Mar, 19 2019

Yesterday I received an email from a security researcher pointing out the possibility of SQL injection when user controlled input is passed as the "exclude ID" parameter of Laravel's unique rule, such as:

Rule::unique('users')->ignore($request->input('id'))

The unique rule's "exclude ID" feature is intended to only accept system-generated IDs, such as auto-incrementing IDs or UUIDs generated by your application, which is the only way the documentation demonstrates using the rule:

Rule::unique('users')->ignore($user->id)

However, if users depart from the documented usage of the feature and allows user controlled data to specify the "exclude ID" value or column, a maliciously crafted request could lead to an SQL injection attack.

Therefore, we have added a red warning to the unique validation rule documentation pointing out that the rule should only be used as documented and warning users against allowing user controlled input as a parameter to this rule.

It may be possible for the framework to prevent SQL injection even when developers accidentally allow user controlled input to be passed to this rule. We will explore this thoroughly in an upcoming Laravel release.

The documentation for this rule may be viewed here: https://laravel.com/docs/5.8/validation#rule-unique