Security

SQL Injection, XSS, and CSRF: How I Defend Against All Three in One Sprint

5 min read

How to tackle SQL injection, XSS, and CSRF in one sprint — a real developer's approach.

Tags: web security, laravel, next.js, cybersecurity, security audits

Last month, I had a client in Abu Dhabi—a mid-sized logistics company—ask me to secure their Laravel/Next.js platform before launch. They wanted SQL injection, XSS, and CSRF defense done in a single two-week sprint. I told them it was possible but warned it’d require breaking some code and rerouting workflows. By the end? The app wasn’t just secure; it became a template for future projects.

SQL Injection: Why I Stop Using Raw Queries Cold Turkey

Every time I see DB::select in a Laravel app, I cringe. Yes, Eloquent is slower for complex queries, but parameterized statements are non-negotiable. For this sprint, I replaced all raw SQL with $request->input() filters and where() clauses. When I had to keep a raw query for a reporting dashboard (against my better judgment), I forced myself to test it with 1=1-- injection payloads. It failed gloriously—thankfully in staging.

To sanitize inputs further, I added regex rules in Laravel’s FormRequest files. For example:

```php
'invoice_number' => 'required|regex:/^\w{8,20}$/'
```

If I had to keep raw SQL, I'd escape the values myself with pg_escape_string() (the PostgreSQL escaping function from PHP's pgsql extension) instead of hoping Laravel's query builder would handle it.

I also made it a rule: no exceptions. If a query required dynamic SQL, we refactored it. No “just this once” moves.
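As an added example (not code from the post or the client's project), here is the staging test described above in plain PHP with PDO over an in-memory SQLite table, no Laravel required: the raw-concatenation query that DB::select-style code produces, beside the bound-parameter version and the regex rule from the FormRequest. The invoices table and its two rows are constructed for the demo.

```php
<?php
// Constructed sample data: an invoices table with two owners.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE invoices (id INTEGER PRIMARY KEY, invoice_number TEXT, owner_id INTEGER)");
$pdo->exec("INSERT INTO invoices (invoice_number, owner_id) VALUES ('INV00001234', 1), ('INV00005678', 2)");

// Same check as the FormRequest rule 'required|regex:/^\w{8,20}$/'.
function validInvoiceNumber(string $value): bool
{
    return preg_match('/^\w{8,20}$/', $value) === 1;
}

// Vulnerable: the input is spliced into the SQL text, so quotes and comments
// in it become part of the statement (the pattern the sprint removed).
function findInvoicesRaw(PDO $pdo, string $invoiceNumber, int $ownerId): array
{
    $sql = "SELECT id FROM invoices WHERE invoice_number = '$invoiceNumber' AND owner_id = $ownerId";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: placeholders send the value as data, never as SQL syntax.
function findInvoicesBound(PDO $pdo, string $invoiceNumber, int $ownerId): array
{
    $stmt = $pdo->prepare("SELECT id FROM invoices WHERE invoice_number = ? AND owner_id = ?");
    $stmt->execute([$invoiceNumber, $ownerId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The 1=1-- payload from the staging test, run against both versions.
$payload = "' OR 1=1--";
var_dump(validInvoiceNumber($payload));         // false: rejected at validation, no query runs
var_dump(findInvoicesRaw($pdo, $payload, 1));   // both ids: the owner_id filter is commented out
var_dump(findInvoicesBound($pdo, $payload, 1)); // empty: no row has that literal invoice number
```

The raw version returns rows belonging to owner 2 even though the caller asked for owner 1; the bound version and the regex rule each stop it independently, which is why the post treats both as required.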

XSS Prevention: React Native and Next.js Are My Allies

This client’s app had a user-generated reviews section in React Native and a bilingual booking form in Next.js. Both areas were vulnerable to