Difference between DB::Table and DB::Select
No, the only difference here is the syntax. Yes, a DB::select
doesn't protect against SQL injection. But SQL injection is only a risk when you pass in user input. For example this is vulnerable to SQL injection:
DB::select('SELECT * FROM users WHERE name = "'.Input::get('name').'"');
Whereas this is not:
DB::table('users')->where('name', Input::get('name'))->get();
But also this isn't: (Using bindings "manually")
DB::select('SELECT * FROM users WHERE name = ?', array(Input::get('name')));
The great advantage of the query builder (besides automatically protecting against SQL injection) is it's flexible syntax. For example you could use a loop to add where
statements:
$query = DB::table('users');foreach($names as $name){ $query->orWhere('name', 'LIKE', $name.'%');}$result = $query->get();