Unique Rule SQL Injection Warning

Taylor Otwell
Taylor Otwell
Share:
  • ...
  • ...
  • ...

Yesterday I received an email from a security researcher pointing out the possibility of SQL injection when user controlled input is passed as the "exclude ID" parameter of Laravel's unique rule, such as:

Rule::unique('users')->ignore($request->input('id'))

The unique rule's "exclude ID" feature is intended to only accept system-generated IDs, such as auto-incrementing IDs or UUIDs generated by your application, which is the only way the documentation demonstrates using the rule:

Rule::unique('users')->ignore($user->id)

However, if users depart from the documented usage of the feature and allows user controlled data to specify the "exclude ID" value or column, a maliciously crafted request could lead to an SQL injection attack.

Therefore, we have added a red warning to the unique validation rule documentation pointing out that the rule should only be used as documented and warning users against allowing user controlled input as a parameter to this rule.

It may be possible for the framework to prevent SQL injection even when developers accidentally allow user controlled input to be passed to this rule. We will explore this thoroughly in an upcoming Laravel release.

The documentation for this rule may be viewed here: https://laravel.com/docs/5.8/validation#rule-unique

Latest Stories

Here’s what we've been up to recently.

Request a code sample

Certified Quality. Great Prices

We use cookies to improve your experience and to help us understand how you use our site. By using this site, you accept our use of cookies. Cookie Infox