
Be careful with ddRawSql

A handy debugging tool with a few caveats

Joel Clermont
2026-02-05

Laravel's ddRawSql() is handy for debugging queries. It shows you a complete SQL statement with values interpolated for your Eloquent query.

User::where('email', '[email protected]')->ddRawSql();

// Outputs: select * from `users` where `email` = '[email protected]'

That output looks ready to paste into your MySQL console, but keep in mind it's not using prepared statements like Eloquent does.

The values are interpolated directly into the SQL string. Laravel escapes them, but it's not the same as proper parameter binding.

For debugging, this is usually fine. But here are a couple of notes of caution to consider:

Don't assume the output is injection-safe. The escaping is meant for display, not for protecting against malicious input.

Don't use it to build queries. That's not its intended use.
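To make the distinction concrete, here is an added example (not code from the post) that puts the display-only string from toRawSql() next to the parameterized statement and bindings the builder actually sends to the database. It assumes illuminate/database ^10.15 installed via Composer (the version that introduced toRawSql()) and uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not from the original post. Assumes illuminate/database ^10.15
// is installed via Composer; uses in-memory SQLite so it runs offline.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Capsule\Manager as Capsule;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Collection;

$capsule = new Capsule;
$capsule->addConnection(['driver' => 'sqlite', 'database' => ':memory:']);
$capsule->setAsGlobal();
$capsule->bootEloquent();

Capsule::schema()->create('users', function ($table) {
    $table->increments('id');
    $table->string('email');
});

class User extends Model
{
    protected $table = 'users';
    public $timestamps = false;
    protected $guarded = [];
}

// Constructed sample row; the apostrophe is deliberate so the quoting is visible.
User::create(['email' => "o'reilly@example.com"]);

// Constructed "user input" containing a quote character.
$input = "o'reilly@example.com";
$query = User::where('email', $input);

// What ddRawSql() would print (without the dd): values interpolated for display.
echo 'raw (display only): ' . $query->toRawSql() . PHP_EOL;

// What the database actually receives: a placeholder plus a separate binding.
echo 'prepared: ' . $query->toSql() . PHP_EOL;
echo 'bindings: ' . json_encode($query->getBindings()) . PHP_EOL;

// Hypothetical helper: log the readable form, but always execute the bound form.
function logAndRun(Builder $q): Collection
{
    error_log('[debug sql] ' . $q->toRawSql()); // readable string goes to the log
    return $q->get();                            // value travels as a binding
}

echo 'matched rows: ' . logAndRun(User::where('email', $input))->count() . PHP_EOL;
```

The raw string is what you paste into a console while debugging; the toSql()/getBindings() pair is what you should reach for if you ever need to hand a query to another layer.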

ddRawSql() is great for quick debugging during development. Just be thoughtful about where that output ends up.

Here to help,

Joel

P.S. Security is about small decisions made consistently. Get our free security book for more Laravel security tips.
