Validation SQL Injection Analyzer PRO

Category	Severity	Time To Fix
🛡️ Security	⚠️ Critical	10 minutes

Class: Enlightn\EnlightnPro\Analyzers\Security\ValidationSQLInjectionAnalyzer

Introduction

This analyzer scans your application code to detect possible validation rule SQL injection vulnerabilities.

If your application passes user controlled request input to the ignore method of the unique rule, your application will be vulnerable to a SQL injection attack.

Consider the following code:

use Illuminate\Validation\Rule;

Rule::unique('users')->ignore($request->input('user_id'));

The code above is vulnerable to SQL injection attacks because it passes user input to the ignore method of the unique rule.

Passing user data to the second parameter will also result in a SQL injection vulnerability:

use Illuminate\Validation\Rule;

Rule::unique('users')->ignore(5, $request->get('userid_col'));

How To Fix

To fix this issue, do not pass any user input data to the ignore method:

use Illuminate\Validation\Rule;

Rule::unique('users')->ignore(auth()->id());

Related Analyzers

• Raw SQL Injection Analyzer
• SQL Injection Analyzer

References

• Laravel Documentation on Unique Rule Validation (opens new window)
• OWASP SQL Injection Guide (opens new window)
• OWASP SQL Injection Prevention Cheatsheet (opens new window)
• OWASP Blind SQL Injection Guide (opens new window)