Earlier this week, I explored whether user input in LIKE queries is properly escaped.
We saw that Eloquent properly uses prepared statements to prevent SQL injection, but one thing I didn't mention is that these prepared statements allow users to pass in % characters in their search term.
Is this a security issue?
No, it's not.
While % does influence the query behavior, it can only affect pattern matching within the LIKE clause itself.
It cannot break out of the string context, inject additional SQL statements, or access data outside the query's intended scope.
The OWASP SQL Injection cheat sheet confirms that parameterized queries protect against injection, regardless of special LIKE characters.
Thinking about this even further, I realized the unescaped % actually opens up a useful feature for power users of your application.
Let's say you have a search input for names, and we're using a LIKE operator in our WHERE clause, wrapped in % on both sides, so it matches the search term anywhere in the data.
Now think about a scenario where a user can't remember if the person was "Michael" or "Miguel".
Understanding how this all works, they could search for Mi%l and find both.
The LIKE query we're running doesn't block them from inserting their own wildcard characters on top of the ones we bake into the query.
Most users will never discover or need this, but for those who know about it and have a specific need, it could be just the tool to help them get the result they're looking for.
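To see both halves of this in one place, here is an added example (not code from the original post, and not Laravel's) using Python and SQLite as a stand-in for the Eloquent query: the user's text is bound as one parameter, so their % widens the match while a quote or `OR 1=1` can't escape the string. It also shows the optional `escape_like` helper for the case where you'd rather treat the user's text literally; the users table and names are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the application's users table.
SAMPLE_NAMES = ["Michael", "Miguel", "Mia", "Joel", "Sam"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def search_names(conn, term):
    """Parameterized LIKE, the same shape as where('name', 'like', '%'.$term.'%'):
    the wildcards we bake in and whatever the user typed are one bound value,
    so the user can widen the pattern but never leave the string context."""
    pattern = f"%{term}%"
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ORDER BY id", (pattern,)
    ).fetchall()
    return [r[0] for r in rows]


def escape_like(term, esc="\\"):
    """Optional: escape the LIKE metacharacters (% and _) and the escape
    character itself when the user's text should match literally."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_names_literal(conn, term):
    """Same query, but the user's % and _ are treated as plain characters."""
    pattern = f"%{escape_like(term)}%"
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY id", (pattern,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = make_db()
    print(search_names(conn, "Mi%l"))         # ['Michael', 'Miguel']
    print(search_names(conn, "' OR 1=1 --"))  # [] : stays inside the bound string
    print(search_names_literal(conn, "Mi%l"))  # [] : % matched as a literal
```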
Here to help,
Joel
P.S. Do you have an application you'd like reviewed for architecture and security? Our code reviews are affordable and you'll get results within a week. Learn more about our Laravel code review service.