially when working with frameworks. The logic is that the framework already has the security aspect covered and that any potential vulnerabilities are taken care of by themselves.

Unfortunately, that couldn’t be farther from the truth.

Eloquent ORM in Laravel

SQL queries in Laravel are inherently safe – you’ll usually utilize Eloquent ORM to fetch the data. Eloquent comes built-in with the framework, and it’s very intuitive to use. 

Not only that, but the MVC pattern allows seamless integration with the database where the models are automatically connected to the database, so you don’t even need to waste time writing pure SQL queries in order to create tables & rows initially. All you need to do is simply generate the model, migrate the database and you’re good to go!

The database communication is very straightforward, too: for example, if you have a database of cars, you can simply fetch the ones you want with the following command:

$powerfulCars = Car::where('horsepower', '>', 150)->take(50)->get();
foreach ($powerfulCars as $car)

You can also shortcut your way to finding a record if you have the id you’re looking for with:

$car = Car::find(5);

There’s a ton of documentation on Eloquent ORM you can read here. You’ll quickly realize that these features offer many pre-made options where you don’t have to reinvent the wheel.

And this is where however comes in.

SQL Injection in Laravel

The idea with Eloquent ORM is that it helps you streamline database calls, but what it also does is give you the flexibility to create raw database queries, and that’s where the trouble starts.

If you’re more of a visual type, don’t miss out on a great short guide by Povilas Korop:

For example, here’s a very dangerous query you could write::

$users = DB::select("SELECT id FROM users WHERE username='" + user + "' AND password='" + pass + "'");

In this scenario, we’re giving a wide-open passage to a potential SQL Injection happening.

SELECT id FROM users WHERE username='user' AND password='pass' OR 5=5'

Some of these potential vulnerabilities might seem obvious at first glance, but things change when developing complex and large applications, especially in a team-based environment with multiple developers, each of whom might not be aware of the pitfalls. You could easily get carried away with writing dangerous code such as this one. 

How to Prevent SQL Injection in Laravel

Just like in real life, preventing vulnerabilities always seems so simple, and yet, the simplest advice usually works a lot of the time. 

The general rule you can apply is using ORM for general database queries only, and then working with & shaping the data in the application itself. While this approach is very safe, it gets pretty impractical as your application scales, requiring more speed and faster database responses, which is simply impossible with this concept.

However, what you can always do in order to prevent SQL Injection when using Laravel, is actively avoiding using raw queries unless they’re an absolute necessity, in which case you should use SQL bindings, a method that Eloquent uses to keep its own queries safe. That way, you get the best of both worlds – the speed of the Eloquent ORM and the scalability of your application.


In conclusion, Laravel has established itself as a leading PHP framework, renowned for its versatility and robust features. However, just as it rises to the top in its domain, SQL Injection remains a prevalent and dangerous vulnerability, particularly given the widespread use of SQL in web development.

It is a common misconception among developers that Laravel’s framework inherently guarantees security, leading them to neglect proper precautions. In reality, this assumption couldn’t be further from the truth.

Using Laravel’s Eloquent ORM enables developers to freely communicate with the database and build new features on the fly without having to think or worry about security issue. And while it’s always recommended to avoid using raw queries, it’s not an impossible task to use them and still be on the safe side – it only takes a bit more time, but in the long run – it’s always worth it!

Related topics

Understanding the Emerging Threat to Your Applications and APIs In today’s digital-driven world, applications and APIs are the linchpins of

See more

Artificial intelligence (AI) has emerged as a transformative force in today’s business landscape, touching virtually every industry with its disruptive

See more

The alarming rise in Software Supply Chain (SSC) attacks has catapulted this issue into a hot topic in the cybersecurity

See more

Test Your Web App for 10,000+ Attacks

  • Find & fix vulnerabilities fast
  • Zero false positives
  • Developer friendly
See Our Dynamic Application Security Testing (DAST) in Action
and see how easy AppSec can be
Get Started
Read Bright Security reviews on G2