
I would like to know, when we use a raw query inside the Laravel query builder as in the following:

    $salesdata = DB::table('HEADER')
        ->join('BRANCH', 'HEADER.BRANCHCODE', '=', 'BRANCH.BRANCHCODE')
        ->select(
            'HEADER.BRANCHCODE',
            'BRANCH.BRANCHNAME',
            DB::raw('SUM("HEADER"."AMT") as netamt'),
            // The original fragment read SUM("T_CASH_HEADER"."TAX2"), a table this
            // query never joins, so the database would reject it; "HEADER"."TAX2" is
            // assumed here.
            DB::raw('SUM("HEADER"."AMT") + SUM("HEADER"."DISCOUNT") - SUM("HEADER"."TAX1") - SUM("HEADER"."TAX2") as grossamt'),
            DB::raw('SUM("HEADER"."COVER") as NetCover'),
            DB::raw('SUM("HEADER"."DISCOUNT") as discount'),
            DB::raw('SUM("HEADER"."TAX1") as tax'),
            DB::raw('round(SUM("HEADER"."AMT")/SUM("HEADER"."COVER"), 2) as avg')
        )
        // $fromDate and $toDate are the only runtime values in the whole query;
        // whereBetween() turns them into two bound parameters.
        ->whereBetween('HEADER.INVOICEDATE', [$fromDate, $toDate])
        ->groupBy('BRANCH.BRANCHCODE', 'BRANCH.BRANCHNAME', 'HEADER.BRANCHCODE')
        // AMT is neither grouped nor aggregated, so ordering by it is invalid in a
        // GROUP BY query; order by the aggregate alias instead (constant SQL, no input).
        ->orderByRaw('netamt asc')
        ->get();

I would like to know whether the above query can be considered safe from SQL injection when using Laravel.

You'd have to look at the Laravel source code and see what it does with the variables you give it. Hopefully it parameterises them. – ADyson

1 Answer


No, you didn't pass any user input to your select statement except in the ->whereBetween('HEADER.INVOICEDATE', [$fromDate, $toDate]) statement, and this will use PDO parameter binding to prevent SQL injection. So, it is safe!
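The distinction the answer relies on is where the request data ends up: DB::raw() is inserted into the SQL text verbatim, while whereBetween(), whereRaw('... ?', [...]) and selectRaw('... ?', [...]) ship values as PDO bindings. The following is an added example, not code from the question or the answer. It assumes the illuminate/database package is installed (composer require illuminate/database) so the Laravel query builder can be driven stand-alone through Capsule; the tables, rows, the two injection payloads and the $requestedSort value are all constructed for the demonstration.

```php
<?php
// Added example: drives the Laravel query builder stand-alone via Capsule
// (assumes `composer require illuminate/database`) against an in-memory SQLite
// database filled with constructed rows named after the tables in the question.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Capsule\Manager as Capsule;

$capsule = new Capsule;
$capsule->addConnection(['driver' => 'sqlite', 'database' => ':memory:', 'prefix' => '']);
$capsule->setAsGlobal();
$db = $capsule->getConnection();

// Constructed schema and sample data.
$db->statement('CREATE TABLE BRANCH (BRANCHCODE TEXT, BRANCHNAME TEXT)');
$db->statement('CREATE TABLE HEADER (BRANCHCODE TEXT, INVOICEDATE TEXT, AMT REAL, COVER INTEGER)');
$db->table('BRANCH')->insert([
    ['BRANCHCODE' => 'B01', 'BRANCHNAME' => 'Main'],
    ['BRANCHCODE' => 'B02', 'BRANCHNAME' => 'Airport'],
]);
$db->table('HEADER')->insert([
    ['BRANCHCODE' => 'B01', 'INVOICEDATE' => '2024-01-05', 'AMT' => 100, 'COVER' => 2],
    ['BRANCHCODE' => 'B01', 'INVOICEDATE' => '2024-01-20', 'AMT' => 50,  'COVER' => 1],
    ['BRANCHCODE' => 'B02', 'INVOICEDATE' => '2024-02-01', 'AMT' => 80,  'COVER' => 4],
]);

// Constructed attacker-controlled input, as if read straight from the request.
$fromDate = '2024-01-01';
$toDate   = "2024-01-31' OR '1'='1";   // tautology payload hidden in a "date"
$branch   = "B01' OR 1=1 --";          // "--" would comment out the rest of the statement

// 1. The question's pattern is safe: DB::raw() only carries constant SQL the
//    developer wrote, and the request values enter through whereBetween(),
//    which compiles to "between ? and ?" and passes the values as PDO bindings.
$safe = $db->table('HEADER')
    ->join('BRANCH', 'HEADER.BRANCHCODE', '=', 'BRANCH.BRANCHCODE')
    ->select('HEADER.BRANCHCODE', 'BRANCH.BRANCHNAME',
        $db->raw('SUM("HEADER"."AMT") as netamt'),
        $db->raw('round(SUM("HEADER"."AMT")/SUM("HEADER"."COVER"), 2) as avg'))
    ->whereBetween('HEADER.INVOICEDATE', [$fromDate, $toDate])
    ->groupBy('HEADER.BRANCHCODE', 'BRANCH.BRANCHNAME');

echo $safe->toSql(), "\n";       // ... "HEADER"."INVOICEDATE" between ? and ? ...
print_r($safe->getBindings());   // the payload is just the second bound string
$rows = $safe->get();
echo $rows->count(), " group(s)\n";   // 1: only B01; the payload was compared as a plain string

// 2. The thing never to do: interpolating request input into a raw fragment.
//    The attacker's text becomes part of the SQL itself, so nothing can bind it.
$unsafe = $db->table('HEADER')
    ->select($db->raw('SUM("HEADER"."AMT") as netamt'))
    ->whereRaw("HEADER.BRANCHCODE = '$branch'");   // INJECTABLE
echo $unsafe->toSql(), "\n";          // ... where HEADER.BRANCHCODE = 'B01' OR 1=1 --'
echo $unsafe->value('netamt'), "\n";  // 230: the sum over every branch, not just B01

// 3. Hardened form of the same raw fragment: keep the SQL constant and hand the
//    value to whereRaw() as a binding, exactly as whereBetween() does internally.
$fixed = $db->table('HEADER')
    ->select($db->raw('SUM("HEADER"."AMT") as netamt'))
    ->whereRaw('HEADER.BRANCHCODE = ?', [$branch]);
echo $fixed->toSql(), "\n";           // ... where HEADER.BRANCHCODE = ?
var_dump($fixed->value('netamt'));    // NULL: no branch is literally named "B01' OR 1=1 --"

// 4. Identifiers (column or table names, sort direction) cannot be bound at all.
//    If the sort column comes from the request, map it through an allowlist and
//    never pass the raw request string to orderBy()/orderByRaw().
$requestedSort = 'avg; DROP TABLE HEADER';   // constructed hostile input
$allowedSorts  = ['netamt' => 'netamt', 'avg' => 'avg'];
$sort = $allowedSorts[$requestedSort] ?? 'netamt';    // unknown key falls back to a constant
echo $safe->orderByRaw($sort . ' asc')->toSql(), "\n";   // ... order by netamt asc
```

Checking toSql() and getBindings() before running a query is the quickest way to answer the original question for any builder chain: every piece of request data should appear in the bindings array, and the SQL text should contain only ? placeholders and identifiers you chose yourself.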