Possible risks of the limit method

[huangdijia]

Laravel Version

latest

PHP Version

8.x

Database Driver & Version

No response

Description

framework/src/Illuminate/Database/Query/Builder.php

Lines 2767 to 2776 in a306193

	public function limit($value)
	{
	$property = $this->unions ? 'unionLimit' : 'limit';
	if ($value >= 0) {
	$this->$property = ! is_null($value) ? (int) $value : null;
	}
	return $this;
	}

The example codes:

User::where(...)->limit($request->input('limit'))->update(...);

If "limit" is mistakenly passed as -1, it means that all data will be updated.

I believe that when the input value is less than 0, it should not be ignored directly but should throw an exception instead.

Steps To Reproduce

No need to provide reproduction steps

[macropay-solutions]

Hi.
You SHOULD ALWAYS validate the request.
Example https://github.com/macropay-solutions/laravel-crud-wizard-free/blob/670949aeb85f4067825838e86569bd649ed2c708/src/Http/Controllers/ResourceControllerTrait.php#L366

About the exception part, it is better to put it 0 than to throw something.

[macropay-solutions]

In our example the limit being array or file will throw php exception which will result in empty response. For string or integer it will use the max response.

[huangdijia]

In our example the limit being array or file will throw php exception which will result in empty response. For string or integer it will use the max response.

I very much agree with you. Never trust user input.

But I still feel that a method should not have two functions that violate a single principle of design principles.

[flc1125]

From past experience, helping users make choices can sometimes hide the problem, making it undetectable.

Therefore, I also agree with the approach of throwing exceptions. Or bringing the "problem" to SQL to decide how to handle it.