Most security bugs in production Laravel apps fall into five buckets.
1. SQL injection
Bad:
DB::select("SELECT * FROM users WHERE email = '$email'");
Good:
DB::select('SELECT * FROM users WHERE email = ?', [$email]);
// or: User::where('email', $email)->first();
The query builder binds every value for you. whereRaw, selectRaw, orderByRaw and DB::raw do not: anything you interpolate into them becomes SQL text, so pass values through the bindings array instead. Bindings protect values only. Column names and sort directions cannot be bound, so anything like ?sort=column from the client has to be checked against an allowlist before it reaches orderBy.
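The same lookup written the three safe ways, plus the one case bindings cannot cover, as an added example (not code from the original page). It assumes a users table with email, name and created_at columns; the controller and the `sort`/`dir` query parameters are illustrative.

```php
<?php
// Added example, not from the original page. Assumes a `users` table with
// `email`, `name` and `created_at`; the query-string names are made up here.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class UserSearchController
{
    // Bindings only protect *values*. Column names and sort directions are
    // spliced into the SQL text, so they are allowlisted rather than bound.
    private const SORTABLE = ['name', 'email', 'created_at'];

    public function index(Request $request)
    {
        $email = (string) $request->query('email', '');
        $sort  = (string) $request->query('sort', 'created_at');
        $dir   = strtolower((string) $request->query('dir', 'desc')) === 'asc' ? 'asc' : 'desc';

        if (! in_array($sort, self::SORTABLE, true)) {
            abort(422, 'Unknown sort column');
        }

        // 1. Query builder: the value is bound by the driver, never interpolated.
        $exact = User::where('email', $email)->first();

        // 2. Raw fragment that still takes a binding. The `?` is filled by PDO,
        //    so an input like  x' OR '1'='1  stays an ordinary string value.
        $caseInsensitive = User::whereRaw('LOWER(email) = ?', [strtolower($email)])
            ->orderBy($sort, $dir)   // both already allowlisted above
            ->limit(50)
            ->get();

        // 3. DB::select with a named binding, equivalent to the page's "Good" line.
        $rows = DB::select(
            'SELECT id, name FROM users WHERE email = :email',
            ['email' => $email]
        );

        return response()->json([
            'exact'   => $exact,
            'matches' => $caseInsensitive,
            'raw'     => $rows,
        ]);
    }
}
```

Note the sort handling: the query builder quotes identifiers, but quoting is not validation, so the allowlist is what keeps ?sort= from becoming an injection point even though no value is interpolated.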
2. Mass assignment
Bad:
User::create($request->all());
A malicious user can include is_admin=1 in their POST. Define $fillable on the model (and keep privilege columns such as is_admin out of it), or validate explicitly and pass only $request->validated(), which contains just the keys named in the rules. Setting $guarded = [] switches the protection off entirely.
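The whole path from request to model, as an added example (not code from the original page). It assumes a users table with name, email, password and is_admin columns; the request class, the `grant-admin` ability and the route name are illustrative. Four files are shown together.

```php
<?php
// Added example, not from the original page. Assumes a `users` table with
// name, email, password and is_admin; the ability and route names are made up.

// --- app/Http/Requests/StoreUserRequest.php ------------------------------
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class StoreUserRequest extends FormRequest
{
    public function rules(): array
    {
        // validated() returns only the keys listed here. is_admin is simply
        // absent, so an extra is_admin=1 in the body is dropped before the model
        // ever sees it.
        return [
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'unique:users,email'],
            'password' => ['required', 'string', 'min:12'],
        ];
    }
}

// --- app/Models/User.php --------------------------------------------------
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    // Second line of defence: even if a controller passes $request->all(),
    // only these columns can be mass-assigned. Never list is_admin here.
    protected $fillable = ['name', 'email', 'password'];

    protected $casts = [
        'password' => 'hashed',
        'is_admin' => 'boolean',
    ];
}

// --- app/Http/Controllers/UserController.php ------------------------------
namespace App\Http\Controllers;

use App\Http\Requests\StoreUserRequest;
use App\Models\User;

class UserController
{
    public function store(StoreUserRequest $request)
    {
        $user = User::create($request->validated());

        // Privilege flags come from server-side authorization, never from the
        // request body. forceFill bypasses $fillable on purpose and only runs
        // when the caller is allowed to grant the flag.
        if ($request->user()?->can('grant-admin')) {
            $user->forceFill(['is_admin' => $request->boolean('is_admin')])->save();
        }

        return redirect()->route('users.show', $user);
    }
}

// --- app/Providers/AppServiceProvider.php (boot) ---------------------------
namespace App\Providers;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Outside production, throw instead of silently discarding keys that
        // are not in $fillable, so the mismatch is noticed in development.
        Model::preventSilentlyDiscardingAttributes(! $this->app->isProduction());
    }
}
```

The FormRequest and $fillable are independent layers: the first decides what the endpoint accepts, the second what the model will ever write, and the is_admin decision happens in neither of them.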
3. Missing CSRF
Every state-changing request made with the session cookie (POST, PUT, PATCH, DELETE) needs the token: @csrf in forms, or the X-CSRF-TOKEN header for fetch/axios calls. The VerifyCsrfToken middleware rejects a missing or stale token with HTTP 419 (Page Expired); don't add the route to its $except list or remove the middleware to make the error go away. Token-authenticated APIs don't need CSRF because the browser never attaches a Sanctum bearer token on its own, so use Sanctum tokens there. Sanctum's cookie-based SPA mode is still session authentication and still requires the XSRF token on every mutating request.
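A view covering the three shapes a browser request takes, as an added example (not code from the original page). It is a Blade template; the route names and the $user variable are illustrative.

```php
{{-- resources/views/profile/edit.blade.php
     Added example, not from the original page. Route names and $user are
     assumed. --}}
<!doctype html>
<html>
<head>
    {{-- Expose the session token so JavaScript callers can send it. --}}
    <meta name="csrf-token" content="{{ csrf_token() }}">
</head>
<body>
    {{-- @csrf renders <input type="hidden" name="_token" value="...">.
         HTML forms only send GET and POST, so @method('PUT') adds a hidden
         _method field that the router reads to spoof the verb. The CSRF check
         runs on the POST before the verb is rewritten. --}}
    <form method="POST" action="{{ route('profile.update') }}">
        @csrf
        @method('PUT')
        <input type="text" name="name" value="{{ old('name', $user->name) }}">
        <button type="submit">Save</button>
    </form>

    <form method="POST" action="{{ route('profile.destroy') }}">
        @csrf
        @method('DELETE')
        <button type="submit">Delete account</button>
    </form>

    <script>
        // Same-origin JavaScript must send the token as well. VerifyCsrfToken
        // accepts it either as the _token field or the X-CSRF-TOKEN header.
        const token = document.querySelector('meta[name="csrf-token"]').content;

        document.getElementById('rename').addEventListener('click', () => {
            fetch('{{ route('profile.update') }}', {
                method: 'PUT',
                headers: {
                    'Content-Type': 'application/json',
                    'Accept': 'application/json',
                    'X-CSRF-TOKEN': token,
                },
                body: JSON.stringify({ name: 'New name' }),
            });
        });
    </script>
    <button id="rename" type="button">Rename via fetch</button>
</body>
</html>
```

The $except array on VerifyCsrfToken is for endpoints that are authenticated by something other than the session, such as a webhook verified by its own signature; it is not a fix for a 419 on a normal form.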
4. XSS via {!! !!}
Dangerous:
{!! $userBio !!}
Safe:
{{ $userBio }} {{-- escaped --}}
{{ }} escapes for the HTML body and for quoted attribute values only. It does not make a value safe inside <script> (use @json there) or as a URL (check the scheme, since escaping does not stop javascript: links). Reserve {!! !!} for HTML you generated from trusted input, or from user input that went through a sanitizer or a Markdown renderer configured to strip raw HTML; "it's Markdown" is not a sanitizer on its own, because Markdown allows inline HTML.
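One view that shows each output context and what is needed in it, as an added example (not code from the original page). It is a Blade template that assumes a $user with name, bio (Markdown typed by the user) and website fields, and that league/commonmark is installed, which Str::markdown requires.

```php
{{-- resources/views/users/show.blade.php
     Added example, not from the original page. Assumes $user has `name`,
     `bio` (user-typed Markdown) and `website`. --}}

{{-- 1. HTML body text. {{ }} runs htmlspecialchars with ENT_QUOTES, so
        <, >, &, " and ' are all encoded. --}}
<h1>{{ $user->name }}</h1>

{{-- 2. Attribute value. Safe ONLY because the attribute is quoted; an
        unquoted value="{{ $x }}" could be broken out of with a space. --}}
<input type="text" name="name" value="{{ $user->name }}">

{{-- 3. URL attribute. Escaping leaves javascript:alert(1) intact, so the
        scheme has to be checked before the value is used as an href. --}}
@php
    $site = (string) $user->website;
    $safeSite = \Illuminate\Support\Str::startsWith($site, ['http://', 'https://']) ? $site : null;
@endphp
@if ($safeSite)
    <a href="{{ $safeSite }}" rel="noopener noreferrer">{{ $safeSite }}</a>
@endif

{{-- 4. JavaScript context. {{ }} is HTML escaping, not JS escaping; @json
        encodes with the HEX flags so </script> or quotes cannot break out. --}}
<script>
    const profile = @json(['id' => $user->id, 'name' => $user->name]);
</script>

{{-- 5. User-supplied Markdown. Render with raw HTML stripped and unsafe link
        schemes disabled; only then is {!! !!} acceptable on user input. --}}
<div class="bio">
    {!! \Illuminate\Support\Str::markdown($user->bio, [
        'html_input'         => 'strip',
        'allow_unsafe_links' => false,
    ]) !!}
</div>
```

Case 5 is the one the original "trusted Markdown" advice is really about: the trust comes from the renderer's configuration, not from the fact that the input was Markdown.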
5. Weak password hashing
Bad:
'password' => md5($input)
Good:
'password' => Hash::make($input) // bcrypt by default
// or cast: protected $casts = ['password' => 'hashed'];
Use Hash::check() to verify. bcrypt embeds a random salt, so Hash::make($input) produces a different string every time and Hash::make($input) === $stored can never match; Hash::check reads the salt and cost out of the stored hash, re-derives, and compares in constant time. Auth::attempt() does this for you.
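A login handler written out by hand to show what Hash::check does and how to upgrade old hashes, as an added example (not code from the original page). It assumes a User model whose password column uses the 'hashed' cast and a session-based guard; the controller, the dashboard path and the dummy-password string are illustrative.

```php
<?php
// Added example, not from the original page. Assumes a User model with the
// 'hashed' cast on `password` and the default session guard.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class LoginController
{
    public function store(Request $request)
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        $user = User::where('email', $credentials['email'])->first();

        // Run a real bcrypt comparison even when the user does not exist, so the
        // response time does not reveal which e-mail addresses are registered.
        // The dummy hash is only there to equalise timing.
        $stored = $user?->password ?? Hash::make('dummy-password-for-timing');

        // Hash::check extracts salt and cost from $stored, re-derives the hash
        // from the submitted password and compares in constant time. A plain
        // Hash::make($input) === $stored would fail on every login.
        if ($user === null || ! Hash::check($credentials['password'], $stored)) {
            throw ValidationException::withMessages(['email' => 'Invalid credentials.']);
        }

        // If the cost in config/hashing.php was raised since this hash was made,
        // needsRehash() is true. Login is the only moment the plaintext is
        // available, so re-store it now; the 'hashed' cast hashes on assignment.
        if (Hash::needsRehash($stored)) {
            $user->forceFill(['password' => $credentials['password']])->save();
        }

        $request->session()->regenerate();   // prevent session fixation
        auth()->login($user);

        return redirect()->intended('/dashboard');
    }
}
```

Auth::attempt() performs the same Hash::check internally; the hand-written version is here to make the salt and constant-time comparison visible, and to show where a cost-factor upgrade fits.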