As per unique rule, such as:
Rule::unique('users')->ignore($request->input('id'))
The unique rule's "exclude ID" feature is intended to only accept system-generated IDs, such as auto-incrementing IDs or UUIDs generated by your application, which is the only way the documentation demonstrates using the rule:
Rule::unique('users')->ignore($user->id)
However, if users depart from the documented usage of the feature and allow user-controlled data to specify the "exclude ID" value or column, a maliciously crafted request could lead to an SQL injection attack.
Therefore, we have added a red warning to the unique validation rule documentation pointing out that the rule should only be used as documented and warning users against allowing user-controlled input as a parameter to this rule.
It may be possible for the framework to prevent SQL injection even when developers accidentally allow user-controlled input to be passed to this rule. We will explore this thoroughly in an upcoming Laravel release.
The documentation for this rule may be viewed here: https://laravel.com/docs/5.8/validation#rule-unique
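The two usages contrasted above, placed side by side in a controller. This is an added example, not code from the Laravel documentation or framework; the controller name, the `email` field and the choice of the authenticated user as the record being edited are assumptions.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

// Hypothetical controller for this example (name and fields are assumed).
class ProfileController extends Controller
{
    // Departs from the documented usage: the "exclude ID" value is taken
    // directly from the request, so the client decides what reaches the rule.
    public function updateUnsafe(Request $request)
    {
        $request->validate([
            'email' => [
                'required',
                'email',
                Rule::unique('users')->ignore($request->input('id')),
            ],
        ]);
    }

    // Documented usage: the ID is read from a model the application loaded
    // itself, so it is always a system-generated key from the database.
    public function update(Request $request)
    {
        // Authenticated user resolved by the framework, not by request input.
        $user = $request->user();

        $validated = $request->validate([
            'email' => [
                'required',
                'email',
                Rule::unique('users')->ignore($user->id),
            ],
        ]);

        // Only the validated fields are written back to the record.
        $user->update($validated);

        return $user;
    }
}
```

When the record being edited is not the authenticated user, load it first (for example through route model binding) and pass that model's `id` to `ignore()`, rather than forwarding the request value.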
Source: Laravel Blogs