Unsafe SQL functions in Laravel

stitcher.io

My colleague Brent offers some more details on the intricacies of Laravel's query builder.

I recently learned that not all query builder functionality in Laravel is "safe". This means that user input shouldn't be passed directly to it, as it might expose your application to SQL injection vulnerabilities.

Read more [stitcher.io]

An important security release for laravel-query-builder original

by Freek Van der Herten – 4 minute read

Our laravel-query-builder package exposed a serious security issue: it allowed SQL injection attacks. Laravel Query Builder v1.17.1, which is now available, fixes the vulnerability. If you're using the package, stop reading now and upgrade to the latest version first. For Laravel 5.6, 5.7 and 5.8…

Read more

Join 9,500+ smart developers

Get my monthly newsletter with what I learn from running Spatie, building Oh Dear, and maintaining 300+ open source packages. Practical takes on Laravel, PHP, and AI that you can actually use.

No spam. Unsubscribe anytime. You can also follow me on X.

Laravel event projector v2 has been released original

by Freek Van der Herten – 18 minute read

Laravel event projector is a package that aims to be the entry point for event sourcing in Laravel. It can help you setting up aggregates, projectors and reactors. Earlier today our team released v2. This version streamlines the projectors and reactors from v1 and adds support for aggregates.

In this blogpost I'd like to explain a potential problem with traditionally built applications. After that we'll take a look at what projectors and aggregates are. Finally we'll walk through an example how you can create an aggregate laravel-event-projector.

Read more

The end of Extended Validation certificates

ma.ttias.be

Mattias Geniar argues that you shouldn't buy extended validation certificates.

You know those certificates you paid 5x more for than a normal one? The ones that are supposed to give you a green address bar with your company name imprinted on it? It's been mentioned before, but my take is the same: they're dead.

Read more [ma.ttias.be]

20 unknown gems of Laravel

meramustaqbil.com

KH. Jebran Ali lists a few cool Laravel tricks

Laravel is full of hidden gems that I have discovered during working on different tasks. Some of these gems were less-known or un-documented features, functions parameters and hacks. In this blog post I will share those hidden gems with you, let’s get started.

Read more [meramustaqbil.com]

Fake PHP version in composer

afilina.com

Anna Filina explains the handy platform option you can use in composer.json. It's a good idea to just use this in all of your projects.

Say you run the latest PHP version on your machine, but the server runs PHP 5.5. This means that when you decide to add a Composer package, it might propose a version that may not be installable on the server. The solution is surprisingly easy. You can instruct Composer to see the PHP version of your choosing.

Read more [afilina.com]

Tidying Up Your PHPUnit Tests with Data Providers

tighten.co

Over at the Tighten blog, Chris Trombley published a new post on how to use data providers in PHPUnit.

PHPUnit gives us a way to consolidate this common logic while varying our setup data, without losing the benefit of dedicated, smaller test methods. In this post, we'll explore PHPUnit's data providers. While data providers are available in any PHPUnit test suite, let's look at how they can help us tidy up our tests in a Laravel application.

Read more [tighten.co]

These cookie warning shenanigans have got to stop

www.troyhunt.com

I fully agree with Troy Hunt here.

So in summary, everyone clicks through cookie warnings anyway, if you read them you either can't understand what they're saying or the configuration of privacy settings is a nightmare, depending on where you are in the world you either don't get privacy or you don't get UX hell, if you understand the privacy risks then it's easy to open links incognito or use an ad blocker, you can still be tracked anyway and finally, the whole thing is just conditioning people to make bad security choices.

Read more [www.troyhunt.com]

Introducing Interia.js

reinink.ca

Jonathan Reinink is creating a library that'll make it easy to create server-driven single-page apps. Super cool idea!

I wanted to blend the best parts of classic server-side apps (routing, controllers, and ORM database access) with the best parts of single-page apps (JavaScript rendering and no full page reloads). Or, at least the best parts as I see them. ?

That journey has led me to a pretty interesting new pattern, which this article explains in detail. In short, I've created a Turbolinks inspired library that makes it super easy to create server-driven single-page apps. I am calling this library Inertia.js.

Read more [reinink.ca]