bpocallaghan/sluggable

SQL Injection

sergio91pt opened this issue · 1 comment

return static::whereRaw("{$this->slugOptions->slugField} LIKE '$slug%'")

If the "slug name" is based on user input, since $slug is not properly escaped, it can be used for SQL injection.
You should consider using the where method instead of whereRaw, or alternatively use the binding param.
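
The pattern and both suggested fixes, as an added example that is not code from bpocallaghan/sluggable. It reproduces the issue's query against an in-memory SQLite database through PDO so it runs stand-alone, with the Laravel equivalents of each form given in comments. Assumed: `$slugField` stands in for `$this->slugOptions->slugField`, a value that comes from package configuration rather than from the request; the table, rows and hostile input are constructed for the demonstration.

```php
<?php
// Added example, not code from bpocallaghan/sluggable. It reproduces the issue's
// whereRaw() pattern against an in-memory SQLite database through PDO so it runs
// stand-alone, and pairs it with the bound-parameter form that v1.2.2 moved to.
// Assumed: $slugField stands in for $this->slugOptions->slugField, a value that
// comes from package configuration, not from the request.

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT NOT NULL)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO posts (slug) VALUES ('hello-world'), ('hello-world-2'), ('unrelated')");
    return $pdo;
}

// Vulnerable form, equivalent to the issue's
//   static::whereRaw("{$this->slugOptions->slugField} LIKE '$slug%'")
// The slug is spliced into the SQL text, so a quote inside it ends the literal
// and whatever follows is parsed as SQL.
function slugsLikeRaw(PDO $pdo, string $slugField, string $slug): array
{
    $sql = "SELECT slug FROM posts WHERE {$slugField} LIKE '{$slug}%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed form, equivalent to Laravel's
//   static::where($slugField, 'LIKE', "$slug%")
// or, if whereRaw is kept, the binding-parameter form
//   static::whereRaw("{$slugField} LIKE ?", ["$slug%"])
// The slug travels as a bound value and is never parsed as SQL.
function slugsLikeBound(PDO $pdo, string $slugField, string $slug): array
{
    $stmt = $pdo->prepare("SELECT slug FROM posts WHERE {$slugField} LIKE ?");
    $stmt->execute(["{$slug}%"]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = makeDb();
$slugField = 'slug';

// Ordinary input behaves the same either way: both return the two hello-world rows.
var_dump(slugsLikeRaw($pdo, $slugField, 'hello'));
var_dump(slugsLikeBound($pdo, $slugField, 'hello'));

// Constructed hostile "slug name": the leading quote closes the LIKE literal and
// the remainder is read as SQL, turning the prefix filter into a tautology.
$hostile = "' OR 1=1 OR slug LIKE '";
var_dump(count(slugsLikeRaw($pdo, $slugField, $hostile)));   // 3: every row, the filter is gone
var_dump(count(slugsLikeBound($pdo, $slugField, $hostile))); // 0: matched literally as a prefix

// Bindings protect values only. $slugField is still interpolated as an identifier;
// that is acceptable while it comes from configuration, but it must never be
// taken from the request, since an identifier cannot be passed as a binding.
```

The last comment is the caveat a reviewer would add to the fix: switching to `where` or to `whereRaw` with bindings closes the hole for the slug value, but the column name in `slugOptions->slugField` is still concatenated into the query and has to stay under the package's (or the developer's) control.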

Hi @sergio91pt
Thanks for the feedback and information - I did not know that (was under the impression the raw queries also get escaped - silly me)

I've changed it to the where method and published a new release v1.2.2.

Please shout if you notice anything else, thanks for considering using the package!