Protect insert from sql injection

Dylan-DutchAndBold · Dylan-DutchAndBold · commit 0afe1cb70a89 · 2018-06-05T21:31:00.000+02:00
diff --git a/src/Eloquent/BaseBuilder.php b/src/Eloquent/BaseBuilder.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace Grimzy\LaravelMysqlSpatial\Eloquent;
+
+use \Illuminate\Database\Query\Builder;
+
+class BaseBuilder extends Builder
+{
+    /**
+     * Remove all of the expressions from a list of bindings.
+     *
+     * @param  array  $bindings
+     * @return array
+     */
+    protected function cleanBindings(array $bindings)
+    {
+        $bindings = array_map(function ($binding) {
+            return $binding instanceof SpatialExpression ? $binding->getSpatialValue() : $binding;
+        }, $bindings);
+
+        return parent::cleanBindings($bindings);
+    }
+}
diff --git a/src/Eloquent/Builder.php b/src/Eloquent/Builder.php
@@ -20,6 +20,6 @@ public function update(array $values)
 
     protected function asWKT(GeometryInterface $geometry)
     {
-        return $this->getQuery()->raw("ST_GeomFromText('".$geometry->toWKT()."')");
+        return new SpatialExpression($geometry);
     }
 }
diff --git a/src/Eloquent/SpatialExpression.php b/src/Eloquent/SpatialExpression.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace Grimzy\LaravelMysqlSpatial\Eloquent;
+
+use Illuminate\Database\Query\Expression;
+
+class SpatialExpression extends Expression
+{
+    public function getValue()
+    {
+        return 'ST_GeomFromText(?)';
+    }
+
+    public function getSpatialValue()
+    {
+        return $this->value->toWkt();
+    }
+}
diff --git a/src/Eloquent/SpatialTrait.php b/src/Eloquent/SpatialTrait.php
@@ -61,12 +61,21 @@ public function newEloquentBuilder($query)
         return new Builder($query);
     }
 
+    protected function newBaseQueryBuilder()
+    {
+        $connection = $this->getConnection();
+
+        return new BaseBuilder(
+            $connection, $connection->getQueryGrammar(), $connection->getPostProcessor()
+        );
+    }
+
     protected function performInsert(EloquentBuilder $query, array $options = [])
     {
         foreach ($this->attributes as $key => $value) {
             if ($value instanceof GeometryInterface) {
                 $this->geometries[$key] = $value; //Preserve the geometry objects prior to the insert
-                $this->attributes[$key] = $this->getConnection()->raw(sprintf("ST_GeomFromText('%s')", $value->toWKT()));
+                $this->attributes[$key] = new SpatialExpression($value);
             }
         }
 

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,6 @@ public function update(array $values)`
`20`	`20`
`21`	`21`	`protected function asWKT(GeometryInterface $geometry)`
`22`	`22`	`{`
`23`		`- return $this->getQuery()->raw("ST_GeomFromText('".$geometry->toWKT()."')");`
	`23`	`+ return new SpatialExpression($geometry);`
`24`	`24`	`}`
`25`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -61,12 +61,21 @@ public function newEloquentBuilder($query)`
`61`	`61`	`return new Builder($query);`
`62`	`62`	`}`
`63`	`63`
	`64`	`+ protected function newBaseQueryBuilder()`
	`65`	`+ {`
	`66`	`+ $connection = $this->getConnection();`
	`67`	`+`
	`68`	`+ return new BaseBuilder(`
	`69`	`+ $connection, $connection->getQueryGrammar(), $connection->getPostProcessor()`
	`70`	`+ );`
	`71`	`+ }`
	`72`	`+`
`64`	`73`	`protected function performInsert(EloquentBuilder $query, array $options = [])`
`65`	`74`	`{`
`66`	`75`	`foreach ($this->attributes as $key => $value) {`
`67`	`76`	`if ($value instanceof GeometryInterface) {`
`68`	`77`	`$this->geometries[$key] = $value; //Preserve the geometry objects prior to the insert`
`69`		`- $this->attributes[$key] = $this->getConnection()->raw(sprintf("ST_GeomFromText('%s')", $value->toWKT()));`
	`78`	`+ $this->attributes[$key] = new SpatialExpression($value);`
`70`	`79`	`}`
`71`	`80`	`}`
`72`	`81`