Headline
CVE-2021-21263: illuminate/database - Packagist
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding vulnerability. The same issue applies to the illuminate/database package, which Laravel uses. If a request is crafted so that a field which is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations this will simply cause the query builder to return no results; however, certain queries could be affected in a way that causes them to return unexpected results.
README
The Illuminate Database component is a full database toolkit for PHP, providing an expressive query builder, ActiveRecord style ORM, and schema builder. It currently supports MySQL, Postgres, SQL Server, and SQLite. It also serves as the database layer of the Laravel PHP framework.
Usage Instructions
First, create a new "Capsule" manager instance. Capsule aims to make configuring the library for usage outside of the Laravel framework as easy as possible.

    use Illuminate\Database\Capsule\Manager as Capsule;
    use Illuminate\Events\Dispatcher;
    use Illuminate\Container\Container;

    $capsule = new Capsule;

    $capsule->addConnection([
        'driver'    => 'mysql',
        'host'      => 'localhost',
        'database'  => 'database',
        'username'  => 'root',
        'password'  => 'password',
        'charset'   => 'utf8',
        'collation' => 'utf8_unicode_ci',
        'prefix'    => '',
    ]);

    // Set the event dispatcher used by Eloquent models... (optional)
    $capsule->setEventDispatcher(new Dispatcher(new Container));

    // Make this Capsule instance available globally via static methods... (optional)
    $capsule->setAsGlobal();

    // Setup the Eloquent ORM... (optional; unless you've used setEventDispatcher())
    $capsule->bootEloquent();
Running `composer require "illuminate/events"` is required when you need to use observers with Eloquent.

Once the Capsule instance has been registered, you may use it like so:
Using The Query Builder
    $users = Capsule::table('users')->where('votes', '>', 100)->get();
Other core methods may be accessed directly from the Capsule in the same manner as from the DB facade:
    $results = Capsule::select('select * from users where id = ?', [1]);
Using The Schema Builder
    Capsule::schema()->create('users', function ($table) {
        $table->increments('id');
        $table->string('email')->unique();
        $table->timestamps();
    });
Using The Eloquent ORM
    class User extends Illuminate\Database\Eloquent\Model {}

    $users = User::where('votes', '>', 1)->get();
For further documentation on using the various database facilities this library provides, consult the Laravel framework documentation.
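The following is an added example (not from the advisory or the illuminate/database README) of the mitigation the advisory describes: a request field that the code treats as a single value is rejected if it arrives as an array, before it reaches the query builder, and the built query is checked for exactly one binding per placeholder. It reuses the Capsule setup from the README with an in-memory SQLite connection; the request arrays and the `scalarField` and `findUserByEmail` functions are constructed for this example.

```php
<?php
// Added example, not the project's own code. Assumes illuminate/database is
// installed via Composer; scalarField/findUserByEmail are constructed here.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Capsule\Manager as Capsule;

$capsule = new Capsule;
$capsule->addConnection(['driver' => 'sqlite', 'database' => ':memory:']);
$capsule->setAsGlobal();

Capsule::schema()->create('users', function ($table) {
    $table->increments('id');
    $table->string('email')->unique();
});
Capsule::table('users')->insert(['email' => 'alice@example.com']);

// The "validate or cast" step from the advisory: a field the code treats as a
// single value must be a scalar. An array (e.g. ?email[]=a&email[]=b) is
// rejected here instead of being handed to the query builder as a binding.
function scalarField(array $request, string $key): string
{
    if (!isset($request[$key]) || !is_scalar($request[$key])) {
        throw new InvalidArgumentException("Field '$key' must be a single scalar value");
    }
    return (string) $request[$key];
}

function findUserByEmail(array $request): ?object
{
    $query = Capsule::table('users')->where('email', '=', scalarField($request, 'email'));

    // Defence in depth: the number of bindings must equal the number of
    // placeholders; on an affected version, array input inflates the bindings.
    if (count($query->getBindings()) !== substr_count($query->toSql(), '?')) {
        throw new RuntimeException('Binding count does not match placeholders');
    }
    return $query->first();
}

// Constructed request inputs: a normal scalar field and an array field.
$user = findUserByEmail(['email' => 'alice@example.com']);
echo $user->email, PHP_EOL;

try {
    findUserByEmail(['email' => ['alice@example.com', 'bob@example.com']]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // rejected before any query is built
}
```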