Search code examples
laravel-4

How to prevent SQL injection in Laravel?


In my controller I have this code:

public function create($brand_id)
{
    Brand::findOrFail($brand_id);
}

and this:

public function search() 
{
    $q = Input::get('q');
    $brands = Brand::where('title', 'LIKE', '%'.$q.'%')->take(80)->get();

Is this code safe? By "safe" I mean SQL injection safe. Or should I do some variable clean up here? And what is the best way for cleaning up user input? Thanks a lot for helping me :)


Solution

  • yes Eloquent uses parameter binding behind the scene, which safely escapes any input used in where().