== How to fix it in Laravel

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,php,diff-id=11,diff-type=noncompliant]
----
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class UserController extends Controller
{
    public function authenticate(Request $request)
    {
        $user = $request->input('user');
        $pass = $request->input('pass');

        $query = "SELECT * FROM users WHERE user = '" . $user . "' AND pass = '" . $pass . "'";

        $users = DB::select($query); // Noncompliant

        if (count($users) != 1)
        {
            abort(401);
        }

        return view('authenticated.index');
    }
}
----

==== Compliant solution

[source,php,diff-id=11,diff-type=compliant]
----
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class UserController extends Controller
{
    public function authenticate(Request $request)
    {
        $user = $request->input('user');
        $pass = $request->input('pass');

        $user_exists = DB::table('users')
                        ->where('user', $user)
                        ->where('pass', $pass)
                        ->exists();

        if (!$user_exists)
        {
            abort(401);
        }

        return view('authenticated.index');
    }
}
----

=== How does this work?

:secure_feature: Illuminate
:unsafe_function: DB::raw()

include::../../common/fix/secure-by-design.adoc[]