Added ` escapes around dynamic field names for db::raw calls

quentin.schmick · quentin.schmick · commit 63d080ed0382 · 2022-07-22T16:16:00.000-04:00
diff --git a/src/BaseFeatures/Filters/BaseFilter.php b/src/BaseFeatures/Filters/BaseFilter.php
@@ -146,4 +146,9 @@ public function toArray() : array
             'key' => $this->key(),
         ];
     }
+
+    protected static function escapeFieldName(string $field) : string
+    {
+        return '`' . implode('`.`', explode('.', $field)) . '`';
+    }
 }
diff --git a/src/BaseFeatures/Filters/ContainsFilter.php b/src/BaseFeatures/Filters/ContainsFilter.php
@@ -28,7 +28,7 @@ public function apply(Builder $builder, array $options = []) : Builder
      */
     public static function build(Builder $builder, mixed $field, mixed $value, string $action = 'where') : Builder
     {
-        return $builder->$action(DB::raw('COALESCE(' . $field . ", '')"), 'like', '%' . $value . '%');
+        return $builder->$action(DB::raw('COALESCE(' . self::escapeFieldName($field) . ", '')"), 'like', '%' . $value . '%');
     }
 
     /**
diff --git a/src/BaseFeatures/Filters/DoesNotContainFilter.php b/src/BaseFeatures/Filters/DoesNotContainFilter.php
@@ -28,7 +28,7 @@ public function apply(Builder $builder, array $options = []) : Builder
      */
     public static function build(Builder $builder, mixed $field, mixed $value, string $action = 'where') : Builder
     {
-        return $builder->$action(DB::raw('COALESCE(' . $field . ", '')"), 'not like', '%' . $value . '%');
+        return $builder->$action(DB::raw('COALESCE(' . self::escapeFieldName($field) . ", '')"), 'not like', '%' . $value . '%');
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -146,4 +146,9 @@ public function toArray() : array`
`146`	`146`	`'key' => $this->key(),`
`147`	`147`	`];`
`148`	`148`	`}`
	`149`	`+`
	`150`	`+ protected static function escapeFieldName(string $field) : string`
	`151`	`+ {`
	`152`	+ return '`' . implode('`.`', explode('.', $field)) . '`';
	`153`	`+ }`
`149`	`154`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ public function apply(Builder $builder, array $options = []) : Builder`
`28`	`28`	`*/`
`29`	`29`	`public static function build(Builder $builder, mixed $field, mixed $value, string $action = 'where') : Builder`
`30`	`30`	`{`
`31`		`- return $builder->$action(DB::raw('COALESCE(' . $field . ", '')"), 'like', '%' . $value . '%');`
	`31`	`+ return $builder->$action(DB::raw('COALESCE(' . self::escapeFieldName($field) . ", '')"), 'like', '%' . $value . '%');`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`/**`