SQL Injection
sergio91pt opened this issue · 1 comments
sergio91pt commented
Line 172 in 29b0599
If the "slug name" is based on user input, since $slug
is not properly escaped, it can be used for SQL injection.
You should consider using the where method instead of whereRaw, or alternatively use the binding param.
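As an added illustration of the point above (this is not the package's code, and the line referenced in 29b0599 is not reproduced here), the following self-contained PHP script uses PDO with an in-memory SQLite table of constructed rows. findBySlugRaw interpolates the slug the way whereRaw("slug = '$slug'") does; findBySlugBound passes it as a bound parameter, which is what where('slug', $slug) or whereRaw('slug = ?', [$slug]) does in the query builder. The table, rows, function names and attacker string are assumptions made for the example.

```php
<?php
// Added example, not the package's code. Shows why a user-supplied $slug
// interpolated into a raw SQL fragment is injectable and how a bound
// parameter fixes it. Table and rows are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, published INTEGER)');
$pdo->exec("INSERT INTO posts (slug, title, published) VALUES
    ('hello-world', 'Hello', 1),
    ('secret-draft', 'Unpublished draft', 0)");

// Vulnerable: mirrors ->whereRaw("slug = '$slug'"). whereRaw() hands the string
// to the driver verbatim; nothing escapes the value for you.
function findBySlugRaw(PDO $pdo, string $slug): array
{
    $sql = "SELECT title FROM posts WHERE published = 1 AND slug = '$slug'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: mirrors ->where('slug', $slug) or ->whereRaw('slug = ?', [$slug]).
// The value travels as a bound parameter and is never part of the SQL text.
function findBySlugBound(PDO $pdo, string $slug): array
{
    $stmt = $pdo->prepare('SELECT title FROM posts WHERE published = 1 AND slug = ?');
    $stmt->execute([$slug]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: closes the quoted literal and appends a
// condition that is always true, defeating the published = 1 filter.
$malicious = "x' OR '1'='1";

print_r(findBySlugRaw($pdo, 'hello-world'));
print_r(findBySlugRaw($pdo, $malicious));
print_r(findBySlugBound($pdo, $malicious));
```

With the raw variant the WHERE clause becomes published = 1 AND slug = 'x' OR '1'='1', which SQL evaluates as (published = 1 AND slug = 'x') OR true, so the unpublished row is returned as well. The bound variant looks for a slug whose literal value is the whole attacker string and matches nothing. The same applies to any value that reaches whereRaw, orderByRaw or selectRaw from a request: either keep it out of the SQL string entirely or supply it through the bindings array.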
bpocallaghan commented
Hi @sergio91pt
Thanks for the feedback and information - I did not know that (was under the impression the raw queries also gets escaped - silly me)
I've changed it to the where method and published a new release v1.2.2.
Please shout if you notice anything else, thanks for considering using the package!