You can pass an array of bindings to most raw query methods to avoid SQL injection.
This is vulnerable to SQL injection
$fullName = request('full_name');
// user input is interpolated straight into the SQL string
User::whereRaw("CONCAT(first_name, last_name) = $fullName")->get();
Use bindings
User::whereRaw("CONCAT(first_name, last_name) = ?", [request('full_name')])->get();
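A fuller illustration of the same point, added here and not part of the original post: positional and named bindings on Laravel's raw query methods, plus the case bindings cannot cover (identifiers such as a sort column), which needs an allow-list instead. It assumes a Laravel app with the default User model and a `users` table with `first_name` and `last_name` columns; the function names are this example's own.

```php
<?php
// Added example (not from the original post). Assumes a Laravel app with the
// default App\Models\User model and a `users` table that has `first_name`
// and `last_name` columns.

use App\Models\User;
use Illuminate\Support\Facades\DB;

// Vulnerable: the value is interpolated straight into the SQL string.
function findByFullNameUnsafe(string $fullName)
{
    return User::whereRaw("CONCAT(first_name, last_name) = '$fullName'")->get();
}

// Fixed: a positional `?` placeholder, value passed as a bound parameter.
function findByFullName(string $fullName)
{
    return User::whereRaw('CONCAT(first_name, last_name) = ?', [$fullName])->get();
}

// Named bindings work the same way on the DB facade.
function findByFullNameNamed(string $fullName): array
{
    return DB::select(
        'select * from users where CONCAT(first_name, last_name) = :name',
        ['name' => $fullName]
    );
}

// Bindings only cover values. Column names, table names and SQL keywords
// cannot be bound, so validate those against an allow-list of your own
// literals and still bind any value that goes into the same query.
function searchSorted(string $needle, string $column, string $direction)
{
    $allowedColumns = ['first_name', 'last_name', 'created_at'];
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $column");
    }
    $direction = strtolower($direction) === 'desc' ? 'desc' : 'asc';

    return User::whereRaw('last_name LIKE ?', ['%' . $needle . '%'])
        ->orderByRaw("$column $direction") // safe only because both are allow-listed literals
        ->get();
}
```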