承接 mmeyer2k/laravel-sqli-guard 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

mmeyer2k/laravel-sqli-guard

Composer 安装命令:

composer require mmeyer2k/laravel-sqli-guard

包简介

SQL injection prevention plugin for laravel

README 文档

README

A Laravel plugin that forces usage of PDO parameterization and strongly protects against SQL injection attacks.

This package should not be used as a replacement for writing secure queries! See Caveats.

Install

composer require mmeyer2k/laravel-sqli-guard

The service provider is auto-discovered. No manual registration needed.

Configuration

Publish the config file to customize behavior:

php artisan vendor:publish --tag=sqliguard-config

This creates config/sqliguard.php with the following options:

Option Default Description
enabled true Master switch to enable/disable the guard
log_blocked true Log blocked queries at warning level
strict_mode false Enable additional patterns (char(, ;) that may cause false positives
extra_needles [] Additional patterns to block (strings or regex)
disabled_needles [] Built-in patterns to skip if they cause false positives

All options can be set via environment variables:

SQLIGUARD_ENABLED=true
SQLIGUARD_LOG=true
SQLIGUARD_STRICT=false

Usage

This plugin works by checking query strings for unsafe character sequences during the query preparation phase.

The query below will throw an Illuminate\Database\QueryException (caused by SqlInjectionException) due to the presence of the single quotation mark character in the query string.

DB::select("select * from users where id = '$unsafe'");

To make this query safe and avoid an exception, use parameterized queries:

DB::select("select * from users where id = ?", [$unsafe]);

Overriding Protection

Scoped (recommended)

Use withoutProtection() to temporarily disable the guard. Protection is always restored, even if an exception occurs:

use Mmeyer2k\LaravelSqliGuard\SqliGuard;

$result = SqliGuard::withoutProtection(function () {
    return DB::select("select version()");
});

Manual

use Mmeyer2k\LaravelSqliGuard\SqliGuard;

SqliGuard::allowUnsafe();
// Execute queries that would normally be blocked
SqliGuard::blockUnsafe();

Warning: If an exception is thrown between allowUnsafe() and blockUnsafe(), protection remains disabled for the rest of the request. Prefer withoutProtection() instead.

Forbidden Character Sequences

Default patterns (always active)

Pattern Reason
' The single quotation mark is the most fundamental SQL injection vector.
" Double quotes can also enable injection in certain contexts.
0x Hexadecimal literals are used to bypass WAFs looking for quoted sequences.
--, #, /*, */ Comments can manipulate query logic. Use raw PDO parameters for binary values.
@@ System variable access (@@version, @@datadir) used for enumeration.
sleep( Blind timing attacks and connection exhaustion DDoS.
benchmark( Timing attacks and CPU exhaustion DDoS.
version( Database version probing to refine attacks.
load_file( Read arbitrary files from the server filesystem.
into outfile / into dumpfile Write files to the server (webshell deployment).
extractvalue( XML error-based blind injection in MySQL.
updatexml( XML error-based blind injection in MySQL.
/\(.*select.*information_schema.*information_schema.*\)/ Blocks DDoS via compound information_schema subqueries.

Strict mode patterns (opt-in)

Enable with SQLIGUARD_STRICT=true or 'strict_mode' => true in config.

Pattern Reason
char( Construct strings from character codes to bypass quote filtering.
; Stacked queries / second-order injection.

Events & Logging

Logging

When log_blocked is enabled, blocked queries are logged at the warning level with the matched needle and full query string.

Events

A Mmeyer2k\LaravelSqliGuard\Events\QueryBlocked event is dispatched whenever a query is blocked. Listen for it to integrate with your alerting:

use Mmeyer2k\LaravelSqliGuard\Events\QueryBlocked;

Event::listen(QueryBlocked::class, function (QueryBlocked $event) {
    // $event->needle — the pattern that matched
    // $event->query  — the full query string
    // Send to Slack, PagerDuty, etc.
});

Exception handling

Blocked queries throw Mmeyer2k\LaravelSqliGuard\SqlInjectionException (wrapped in Laravel's QueryException). You can catch it specifically:

use Mmeyer2k\LaravelSqliGuard\SqlInjectionException;

try {
    DB::select($query);
} catch (\Illuminate\Database\QueryException $e) {
    if ($e->getPrevious() instanceof SqlInjectionException) {
        // Handle SQL injection attempt
    }
}

Laravel Octane Support

The guard automatically resets its state between Octane requests, preventing state leakage across long-lived workers. No additional configuration is needed.

Query Normalization

Queries are normalized before inspection to prevent evasion:

  • Null bytes are stripped (\0)
  • Converted to lowercase
  • Whitespace is collapsed
  • Spaces before parentheses are removed

Caveats

Unfortunately, not all SQL injection scenarios can be blocked by this inspection.

Queries that blindly accept user input can still be manipulated to subvert your application, leak data, or cause denial of service.

A query that returns data can be manipulated to leak records. Consider this poorly written hypothetical API controller route:

function users()
{
    $id = request('id');

    return json_encode(DB::select("select * from users where id = $id"));
}

If the query string ?id=1 or id > 1 is given, all records will be returned. Depending on the context, this could be a major security issue.

Another concern is that some DDoS attacks are possible if the attacker knows, or can guess, information about the data schema. Again using the above function as an example, but now the query string id= (SELECT COUNT(*) FROM users A, users B, users C, ...) is sent. CPU exhaustion can occur if there are many rows in the specified table(s), or if the number of junctions is high. A similar attack is possible against information_schema, but it requires no knowledge.

Requirements

  • PHP 8.1+
  • Laravel 9.x, 10.x, 11.x, or 12.x

mmeyer2k/laravel-sqli-guard 适用场景与选型建议

mmeyer2k/laravel-sqli-guard 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 2.46k 次下载、GitHub Stars 达 1, 最近一次更新时间为 2022 年 03 月 10 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 「laravel」 「sqli」 「waf」 「sql-injection」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 mmeyer2k/laravel-sqli-guard 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 mmeyer2k/laravel-sqli-guard 我们能提供哪些服务?
定制开发 / 二次开发

基于 mmeyer2k/laravel-sqli-guard 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 2.46k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 1
  • 点击次数: 20
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 1
  • Watchers: 1
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2022-03-10