数据库::语句(); 在 Laravel (5.5)

Question

I'm building an application with Laravel 5.5 and I have to run some SQL queries for extended PostgreSQL which are not supported by Eloquent ORM (PostGIS). Instead, I use DB::statement($queryString); to insert data into database. $queryString is built from input variables concatenated with pre-built SQL statement.

Here is the code from my controler (note that actual query is more complex, this is just an example):

/**
 * Store a newly created resource in storage.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return \Illuminate\Http\Response
 */
public function store(Request $request)
{   
    $id= $request->input('id');
    $name= $request->input('name');
    $geom = $request->input('geom');

    $geom = DB::raw("ST_TRANSFORM(ST_GeomFromGeoJSON('".$geom."'), 3857)");


    $statement = "INSERT INTO tableName(id, name) VALUES ('".$id."', '".$name."', ".$geom.");";
    DB::statement($statement);
    return 'Insert Successful';
}

I have two question about this approach:

1. How can I protect my application from SQL injection attacks?

2. How can I check if query ran successfully? DB::statement doesn't seem to return anything.

Answer 1

In general, according to OWASP , there are four ways to protect against SQL injection.

1. Prepared Statements
2. Stored Procedures
3. White list/ input validation
4. Escape ALL user supplied input

In your case, for Laravel 5+ where the Eloquent ORM will not work directly, I think the best option is #1, Prepared Statements .

More specifically, in Laravel you can achieve it's built in Query Builder to either iteratively build statements or execute a completely raw SQL statement with

DB:: select ( [raw query string] )

SOURCE

SO Post: Laravel, execute raw queries

Answer 2

1, use parameter bindings to safeguard your queries. Example:

$users = DB::select('select * from users where active = ?', [1]);

https://laravel.com/docs/5.5/database#running-queries

As for #2, wrap your queries in database transactions . That will protect against failures. Example:

DB::transaction(function () {
    DB::table('users')->update(['votes' => 1]);

    DB::table('posts')->delete();
});

Answer 3

you can make this after importing

use Illuminate\Support\Facades\DB;

you can right your query like that

$quert=DB::insert('insert into tablename (columnname1,columnname2,) values (?,?)',[$id,$username]);

and if you wanna insert whole data to table but when is there is no data in table except id and user name

$quert=DB::insert('insert into tablename values (?,?)',[$id,$username]);

the question mark is question mark ? :D dont put any input here and you are welcome

edited:

about How can I protect my application from SQL injection attacks? you can make this from middlewares ,using Cross-Site Scripting like

{% raw %} {{}} {% endraw %}

with CSRF

<form ...>
{!! csrf_field() !!}
</form>

for second question you have multi thing

1- easy way

you can return your query if you select it will return selection if it inserted/updated/deleted it will be true if not it will be false

                return response()->json([
                'Message'=>'what ever you wanna write',
                'Data' => $query,
                 ], 200);

2- hard way (i prefered :D)

you can use DB::listen for debugging

DB::listen(function ($query) {
// $query->sql
// $query->bindings
// $query->time
});