validation unique()->ignore SQL injection

[mshamaseen]

According to the documentation:

You should never pass any user controlled request input into the ignore method. Instead, you should only pass a system generated unique ID such as an auto-incrementing ID or UUID from an Eloquent model instance. Otherwise, your application will be vulnerable to an SQL injection attack.

I was in a case where I needed to pass a user input to the ignore method, so I first tried to make a malicious input to make SQL injection, but no SQL injection happened!
After digging more into this, I can see the SQL parameters binding in the debug bar.

Which I assume means, the documentation is outdated, and the ignore does prevent SQL injection on user-controlled input.
Am I right? Or I'm missing anything?

[valorin]

It's possible the value passed into the ignore() method wasn't parameterised previously and documentation is outdated, but I'd still classify this as SQLi, since you can control what column is used within the query. Being able to manipulate the column in the query could then be abused to bypass the validator, or even to extract information from the database about other columns & records within the table.

[mshamaseen]

Do you mean choosing the column on the second argument of the ignore method?

I mean, if I'm just passing a user-controller variable in the first argument only, which checks for the match (Exactly like the where), it should be secure, am I right?

[valorin]

Ah! Yeah, I was referring the column input. Sorry, that what I thought you meant originally.

If your value is an numeric ID, I'd suggest casting to an int to to be paranoid. 🙂