You can pass an array of bindings to most raw query methods to avoid SQL injection.
// This is vulnerable to SQL injection$fullname = request('full_name');User::whereRaw("CONCAT(first_name, last_name) = $fullName")->get(); // Use bindingsUser::whereRaw("CONCAT(first_name, last_name) = ?", [request('full_name')])->get();
Tip given by @cosmeescobedo
Enjoyed This Tip?
Get access to all premium tutorials, video and text courses, and exclusive Laravel resources. Join our community of 10,000+ developers.
Recent Courses on Laravel Daily
Practical Laravel Security: Packages, Secrets, Supply-Chain Attacks
7 lessons
43 min read
Laravel 13 Starter Kit Teams and Customizations
10 lessons
33 min
Testing in Laravel 13 For Beginners
26 lessons
1 h 41 min read