
Commit 52c73cf

Used bindings and predefined options to counteract SQL injection
1 parent f9a0428 commit 52c73cf


2 files changed

+70
-7
lines changed


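--- a/src/Eloquent/SpatialTrait.php
+++ b/src/Eloquent/SpatialTrait.php
@@ -3,6 +3,7 @@
 namespace Grimzy\LaravelMysqlSpatial\Eloquent;
 
 use Grimzy\LaravelMysqlSpatial\Exceptions\SpatialFieldsNotDefinedException;
+use Grimzy\LaravelMysqlSpatial\Exceptions\UnknownSpatialRelationFunction;
 use Grimzy\LaravelMysqlSpatial\Types\Geometry;
 use Grimzy\LaravelMysqlSpatial\Types\GeometryInterface;
 use Illuminate\Database\Eloquent\Builder as EloquentBuilder;
@@ -37,6 +38,17 @@ trait SpatialTrait
 
 public $geometries = [];
 
+protected $stRelations = [
+'within',
+'crosses',
+'contains',
+'disjoint',
+'equals',
+'intersects',
+'overlaps',
+'touches'
+];
+
 /**
 * Create a new Eloquent query builder for the model.
 *
@@ -89,61 +101,105 @@ public function getSpatialFields()
 }
 }
 
+public function isColumnAllowed($geometryColumn)
+{
+if (! in_array($geometryColumn, $this->getSpatialFields())) {
+throw new SpatialFieldsNotDefinedException();
+}
+
+return true;
+}
+
 public function scopeDistance($query, $geometryColumn, $geometry, $distance)
 {
-$query->whereRaw("st_distance(`{$geometryColumn}`, ST_GeomFromText('{$geometry->toWkt()}')) <= {$distance}");
+$this->isColumnAllowed($geometryColumn);
+
+$query->whereRaw("st_distance(`$geometryColumn`, ST_GeomFromText(?)) <= ?", [
+$geometry->toWkt(),
+$distance
+]);
 
 return $query;
 }
 
 public function scopeDistanceExcludingSelf($query, $geometryColumn, $geometry, $distance)
 {
+$this->isColumnAllowed($geometryColumn);
+
 $query = $this->scopeDistance($query, $geometryColumn, $geometry, $distance);
 
-$query->whereRaw("st_distance(`{$geometryColumn}`, ST_GeomFromText('{$geometry->toWkt()}')) != 0");
+$query->whereRaw("st_distance(`$geometryColumn`, ST_GeomFromText(?)) != 0", [
+$geometry->toWkt()
+]);
 
 return $query;
 }
 
 public function scopeDistanceValue($query, $geometryColumn, $geometry)
 {
+$this->isColumnAllowed($geometryColumn);
+
 $columns = $query->getQuery()->columns;
 
 if (!$columns) {
 $query->select('*');
 }
-$query->selectRaw("st_distance(`{$geometryColumn}`, ST_GeomFromText('{$geometry->toWkt()}')) as distance");
+
+$query->selectRaw("st_distance(`$geometryColumn`, ST_GeomFromText(?)) as distance", [
+$geometry->toWkt()
+]);
 }
 
 public function scopeDistanceSphere($query, $geometryColumn, $geometry, $distance)
 {
-$query->whereRaw("st_distance_sphere(`{$geometryColumn}`, ST_GeomFromText('{$geometry->toWkt()}')) <= {$distance}");
+$this->isColumnAllowed($geometryColumn);
+
+$query->whereRaw("st_distance_sphere(`$geometryColumn`, ST_GeomFromText(?)) <= ?", [
+$geometry->toWkt(),
+$distance
+]);
 
 return $query;
 }
 
 public function scopeDistanceSphereExcludingSelf($query, $geometryColumn, $geometry, $distance)
 {
+$this->isColumnAllowed($geometryColumn);
+
 $query = $this->scopeDistanceSphere($query, $geometryColumn, $geometry, $distance);
 
-$query->whereRaw("st_distance_sphere(`{$geometryColumn}`, ST_GeomFromText('{$geometry->toWkt()}')) != 0");
+$query->whereRaw("st_distance_sphere($geometryColumn, ST_GeomFromText(?)) != 0", [
+$geometry->toWkt()
+]);
 
 return $query;
 }
 
 public function scopeDistanceSphereValue($query, $geometryColumn, $geometry)
 {
+$this->isColumnAllowed($geometryColumn);
+
 $columns = $query->getQuery()->columns;
 
 if (!$columns) {
 $query->select('*');
 }
-$query->selectRaw("st_distance_sphere(`{$geometryColumn}`, ST_GeomFromText('{$geometry->toWkt()}')) as distance");
+$query->selectRaw("st_distance_sphere(`$geometryColumn`, ST_GeomFromText(?)) as distance", [
+$geometry->toWkt()
+]);
 }
 
 public function scopeComparison($query, $geometryColumn, $geometry, $relationship)
 {
-$query->whereRaw("st_{$relationship}(`{$geometryColumn}`, ST_GeomFromText('{$geometry->toWkt()}'))");
+$this->isColumnAllowed($geometryColumn);
+
+if (! in_array($relationship, $this->stRelations)) {
+throw new UnknownSpatialRelationFunction($relationship);
+}
+
+$query->whereRaw("st_{$relationship}(`$geometryColumn`, ST_GeomFromText(?))", [
+$geometry->toWkt()
+]);
 
 return $query;
 }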
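Review bot: At new line 171 in scopeDistanceSphereExcludingSelf the column name is interpolated bare as `st_distance_sphere($geometryColumn, ...` while every sibling scope wraps it in backticks; because isColumnAllowed() restricts the value to getSpatialFields() this is not an injection path, but a spatial column named after a reserved word would now fail only in this one scope, so the identifier should be backtick-quoted exactly as on new lines 117, 131, 148 and 187. Both allow-list checks, `in_array($geometryColumn, $this->getSpatialFields())` on new line 106 and `in_array($relationship, $this->stRelations)` on new line 196, use loose comparison; a whitelist guarding a value that is interpolated into SQL should pass `true` as the third argument so that non-string inputs cannot satisfy it through PHP's type juggling. The isColumnAllowed() call added at the top of scopeDistanceExcludingSelf and scopeDistanceSphereExcludingSelf is redundant with the same check inside the scope each one delegates to, which is harmless but worth dropping. isColumnAllowed() is a new public method without a docblock; one stating that it returns true or throws, with `@throws SpatialFieldsNotDefinedException when $geometryColumn is not declared among the model's spatial fields`, would make the contract visible to callers outside the trait.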
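--- /dev/null
+++ b/[new file path not shown on page]
@@ -0,0 +1,7 @@
+<?php
+
+namespace Grimzy\LaravelMysqlSpatial\Exceptions;
+
+class UnknownSpatialRelationFunction extends \RuntimeException
+{
+}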
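Review bot: The new exception class carries no docblock and its only call site, `throw new UnknownSpatialRelationFunction($relationship)` in SpatialTrait::scopeComparison, passes the rejected relation name as the bare message, so the exception text is just the raw value with no indication of what went wrong. A short class comment stating that it is thrown when scopeComparison receives a relation not listed in $stRelations, plus a constructor or static factory building the message as `sprintf('Unknown spatial relation function "%s"', $relationship)`, would make the error self-describing in logs. Declaring the class `final` is also worth considering, since nothing on the page extends it.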
