
Fix SQL Injection (Legacy & Modern) in Slim

Slim Framework is a lightweight target for attackers when developers treat it like a raw PHP script. SQL Injection in Slim usually stems from direct string concatenation within routes or middleware. Whether you are using raw PDO or an ORM like Eloquent, the goal is simple: decouple the SQL command from the user-supplied data to neutralize the injection vector.

The Vulnerable Pattern

$app->get('/api/users/{id}', function ($request, $response, $args) {
    $id = $args['id'];
    // VULNERABLE: Direct concatenation of route arguments into the query string
    $sql = "SELECT username, email FROM users WHERE id = " . $id;
    $db = $this->get('db');
    $stmt = $db->query($sql);
    $user = $stmt->fetch();
    return $response->withJson($user);
});

The Secure Implementation

The vulnerability exists because the database engine cannot distinguish between the developer's SQL commands and the attacker's data when they are concatenated into a single string. By using PDO prepared statements, we send the SQL template and the data in separate packets; the data is bound as a literal and never executed. In modern Slim stacks, using an ORM like Eloquent abstracts this process entirely by using parameterization under the hood. Always validate that $args['id'] matches the expected type (e.g., integer) before processing to add a secondary layer of defense.

// Method 1: PDO Prepared Statements (Legacy/Standard)
$app->get('/api/users/{id}', function ($request, $response, $args) {
    $db = $this->get('db');
    $stmt = $db->prepare("SELECT username, email FROM users WHERE id = :id");
    $stmt->execute(['id' => $args['id']]);
    $user = $stmt->fetch();
    return $response->withJson($user);
});

// Method 2: Eloquent ORM (Modern)
// User is an Eloquent model class (its namespace depends on your application layout)
$app->get('/api/v2/users/{id}', function ($request, $response, $args) {
    // Eloquent builds the query with bound parameters internally; the id is never concatenated into SQL
    $user = User::findOrFail($args['id']);
    return $response->withJson($user);
});
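The following is an added example, not code from the GuardAPI page, showing the layered version of Method 1: a route pattern that only accepts digits, an explicit integer bind, and a PDO connection with emulated prepares disabled (with emulation on, PDO interpolates the value client-side instead of sending it separately from the SQL template). It assumes Slim 3, a Pimple container entry named `db`, a placeholder DSN and credentials, and the `users(id, username, email)` table from the page.

```php
<?php
// Added example (not from the original page): hardened Slim 3 route for
// /api/users/{id}. Assumes $app is a Slim\App instance and the `users`
// table has the columns (id, username, email).

use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Message\ResponseInterface as Response;

// Assumption: the PDO connection is registered in the Pimple container under 'db'.
$container = $app->getContainer();
$container['db'] = function () {
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'; // placeholder DSN
    return new PDO($dsn, 'app_user', getenv('DB_PASSWORD'), [   // placeholder credentials
        // Native server-side prepares: the SQL template and the bound values
        // travel separately. With emulation on (the MySQL driver default),
        // PDO escapes and interpolates the value on the client instead.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
};

// First layer: the FastRoute pattern only matches when {id} is all digits,
// so non-numeric input never reaches the handler at all.
$app->get('/api/users/{id:[0-9]+}', function (Request $request, Response $response, array $args) {
    // Second layer: cast to int and bind with an explicit integer type, so the
    // value can only ever be treated as data, never as part of the SQL text.
    $id = (int) $args['id'];
    if ($id <= 0) {
        return $response->withStatus(400)->withJson(['error' => 'invalid id']);
    }

    $db   = $this->get('db');
    $stmt = $db->prepare('SELECT username, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $user = $stmt->fetch();

    // Distinguish "no such user" from a query error instead of returning false as JSON.
    if ($user === false) {
        return $response->withStatus(404)->withJson(['error' => 'user not found']);
    }
    return $response->withJson($user);
});
```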
