Weekly Digest - June 22, 2026
Scott Keck-Warren • June 22, 2026
Summer is finally here!
Why Skipping Eloquent Doesn't Mean Skipping SQL Injection Protection
I wrote a LinkedIn post about ORMs and got some pushback. The most common objection was that if you skip Eloquent, you're opening yourself up to SQL injection. That's not true. The safety comes from prepared statements, not from the ORM sitting on top of them. This article walks through what unsafe raw SQL looks like, how prepared statements fix it, and how to use Laravel's DB facade without shooting yourself in the foot.
Stop Passing File Paths as Strings: A Quick Introduction to SplFileInfo
This one came from a real bug I hit years ago where string manipulation on a file path blew up silently because the file had no extension. PHP's built-in SplFileInfo class wraps a path in an object with typed methods, so your function signatures are more honest and bad input gets caught earlier. If you're still handing raw strings to file-handling functions, give this a few minutes.
The Creators Who 'Made It' Didn't Have a Breakthrough. They Just Never Stopped.
This one's over on The Steady Pack. Most advice about building an audience is really just advice about chasing a viral moment, but the creators still publishing three years from now aren't the ones who got discovered. They're the ones who built systems that made showing up easier than not showing up. Worth a read if you make any kind of content.
See you next Monday.