Closed
Description
Clicking through the source code has me worried. It looks like this package facilitates SQL Injections.
For example, the `scopeDistance` function:

```php
public function scopeDistance($query, $geometryColumn, $geometry, $distance)
{
    // $geometryColumn, the WKT from $geometry and $distance are interpolated
    // straight into the raw SQL string; no bindings are passed to whereRaw().
    $query->whereRaw("st_distance(`{$geometryColumn}`, ST_GeomFromText('{$geometry->toWkt()}')) <= {$distance}");
    return $query;
}
```
The user data is just executed raw, no bindings, no escaping. Doing a simple test below shows it allows for SQL Injection.
```php
>>> Address::distance('location', new \Grimzy\LaravelMysqlSpatial\Types\Point(51.905737, 4.430866), "'' OR 1=1")->toSql()
=> "select * from `addresses` where st_distance(`location`, ST_GeomFromText('POINT(4.430866 51.905737)')) <= '' OR 1=1"
```
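For comparison, here is how the same scope looks when the user-controlled values are sent as query bindings instead of being interpolated into the SQL. This is an added example, not the package's own code; it assumes the Laravel query builder API (`whereRaw($sql, $bindings)` and `getGrammar()->wrap()` for identifier quoting) and the `SafeDistanceScope` trait name is hypothetical.

```php
<?php
// Added example (not the package's code): a hardened scopeDistance that keeps
// the original signature but never places caller input inside the SQL text.
// Assumes Laravel's query builder: whereRaw($sql, $bindings) and
// getGrammar()->wrap() for quoting identifiers.

use Illuminate\Database\Eloquent\Builder;
use InvalidArgumentException;

trait SafeDistanceScope
{
    public function scopeDistance(Builder $query, string $geometryColumn, $geometry, $distance): Builder
    {
        // Identifiers cannot be bound, so accept only a plain column name and
        // let the grammar quote it (dotted "table.column" forms are rejected here).
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $geometryColumn)) {
            throw new InvalidArgumentException("Invalid geometry column: {$geometryColumn}");
        }
        $column = $query->getGrammar()->wrap($geometryColumn);

        // The distance is a numeric threshold; refuse anything else up front
        // rather than letting a string such as "'' OR 1=1" reach the query.
        if (!is_numeric($distance)) {
            throw new InvalidArgumentException('Distance must be numeric');
        }

        // WKT and distance travel as PDO bindings. Even if a non-numeric value
        // slipped past the check above it would be a single string parameter,
        // not an additional predicate appended to the WHERE clause.
        return $query->whereRaw(
            "st_distance({$column}, ST_GeomFromText(?)) <= ?",
            [$geometry->toWkt(), (float) $distance]
        );
    }
}
```

With this version the tinker call from the report throws an `InvalidArgumentException` instead of producing a query ending in `OR 1=1`.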