mmeyer2k/laravel-sqli-guard
Composer 安装命令:
composer require mmeyer2k/laravel-sqli-guard
包简介
SQL injection prevention plugin for laravel
README 文档
README
A Laravel plugin that forces usage of PDO parameterization and strongly protects against SQL injection attacks.
This package should not be used as a replacement for writing secure queries! See Caveats.
Install
composer require mmeyer2k/laravel-sqli-guard
The service provider is auto-discovered. No manual registration needed.
Configuration
Publish the config file to customize behavior:
php artisan vendor:publish --tag=sqliguard-config
This creates config/sqliguard.php with the following options:
| Option | Default | Description |
|---|---|---|
enabled |
true |
Master switch to enable/disable the guard |
log_blocked |
true |
Log blocked queries at warning level |
strict_mode |
false |
Enable additional patterns (char(, ;) that may cause false positives |
extra_needles |
[] |
Additional patterns to block (strings or regex) |
disabled_needles |
[] |
Built-in patterns to skip if they cause false positives |
All options can be set via environment variables:
SQLIGUARD_ENABLED=true SQLIGUARD_LOG=true SQLIGUARD_STRICT=false
Usage
This plugin works by checking query strings for unsafe character sequences during the query preparation phase.
The query below will throw an Illuminate\Database\QueryException (caused by SqlInjectionException) due to the presence of the single quotation mark character in the query string.
DB::select("select * from users where id = '$unsafe'");
To make this query safe and avoid an exception, use parameterized queries:
DB::select("select * from users where id = ?", [$unsafe]);
Overriding Protection
Scoped (recommended)
Use withoutProtection() to temporarily disable the guard. Protection is always restored, even if an exception occurs:
use Mmeyer2k\LaravelSqliGuard\SqliGuard; $result = SqliGuard::withoutProtection(function () { return DB::select("select version()"); });
Manual
use Mmeyer2k\LaravelSqliGuard\SqliGuard; SqliGuard::allowUnsafe(); // Execute queries that would normally be blocked SqliGuard::blockUnsafe();
Warning: If an exception is thrown between allowUnsafe() and blockUnsafe(), protection remains disabled for the rest of the request. Prefer withoutProtection() instead.
Forbidden Character Sequences
Default patterns (always active)
| Pattern | Reason |
|---|---|
' |
The single quotation mark is the most fundamental SQL injection vector. |
" |
Double quotes can also enable injection in certain contexts. |
0x |
Hexadecimal literals are used to bypass WAFs looking for quoted sequences. |
--, #, /*, */ |
Comments can manipulate query logic. Use raw PDO parameters for binary values. |
@@ |
System variable access (@@version, @@datadir) used for enumeration. |
sleep( |
Blind timing attacks and connection exhaustion DDoS. |
benchmark( |
Timing attacks and CPU exhaustion DDoS. |
version( |
Database version probing to refine attacks. |
load_file( |
Read arbitrary files from the server filesystem. |
into outfile / into dumpfile |
Write files to the server (webshell deployment). |
extractvalue( |
XML error-based blind injection in MySQL. |
updatexml( |
XML error-based blind injection in MySQL. |
/\(.*select.*information_schema.*information_schema.*\)/ |
Blocks DDoS via compound information_schema subqueries. |
Strict mode patterns (opt-in)
Enable with SQLIGUARD_STRICT=true or 'strict_mode' => true in config.
| Pattern | Reason |
|---|---|
char( |
Construct strings from character codes to bypass quote filtering. |
; |
Stacked queries / second-order injection. |
Events & Logging
Logging
When log_blocked is enabled, blocked queries are logged at the warning level with the matched needle and full query string.
Events
A Mmeyer2k\LaravelSqliGuard\Events\QueryBlocked event is dispatched whenever a query is blocked. Listen for it to integrate with your alerting:
use Mmeyer2k\LaravelSqliGuard\Events\QueryBlocked; Event::listen(QueryBlocked::class, function (QueryBlocked $event) { // $event->needle — the pattern that matched // $event->query — the full query string // Send to Slack, PagerDuty, etc. });
Exception handling
Blocked queries throw Mmeyer2k\LaravelSqliGuard\SqlInjectionException (wrapped in Laravel's QueryException). You can catch it specifically:
use Mmeyer2k\LaravelSqliGuard\SqlInjectionException; try { DB::select($query); } catch (\Illuminate\Database\QueryException $e) { if ($e->getPrevious() instanceof SqlInjectionException) { // Handle SQL injection attempt } }
Laravel Octane Support
The guard automatically resets its state between Octane requests, preventing state leakage across long-lived workers. No additional configuration is needed.
Query Normalization
Queries are normalized before inspection to prevent evasion:
- Null bytes are stripped (
\0) - Converted to lowercase
- Whitespace is collapsed
- Spaces before parentheses are removed
Caveats
Unfortunately, not all SQL injection scenarios can be blocked by this inspection.
Queries that blindly accept user input can still be manipulated to subvert your application, leak data, or cause denial of service.
A query that returns data can be manipulated to leak records. Consider this poorly written hypothetical API controller route:
function users() { $id = request('id'); return json_encode(DB::select("select * from users where id = $id")); }
If the query string ?id=1 or id > 1 is given, all records will be returned.
Depending on the context, this could be a major security issue.
Another concern is that some DDoS attacks are possible if the attacker knows, or can guess, information about the data schema.
Again using the above function as an example, but now the query string id= (SELECT COUNT(*) FROM users A, users B, users C, ...) is sent.
CPU exhaustion can occur if there are many rows in the specified table(s), or if the number of junctions is high.
A similar attack is possible against information_schema, but it requires no knowledge.
Requirements
- PHP 8.1+
- Laravel 9.x, 10.x, 11.x, or 12.x
mmeyer2k/laravel-sqli-guard 适用场景与选型建议
mmeyer2k/laravel-sqli-guard 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 2.46k 次下载、GitHub Stars 达 1, 最近一次更新时间为 2022 年 03 月 10 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「laravel」 「sqli」 「waf」 「sql-injection」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 mmeyer2k/laravel-sqli-guard 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 mmeyer2k/laravel-sqli-guard 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 mmeyer2k/laravel-sqli-guard 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Provide a way to secure accesses to all routes of an symfony application.
It's a barebone security class written on PHP
A Laravel Artisan SQL Interactive Interface
Contao CMS integrity check for some files
A simple but very effective PHP firewall. It enables you to easily block most SQL and XSS injections. It also includes a white-/blacklisting of IP's and throttling request using Leaky Bucket.
A PHP security linter to detect insecure functions like var_dump, print_r, and other dangerous functions in your codebase
统计信息
- 总下载量: 2.46k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 1
- 点击次数: 20
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2022-03-10