All Products

PHP Framework

Starter Kits

Packages

Developers

Resources

Upcoming Events

Learn

Watch series
Laracasts

Featured products

Cloud

Cloud New

A fully managed application platform for deploying and hosting Laravel applications.

Pay as you go pricing
Nightwatch

Nightwatch New

Unparalleled monitoring and insights into your application's performance.

Get started for free
Forge

Forge

Provision VPS servers and deploy on DigitalOcean, Akamai, Vultr, Amazon, Hetzner, and more.

Plans from $12 / month
Nova

Nova

The simplest and fastest way to build production-ready administration panels using Laravel.

Licenses from $99

PHP Framework

Starter Kits

Packages

Developers

Resources

Upcoming events

Learn

Watch series
Laracasts
Blog / General

Unique Rule SQL Injection Warning

Yesterday I received an email from a security researcher pointing out the possibility of SQL injection when user controlled input is passed as the "exclude ID" parameter of Laravel's unique rule, such as:

Rule::unique('users')->ignore($request->input('id'))

The <strong>unique</strong> rule's "exclude ID" feature is intended to only accept system-generated IDs, such as auto-incrementing IDs or UUIDs generated by your application, which is the only way the documentation demonstrates using the rule:

Rule::unique('users')->ignore($user->id)

However, if users depart from the documented usage of the feature and allows user controlled data to specify the "exclude ID" value or column, a maliciously crafted request could lead to an SQL injection attack.

Therefore, we have added a red warning to the unique validation rule documentation pointing out that the rule should only be used as documented and warning users against allowing user controlled input as a parameter to this rule.

It may be possible for the framework to prevent SQL injection even when developers accidentally allow user controlled input to be passed to this rule. We will explore this thoroughly in an upcoming Laravel release.

The documentation for this rule may be viewed here: https://laravel.com/docs/5.8/validation#rule-unique

Keep reading

General April 4, 2024

Encryption and the In-between

Last year, we introduced a simple but surprisingly useful feature to Laravel Forge: the ability to add notes to servers. While checking the uptake of this feature, we noticed that customers were often storing sensitive data in the field. We hadn’t designed notes to store sensitive information, so we found ourselves in a situation where we now needed to encrypt existing unencrypted data, while also allowing for new data to be inserted as encrypted data - at the same time, the dashboard needed to be able to show the notes correctly whether they had been encrypted or not. Our migration process looked like this: 1. Run a command that encrypts all existing unencrypted server notes. 2. Update our model to cast the `notes` field, encrypting or decrypting as required. To do this, we leaned on [Laravel’s custom casts](https://laravel.com/docs/11.x/eloquent-mutators#custom-casts) feature to handle this “sometimes encrypted” data. We created a new cast `SometimesEncrypted` that allowed us to gracefully decrypt the encrypted notes, or simply return the plaintext version which may have been available during the migration: ```php

James Brooks

General December 19, 2022

Laravel Loves PHP 8.2

Last week saw the official release of PHP 8.2, bringing with it features such as read-only classes, DNF types, and much more. As you may have noticed, we've been busy preparing the Laravel framework, first-party packages, and the surrounding ecosystem to provide support for this exciting new release of PHP. ## Laravel If you want to use PHP 8.2 with your Laravel project, you should update your dependencies to use the latest versions of the framework as well as the latest versions of all first-party packages such as Cashier, Passport, Scout, etc. ![image](https://laravel-blog-assets.s3.amazonaws.com/cuNz2q7vmF8us0h934JhSY5hprK8lAAZPXw0siF4.png "image") Of course, you should also ensure you update any third-party packages accordingly. ## Forge If you use Forge to provision servers and deploy your applications, you may now select PHP 8.2 when creating a server. ![image](https://laravel-blog-assets.s3.amazonaws.com/yB1Yo6zGuJFpwyQIJeOW1SoD5ZWwiU7Tdh23c1cC.png "image") You may also install PHP 8.2 on existing servers from the "PHP" tab of your server's management dashboard. ![image](https://laravel-blog-assets.s3.amazonaws.com/PeQjgVeQlbYkqJGMyEw4N6eZVb8Q8nfVL7wAdzlR.png "image") ## Vapor We have also updated Vapor to provide PHP 8.2 support for our native and Docker runtimes. To update your native runtime to PHP 8.2, set the `runtime` option of your application's `vapor.yml` file to `php-8.2:al2` and redeploy your application. ![image](https://laravel-blog-assets.s3.amazonaws.com/O3QpHQ2GEvCxUCvkw59b8xiDvInhFqsOwIHd5PfV.png "image") If you are using the Docker runtime, you may update the base image in your Dockerfile to `laravelphp/vapor:php82` and redeploy your application. ![image](https://laravel-blog-assets.s3.amazonaws.com/6Lfm3nfio9eUHv9z0oNdEzfdrZH5NOyuOHxbps9I.png "image") ## Envoyer If you use Envoyer to manage your application's deployments, you may now select PHP 8.2 from your server's settings. ![image](https://laravel-blog-assets.s3.amazonaws.com/FswmEfdErIUr7iFQKQZkKM5TyEWEs3jbNawQOQfI.png "image") At Laravel, we're committed to providing you with the most robust, modern, and developer-friendly PHP experience. We hope you're as eager as we are to get started with PHP 8.2. With these updates to the ecosystem, it really couldn't be simpler!

Joe Dixon

General August 9, 2022

Laravel: New DB Commands

Following last week's release, which again focused on Artisan, this week Laravel v9.24 introduces three new DB commands and more.

Taylor Otwell

Stay connected with the latest Laravel news

Laravel is the most productive way to
build, deploy, and monitor software.

Products

Packages

Resources

Partners