Raw queries opened a SQL injection

Marketplace, Laravel 10

Redacted case study. How unparameterised search queries on a live marketplace were found and replaced during a security sprint.

11 findings · 2 critical · 4 days turnaround

The challenge

A marketplace platform processing thousands of daily product searches wanted a security review ahead of Series A. Search, filter, and sort endpoints used raw DB::select calls composed from unvalidated request parameters.

The approach

A four-day Laravel Security Audit covering database-layer code, route middleware, auth flows, and third-party package versions.

What we found

The product search endpoint interpolated sort and category parameters directly into the query string:

```php
// flagged: category and sort are both interpolated straight from the request
DB::select("SELECT * FROM products WHERE category = '{$request->category}' ORDER BY {$request->sort}");

// fix: category is passed as a bound parameter
// (the sort column is handled separately by an allowed-list helper, see "The result")
DB::select('SELECT * FROM products WHERE category = ?', [$request->category]);
```

Sending category=' OR '1'='1 turned the WHERE clause into category = '' OR '1'='1' and returned the full product catalogue. The sort parameter was a second, independent injection point: it was interpolated into ORDER BY with no allowed-list, and ORDER BY takes column names and expressions, which cannot be supplied as bound parameters. Binding the category value alone would therefore have left an attacker able to inject arbitrary expressions into the sort clause, for example to infer data row by row from the resulting order.

The result

Every raw query replaced with bound parameters or query builder equivalents. The sort column restricted via an allowed-list helper. Retested and passed within the sprint window.
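As an added worked example, not code from the case study or the client's Laravel codebase, the script below reproduces the three stages described above against an in-memory SQLite table: the fully interpolated query, the half-fix that binds only the category, and the full fix with an allowed-listed sort clause. Python's sqlite3 stands in for Laravel's DB::select so it runs stand-alone; the product rows, the allowed-list keys and the helper names are constructed for illustration and are not the case study's own.

```python
import sqlite3

# Constructed sample catalogue (the marketplace's real data is not on the page).
PRODUCTS = [
    (1, "Walnut desk", "furniture", 420.00),
    (2, "Oak chair", "furniture", 95.00),
    (3, "Brass lamp", "lighting", 60.00),
    (4, "LED strip", "lighting", 18.50),
    (5, "Wool rug", "textiles", 210.00),
]

# Hypothetical allowed-list: client-facing sort keys mapped to fixed SQL fragments.
# The client never supplies an identifier; it supplies a key we look up.
ALLOWED_SORT = {
    "name": "name ASC",
    "price": "price ASC",
    "price_desc": "price DESC",
}
DEFAULT_SORT = "name"

# Payload from the case study.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, category: str, sort: str) -> list:
    # Mirrors the flagged DB::select: both request values interpolated into SQL.
    sql = f"SELECT * FROM products WHERE category = '{category}' ORDER BY {sort}"
    return conn.execute(sql).fetchall()


def search_bound_category_only(conn, category: str, sort: str) -> list:
    # Half-fix: category is bound, but sort is still interpolated into ORDER BY.
    sql = f"SELECT * FROM products WHERE category = ? ORDER BY {sort}"
    return conn.execute(sql, (category,)).fetchall()


def safe_sort_clause(sort: str) -> str:
    # ORDER BY cannot take a bound parameter, so the sort key is resolved
    # against the allowed-list; anything unknown falls back to the default.
    return ALLOWED_SORT.get(sort, ALLOWED_SORT[DEFAULT_SORT])


def search_safe(conn, category: str, sort: str) -> list:
    # Full fix: bound category plus an allowed-listed ORDER BY fragment.
    # The f-string only ever receives one of the fixed strings in ALLOWED_SORT.
    sql = f"SELECT * FROM products WHERE category = ? ORDER BY {safe_sort_clause(sort)}"
    return conn.execute(sql, (category,)).fetchall()


def order_by_oracle(conn, search, condition_sql: str) -> bool:
    # Boolean inference through ORDER BY: the attacker controls the sort
    # expression, so the order of the returned rows reveals whether the
    # condition is true. Works against any search() that interpolates sort.
    sort = f"(CASE WHEN ({condition_sql}) THEN id ELSE -id END)"
    rows = search(conn, "furniture", sort)
    return rows[0][0] == 1  # id 1 sorts first only when the condition holds


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_rows": len(search_vulnerable(conn, PAYLOAD, "name")),  # whole catalogue
        "safe_rows": len(search_safe(conn, PAYLOAD, "name")),  # payload is just a literal
        "honest_rows": len(search_safe(conn, "lighting", "price")),  # normal use still works
    }


if __name__ == "__main__":
    db = make_db()
    print(demo())
    print("count is 5?", order_by_oracle(db, search_bound_category_only, "(SELECT count(*) FROM products) = 5"))
    print("count is 6?", order_by_oracle(db, search_bound_category_only, "(SELECT count(*) FROM products) = 6"))
    print("oracle vs full fix:", order_by_oracle(db, search_safe, "(SELECT count(*) FROM products) = 5"))
```

The oracle calls make the case for the allowed-list: with only the category bound, an attacker still learns one bit per request from the row order, while the fully fixed query ignores the injected expression and sorts by the default key. Mapping client keys to fixed fragments, rather than checking a column name against a list and then interpolating it, also keeps the sort direction out of attacker hands.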

Get the same review for your app.

Book an AI-Code Audit Sprint.