How do you protect against SQL injection when using whereRaw?

[damiencamilleri]

What is the correct way to protect against SQL injection when using whereRaw? From the syntax in the documentation, new Query("Posts").WhereRaw("lower(Title) = ?", "sql"); , I would have expected escaping/handling/paramaterization of the value using the placeholder '?'; However, I believe this is just still string concatenated formation of the query and offers no protection?

Any advise?

[ahmad-moussawi]

The ? placeholders will be converted to params binding,
There is no string concatenation here.

make sure you are using the SqlResult.Sql and SqlResult.Bindings to execute your query (or use the SqlKata.Execution package)