Addressing SQL Injection Vulnerabilities with Raw Methods
Closed this issue · 2 comments
Ref the suggestion to Laravel core for Addressing SQL Injection Vulnerabilities with Raw Methods.
I'm happy to create a PR, where I've created this issue to discuss the implementation.
I note that you're currently using Rules, but this one might be easier to implement with Stubs; if so, I assume new folders /src/Stubs/ and /tests/Stubs/?
Also, I might need some guidance on how you would like to conditionally include these Stubs... I've only done this bit once before, using a StubFilesExtension class to conditionally getFiles().
Hi,
I thought about this today again. And there is a problem. PHPStan does not support stub merging or overriding. And since Larastan already provides stubs for query builder, we can't have new stubs here. So this feature needs to go to Larastan itself.
About implementation, yeah, Larastan already has a StubFilesExtension, so we need to add a new parameter to config (enableStrictStubs or something, defaulting to false), and if it is true, in the extension we include the folder with the stubs we want.
A side note: Larastan supports both Laravel 9 and 10. And in Laravel 10 some method definitions changed in query builder to accept \Illuminate\Contracts\Database\Query\Expression instead of \Illuminate\Database\Query\Expression. There is already an issue about it: larastan/larastan#1547 So if you want to use this typehint, then we need to also check the Laravel version and include the correct stubs for that.
I can also help with the implementation if you need any 👍🏽 And thanks in advance! I believe this will be very useful! Excited to see how it will come along 🤩
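As an added illustration of the implementation sketched in the comment above (this is not code from Larastan, Laravel, or either participant): a hypothetical `StrictStubFilesExtension` that only hands PHPStan an extra stub directory when an `enableStrictStubs` parameter is true, picks the Laravel 9 or Laravel 10 stub set by the installed version, and a sample stub that narrows `whereRaw()`'s `$sql` to an `Expression` or a PHPStan `literal-string`. The class, directory and parameter names are assumptions, and using `literal-string` is one suggested way to make interpolated user input show up as an error; the thread itself did not settle on it. The `phpstan.stubFilesExtension` tag and `parametersSchema` entry are the standard PHPStan registration mechanism.

```php
<?php
// File: src/StrictStubFilesExtension.php (hypothetical; not Larastan's own code)
declare(strict_types=1);

namespace Example\Larastan;

use PHPStan\PhpDoc\StubFilesExtension;

final class StrictStubFilesExtension implements StubFilesExtension
{
    public function __construct(private bool $enableStrictStubs)
    {
    }

    /** @return list<string> absolute paths of stub files PHPStan should load */
    public function getFiles(): array
    {
        if (!$this->enableStrictStubs) {
            return []; // default: behave exactly as before, no strict stubs
        }

        // Laravel 10 changed the raw-method signatures to the contract
        // Expression, so choose a stub set that matches the installed major
        // version (directory layout is an assumption of this example).
        $major = (int) explode('.', \Illuminate\Foundation\Application::VERSION)[0];
        $dir = __DIR__ . '/../stubs/strict/' . ($major >= 10 ? 'laravel10' : 'laravel9');

        return [$dir . '/QueryBuilder.stub'];
    }
}

/*
 * File: extension.neon (hypothetical registration of the class above)
 *
 * parametersSchema:
 *     enableStrictStubs: bool()
 * parameters:
 *     enableStrictStubs: false
 * services:
 *     -
 *         class: Example\Larastan\StrictStubFilesExtension
 *         arguments:
 *             enableStrictStubs: %enableStrictStubs%
 *         tags:
 *             - phpstan.stubFilesExtension
 */

/*
 * File: stubs/strict/laravel10/QueryBuilder.stub (hypothetical)
 *
 * <?php
 * namespace Illuminate\Database\Query;
 *
 * class Builder
 * {
 *     // literal-string only admits strings written in source code, so SQL
 *     // assembled from request data no longer type-checks here.
 *     /**
 *      * @param \Illuminate\Contracts\Database\Query\Expression|literal-string $sql
 *      * @param array<int|string, mixed> $bindings
 *      * @param 'and'|'or' $boolean
 *      * @return $this
 *      *\/
 *     public function whereRaw($sql, $bindings = [], $boolean = 'and');
 * }
 */

// Constructed sample of analysed application code, showing what the strict
// stub changes when enableStrictStubs is true:
function findUsers(string $input): void
{
    // Reported by PHPStan: "name = '...'" built from $input is string, not literal-string.
    \Illuminate\Support\Facades\DB::table('users')->whereRaw("name = '{$input}'")->get();

    // Accepted: the SQL text is a literal and the untrusted value travels as a binding.
    \Illuminate\Support\Facades\DB::table('users')->whereRaw('name = ?', [$input])->get();
}
```

The Laravel 9 stub set would be identical except that `$sql` is typed against `\Illuminate\Database\Query\Expression`, which is the version split the comment above refers to.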
Thanks, I think you're right, while there might be a way to get Larastan to load in custom stubs, because stubs cannot be merged (currently) that will make things complicated; so I'll continue the conversation over there, and look at the 9 vs 10 issue.