Added ` escapes around dynamic field names for db::raw calls

always-open · Jul 22, 2022 · 63d080e · 63d080e
1 parent 2cb3717
commit 63d080e
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/src/BaseFeatures/Filters/BaseFilter.php b/src/BaseFeatures/Filters/BaseFilter.php
@@ -146,4 +146,9 @@ public function toArray() : array
             'key' => $this->key(),
         ];
     }
+
+    protected static function escapeFieldName(string $field) : string
+    {
+        return '`' . implode('`.`', explode('.', $field)) . '`';
+    }
 }
diff --git a/src/BaseFeatures/Filters/ContainsFilter.php b/src/BaseFeatures/Filters/ContainsFilter.php
@@ -28,7 +28,7 @@ public function apply(Builder $builder, array $options = []) : Builder
      */
     public static function build(Builder $builder, mixed $field, mixed $value, string $action = 'where') : Builder
     {
-        return $builder->$action(DB::raw('COALESCE(' . $field . ", '')"), 'like', '%' . $value . '%');
+        return $builder->$action(DB::raw('COALESCE(' . self::escapeFieldName($field) . ", '')"), 'like', '%' . $value . '%');
     }
 
     /**

diff --git a/src/BaseFeatures/Filters/DoesNotContainFilter.php b/src/BaseFeatures/Filters/DoesNotContainFilter.php
@@ -28,7 +28,7 @@ public function apply(Builder $builder, array $options = []) : Builder
      */
     public static function build(Builder $builder, mixed $field, mixed $value, string $action = 'where') : Builder
     {
-        return $builder->$action(DB::raw('COALESCE(' . $field . ", '')"), 'not like', '%' . $value . '%');
+        return $builder->$action(DB::raw('COALESCE(' . self::escapeFieldName($field) . ", '')"), 'not like', '%' . $value . '%');
     }
 
     /**