Recently the folks from Spatie released a security update for their
laravel-query-builder package. Turns out it was vulnerable to SQL Injection.
At the core of the vulnerability is the fact that Laravel offers a shorthand for querying only certain fields of JSON data, but that these do not get escaped when converted to a
Brent has a detailed writeup on this:
Instead of manually writing
json_extract, we can use the simplified
->syntax, which Laravel will convert to the correct SQL statement.
SELECT json_extract(`title`, '$."en"') FROM blogs;
Be careful though: Laravel won’t do any escaping during this conversion.
If you were to change
title->en – which could come from a URL or user input – to
title->en'#, you’re in …
Thankfully by now a fix authored by Brent has landed in Laravel 5.8.11 🙂