Eloquents attach association doesn't prevent sql injection

[SengPhirum]

When

// inject single quote in array
$partIds = ["1'", "2'"];

$model->cars()->attach($partIds);

Query will crash, so vulnerabilities will able to attack by sql injection

[mantas-done]

Seems fine. Your example doesn't show sql vulnerability.

[SengPhirum]

@mantas-done Can you test by pass role ids in request role_ids[]=1%27&role_ids[]=2%27
Then use like this
$user->roles()->attach($request->get('role_ids'))

Thanks for checking

[mantas-done]

No crash or sql injection.

[SengPhirum]

@mantas-done , are you test on Laravel Framework or Lumen? what laravel version you test?

I'm using : "laravel/lumen-framework": "5.8.*",

[mantas-done]

Laravel 5.8 isn't supported anymore (from yesterday). https://laravel.com/docs/master/releases

[SengPhirum]

@mantas-done , okay, I got it thanks

[robert-moore96]

When you say it crashed, what error did it give?

[SengPhirum]

@rs-sliske
[2020-02-27 08:59:29] local.ERROR: PDOException: SQLSTATE[01000]: Warning: 1265 Data truncated for column 'category_id' at row 1 in /var/www/html/service_source/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOStatement.php:117 Stack trace: #0 /var/www/html/service_source/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOStatement.php(117): PDOStatement->execute(NULL) #1 /var/www/html/service_source/vendor/illuminate/database/Connection.php(458): Doctrine\DBAL\Driver\PDOStatement->execute() #2 /var/www/html/service_source/vendor/illuminate/database/Connection.php(657): Illuminate\Database\Connection->Illuminate\Database\{closure}('insert into an...', Array)
#3 /var/www/html/service_source/vendor/illuminate/database/Connection.php(624): Illuminate\Database\Connection->runQueryCallback('insert into an...', Array, Object(Closure)) #4 /var/www/html/service_source/vendor/illuminate/database/Connection.php(459): Illuminate\Database\Connection->run('insert into an...', Array, Object(Closure))
#5 /var/www/html/service_source/vendor/illuminate/database/Connection.php(411): Illuminate\Database\Connection->statement('insert into an...', Array) #6 /var/www/html/service_source/vendor/illuminate/database/Query/Builder.php(2646): Illuminate\Database\Connection->insert('insert into an...', Array)
#7 /var/www/html/service_source/vendor/illuminate/database/Eloquent/Relations/Concerns/InteractsWithPivotTable.php(259): Illuminate\Database\Query\Builder->insert(Array)
#8 /var/www/html/service_source/app/Repositories/AnnouncementRepository.php(67): Illuminate\Database\Eloquent\Relations\BelongsToMany->attach(Array)
#9 /var/www/html/service_source/app/Http/Controllers/V1/AnnouncementController.php(83): App\Repositories\AnnouncementRepository->create(Array)
#10 [internal function]: App\Http\Controllers\V1\AnnouncementController->store(Object(Laravel\Lumen\Http\Request))`

[robert-moore96]

that error doesnt indicate sql injection, it is just that you dont have any validation to ensure that the values are correct type/size