SQL injection using length input

[Ahmed-Elrayes]

Summary of problem or feature request

So my friends are using this package and seems like someone have been using sql injection on them after tons of investigations and using telescope to see what's going on, seems like the length input isn't validated as numeric at all.

Code snippet of problem

System details

• Operating System: Windows Server 2022
• PHP Version: 8:0:30
• Laravel Version: 8.0
• Laravel-Datatables Version: 1.5
• Laravel Datatables Oracle Version: 9.8

[yajra]

Thanks for reporting, I think this is already fixed in versions 10 & 11 as it ensures that int is returned for length.

    public function length(): int
    {
        $length = $this->request->input('length', 10);

        return is_numeric($length) ? intval($length) : 10;
    }

Please upgrade to at least 10.x version.

[yajra]

If you can't upgrade for some reason, feel free to submit a PR to the 9.0 branch. Thanks!

[jonjieviduya]

@yajra Is there any breaking changes when we upgrade to 10.x version? I'm currently using laravel8. And I also noticed that the website documentation is down.

[yajra]

The docs site is fixed. I think there is not much-breaking change from 9.x to 10.x and 11.x

[github-actions[bot]]

This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.