How to run raw queries safely in Laravel

Tram Ho

Sometimes a requirement calls for running raw SQL in Laravel. In this article you will learn how to run raw queries in Laravel and how to prevent SQL injection while doing so.


  • A working Laravel application and the willingness to learn
  • The examples here are deliberately simple, but they give you enough detail to run complex queries the same way

Running RAW Queries Syntax

To run raw queries, use the DB::select() method. It takes the SQL string as its first argument and, optionally, an array of bindings as its second argument.

Problem (SQL Injection)

Suppose you run a raw query like the following.

For example, I want to fetch posts by a given author whose published_on date is later than a given date.

There is nothing wrong with the query itself; it works.

What about security? Security matters in every application: even one you run purely for internal purposes may one day be published somewhere for remote access.

Notice that published_on >= $publishedDate and author = $author interpolate the variables directly into the SQL string. That is the real vulnerability: whoever controls those values controls the query, and your database is open to SQL injection.

Solution (Positional Bindings & Named Bindings)

Positional Bindings (?)

With positional bindings, each value in the query is replaced by a ? placeholder, and the actual values are passed as a plain array in the second argument, in the same order as the placeholders appear.

NOTE: "same order" means that, in the example, published_on appears first in the query, so $publishedDate comes first in the bindings array, followed by $author for author.


Named Binding (:)

With named bindings, the placeholder is a colon followed by a name, for example :publishedOn, and the second argument is an associative array keyed by those names. The order of the array no longer matters.

Either form sends the values to the database separately from the SQL text (Laravel runs the query as a PDO prepared statement), which is what prevents SQL injection.
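The following is an added example, not code from the original article. It places the vulnerable interpolated query from the Problem section next to the positional and named binding versions, and runs all three against a legitimate author name and a constructed tautology payload. It uses the Capsule manager from illuminate/database on an in-memory SQLite database so it runs outside a full Laravel application (assumptions: `composer require illuminate/database` has been run, and the `posts` table and its rows are constructed here). Inside a Laravel app, `Capsule::` is simply `DB::`; the select()/bindings API is the same.

```php
<?php
// Added example (not from the original article). Vulnerable string interpolation
// versus positional (?) and named (:name) bindings with DB::select().
// Assumption: illuminate/database is installed via composer; in a Laravel app use
// DB:: instead of Capsule::.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Capsule\Manager as Capsule;

$capsule = new Capsule;
$capsule->addConnection(['driver' => 'sqlite', 'database' => ':memory:']);
$capsule->setAsGlobal();

// Constructed sample table and rows (assumption: a `posts` table with these columns).
Capsule::statement('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, author TEXT, published_on TEXT)');
Capsule::insert('INSERT INTO posts (title, author, published_on) VALUES (?, ?, ?)', ['Alpha', 'alice', '2024-01-10']);
Capsule::insert('INSERT INTO posts (title, author, published_on) VALUES (?, ?, ?)', ['Beta', 'bob', '2024-02-20']);
Capsule::insert('INSERT INTO posts (title, author, published_on) VALUES (?, ?, ?)', ['Gamma', 'alice', '2023-12-01']);

// 1. VULNERABLE: the values are interpolated into the SQL text, so the caller
//    can change the structure of the query, not just the values compared.
function findPostsVulnerable(string $publishedDate, string $author): array
{
    return Capsule::select(
        "select * from posts where published_on >= '$publishedDate' and author = '$author'"
    );
}

// 2. Positional bindings: ? placeholders, values passed in the same order.
function findPostsPositional(string $publishedDate, string $author): array
{
    return Capsule::select(
        'select * from posts where published_on >= ? and author = ?',
        [$publishedDate, $author]
    );
}

// 3. Named bindings: :name placeholders, keyed array, order does not matter.
function findPostsNamed(string $publishedDate, string $author): array
{
    return Capsule::select(
        'select * from posts where published_on >= :publishedOn and author = :author',
        ['author' => $author, 'publishedOn' => $publishedDate]
    );
}

$publishedDate = '2024-01-01';
$author = 'alice';

// Legitimate input: all three variants answer the same question.
printf("vulnerable: %d rows\n", count(findPostsVulnerable($publishedDate, $author)));
printf("positional: %d rows\n", count(findPostsPositional($publishedDate, $author)));
printf("named:      %d rows\n", count(findPostsNamed($publishedDate, $author)));

// Constructed hostile input: a tautology that closes the quoted string and
// appends an always-true OR clause.
$hostileAuthor = "x' or '1'='1";
printf("vulnerable with payload: %d rows\n", count(findPostsVulnerable($publishedDate, $hostileAuthor)));
printf("positional with payload: %d rows\n", count(findPostsPositional($publishedDate, $hostileAuthor)));
printf("named with payload:      %d rows\n", count(findPostsNamed($publishedDate, $hostileAuthor)));
```

With the legitimate input every variant returns the single Alpha row. With the payload, the interpolated query becomes `... and author = 'x' or '1'='1'`, so the author filter is bypassed and every row in the table comes back; the two bound variants treat the whole payload as a literal author name and return nothing. That difference, not any escaping, is why bindings are the fix.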



You can technically run any CRUD statement through DB::select(), but you should not: Laravel provides DB::select(), DB::insert(), DB::update(), DB::delete() and DB::statement() for the respective operations, each with the return value that operation needs.


CRUD OPERATIONS (DB::select(), DB::update(), DB::insert(), DB::delete(), DB::statement())

Tip: I usually prefer named bindings (:name) because they are more readable and easier to maintain later.


Fetch Details – DB::select()

To retrieve records from the database, use this method as you saw earlier. It returns an array of result rows, each row being a stdClass object.


Insert Details – DB::insert()

To insert into a database table, use this method. It takes the query as its first parameter and the values (bindings) as its second, and returns true on success.


Update Details – DB::update()

To update existing records, use DB::update() with the same query-and-bindings arguments. It returns the number of rows affected.


Delete Details – DB::delete()

To delete records, use DB::delete() the same way. It returns the number of rows affected.


Generic Statements – DB::statement()

Some statements (DDL such as creating or dropping a table, for example) return no result set. Run those with DB::statement(), which returns true on success.
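The following is an added example, not code from the original article. It exercises each of the CRUD methods above with bindings and shows what each returns, then demonstrates the one limit of bindings that a practitioner needs to know: placeholders bind values only, so a user-controlled column name or sort direction has to be checked against an allow-list before it is placed in the query string. As before, it uses illuminate/database's Capsule manager on an in-memory SQLite database (assumption: `composer require illuminate/database`; the `posts` table is constructed here); in a Laravel app `Capsule::` is `DB::`.

```php
<?php
// Added example (not from the original article): the CRUD methods with bindings,
// their return values, and an allow-list for identifiers that cannot be bound.
// Assumption: illuminate/database is installed via composer; in a Laravel app use
// DB:: instead of Capsule::.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Capsule\Manager as Capsule;

$capsule = new Capsule;
$capsule->addConnection(['driver' => 'sqlite', 'database' => ':memory:']);
$capsule->setAsGlobal();

// DB::statement(): DDL and other statements with no result set; returns bool.
$created = Capsule::statement(
    'CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, author TEXT, published_on TEXT)'
);

// DB::insert(): returns bool. Named bindings on the first row, positional on the second.
$inserted = Capsule::insert(
    'insert into posts (title, author, published_on) values (:title, :author, :publishedOn)',
    ['title' => 'Alpha', 'author' => 'alice', 'publishedOn' => '2024-01-10']
);
Capsule::insert(
    'insert into posts (title, author, published_on) values (?, ?, ?)',
    ['Beta', 'bob', '2024-02-20']
);

// DB::update(): returns the number of affected rows.
$updated = Capsule::update(
    'update posts set author = :newAuthor where author = :oldAuthor',
    ['newAuthor' => 'carol', 'oldAuthor' => 'alice']
);

// DB::delete(): returns the number of affected rows.
$deleted = Capsule::delete('delete from posts where published_on < ?', ['2024-02-01']);

// DB::select(): returns an array of stdClass rows.
$rows = Capsule::select('select id, title, author from posts order by id');

printf(
    "statement: %s, insert: %s, updated: %d, deleted: %d, remaining: %d\n",
    var_export($created, true), var_export($inserted, true), $updated, $deleted, count($rows)
);

// Caveat: placeholders bind VALUES only. Column names, table names and the
// ORDER BY direction are part of the SQL text and cannot be passed as
// bindings, so anything user-controlled there must be validated first.
function orderedPosts(string $column, string $direction): array
{
    // Allow-list of sortable columns (assumption: matches the posts table above).
    $allowedColumns = ['id', 'title', 'author', 'published_on'];
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $column");
    }
    // Only two possible tokens reach the query; anything else becomes ASC.
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';

    return Capsule::select("select * from posts order by $column $direction");
}

foreach (orderedPosts('title', 'desc') as $post) {
    echo $post->title, PHP_EOL;
}

// A column name that is not on the allow-list is rejected before it ever
// reaches the SQL string.
try {
    orderedPosts('title; drop table posts', 'asc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list check runs before the string is built, so the identifier that reaches the query is always one of a fixed set of literals the developer wrote, never the caller's input. That is the general rule for raw SQL in Laravel: bind every value, and validate against a fixed list everything that cannot be bound.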



Hope you really enjoyed this article, if so share it with your friends.




Source : Viblo