Difference between DB::Table and DB::Select


No, the only difference here is the syntax. Yes, a DB::select doesn't protect against SQL injection. But SQL injection is only a risk when you pass in user input. For example this is vulnerable to SQL injection:

DB::select('SELECT * FROM users WHERE name = "'.Input::get('name').'"');

Whereas this is not:

DB::table('users')->where('name', Input::get('name'))->get();

But this isn't either (using bindings "manually"):

DB::select('SELECT * FROM users WHERE name = ?', array(Input::get('name')));

The great advantage of the query builder (besides automatically protecting against SQL injection) is its flexible syntax. For example you could use a loop to add where statements:

$query = DB::table('users');

foreach ($names as $name) {
    $query->orWhere('name', 'LIKE', $name.'%');
}

$result = $query->get();
Author: Loko

Updated on July 09, 2022
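The answer's point is that both DB::select('... WHERE name = ?', [$name]) and the query builder hand the value to PDO as a bound parameter, so it can never be parsed as SQL. The following is an added example, not code from the answer or from Laravel: it uses plain PDO with an in-memory SQLite database (the same binding mechanism Laravel sits on) and constructed sample rows, and the function names findByName, escapeLike and findByPrefixes are assumptions. It also covers a caveat the LIKE loop in the answer does not mention: binding stops injection, but it does not stop a user-supplied `%` or `_` from acting as a LIKE wildcard, so a prefix search that must match literally needs those characters escaped as well.

```php
<?php
// Added example (not part of the original answer): plain PDO + SQLite in memory,
// i.e. the parameter binding that DB::select($sql, $bindings) and the query
// builder both use underneath.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample rows; the third name deliberately contains a double quote
// and LIKE wildcard characters.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
foreach (['alice', 'bob', 'o"neil_100%'] as $name) {
    $insert->execute([$name]);
}

/**
 * Equivalent of DB::select('SELECT ... WHERE name = ?', [$name]):
 * the value travels as a bound parameter and is never spliced into the SQL text.
 */
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Escape LIKE metacharacters so a user-supplied prefix matches literally.
 * Binding alone does not do this; the escape character itself must be escaped first.
 */
function escapeLike(string $value, string $escape = '\\'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

/**
 * Equivalent of the answer's loop of orWhere('name', 'LIKE', $name.'%'),
 * built here as a single bound statement with one placeholder per prefix.
 */
function findByPrefixes(PDO $pdo, array $prefixes): array
{
    if ($prefixes === []) {
        return [];
    }
    $clauses = array_fill(0, count($prefixes), "name LIKE ? ESCAPE '\\'");
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE ' . implode(' OR ', $clauses));
    $stmt->execute(array_map(fn ($p) => escapeLike($p) . '%', $prefixes));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The quote in the input is treated as data: one matching row, no SQL error.
var_dump(count(findByName($pdo, 'o"neil_100%')) === 1);   // bool(true)

// Without escapeLike, the prefix "o_" would match 'o"neil...' through the _ wildcard;
// with it, "o_" is matched literally and nothing comes back.
var_dump(count(findByPrefixes($pdo, ['o_'])) === 0);      // bool(true)

// Two literal prefixes, two rows (alice and o"neil_100%).
var_dump(count(findByPrefixes($pdo, ['al', 'o"'])) === 2); // bool(true)
```

Run it with any PHP 7.4+ build that has the pdo_sqlite extension. The same escaping applies when using the query builder: `->where('name', 'LIKE', $name.'%')` binds the value safely, but a `%` or `_` inside $name still widens the match unless you escape it and add an ESCAPE clause.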

Comments

  • Loko
    Loko almost 2 years

    At the moment I am using:

    DB::select('select * from users ');

    but now I'm reading on http://laravel.com/docs/4.2/queries

    about:

    $users = DB::table('users')->get();

    Both give back the same. Is there something different between these two?

    In the documentation it does say: Note: The Laravel query builder uses PDO parameter binding throughout to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.

    For the second method. Does this mean the first method doesn't protect you against SQL injection? Is the second method a better way? Both return the results in a different way as well right?

    Can I get some explanation about this?