Fix SQL Injection (Legacy & Modern) in Lumen

Lumen's lightweight nature doesn't excuse heavy-duty security failures. SQL Injection (SQLi) in this framework typically manifests when developers bypass the Eloquent ORM or use 'Raw' methods without parameter binding. Whether you're dealing with legacy DB::select calls or modern whereRaw expressions, the root cause is always the same: treating untrusted input as executable code instead of data.

The Vulnerable Pattern

// Legacy approach using raw concatenation
$id = $request->input('id');
$user = DB::select("SELECT * FROM users WHERE id = " . $id);
// Modern approach using whereRaw incorrectly
$status = $request->input(‘status’);
$results = User::whereRaw(“status = ’” . $status . ”’”)->get();

The Secure Implementation

The vulnerability exists because string interpolation allows an attacker to manipulate the query logic (e.g., passing '1 OR 1=1'). To remediate, use PDO parameter binding. By using '?' placeholders or named parameters and passing variables in a separate array, the database engine is instructed to treat the input strictly as a literal value. In Lumen, Eloquent handles this automatically for standard methods like find() or where(), but you must manually provide the bindings array when using any 'Raw' method.

// Modern Eloquent approach (Preferred)
$user = User::find($request->input('id'));
// Secure Parameterized Raw Query
$id = $request->input(‘id’);
$user = DB::select(“SELECT * FROM users WHERE id = ?”, [$id]);
// Secure whereRaw with Binding
$status = $request->input(‘status’);
$results = User::whereRaw(“status = ?”, [$status])->get();