If you suspect that $slug might be getting improperly sanitized, make sure it is being passed as a string. You can manually ensure that the value is correctly escaped using addslashes() or mysqli_real_escape_string() (although Laravel should handle this automatically):

$slug = addslashes($slug);