What your framework never told you about SQL injection protections

We’ve discovered that SQL injection is to this day not a fully solved problem, even in most popular frameworks. In this post, we’ll explain how these frameworks fail at escaping parts of a query, culminating in the discovery of a critical vulnerability in the popular Laravel framework which affects a large percentage of applications. Let’s start with an innocent example, which provides the starting point of our journey. This is a typical simple use case: a filterable, sortable list.