SQL Injection

[Dylan-DutchAndBold]

Clicking through the source code has me worried. It looks like this package facilitates SQL Injections.

For example the scopeDistance function

public function scopeDistance($query, $geometryColumn, $geometry, $distance)
    {
        $query->whereRaw("st_distance(`{$geometryColumn}`, ST_GeomFromText('{$geometry->toWkt()}')) <= {$distance}");

        return $query;
    }

The user data is just executed raw, no bindings, no escaping. Doing a simple test below shows it allows for SQL Injection.

>>> Address::distance('location', new \Grimzy\LaravelMysqlSpatial\Types\Point(51.905737, 4.430866), "'' OR 1=1")->toSql()
=> "select * from `addresses` where st_distance(`location`, ST_GeomFromText('POINT(4.430866 51.905737)')) <= '' OR 1=1"

[Dylan-DutchAndBold]

I have decided that I will fix this issue in the weekend, and create a merge request.

[boydcl]

Thanks for doing this. This should be merged ASAP

[Dylan-DutchAndBold]

@grimzy Why is this not being resolved, I have a PR ready.

[grimzy]

@Dylan-DutchAndBold, thanks for reporting and fixing this.
Since the build is broken and the tests are also not passing on my local environment I needed more time to look a the PR.
Are the unit tests passing on your side?

[Dylan-DutchAndBold]

When I pulled your master the unit tests were broken. I had to update the mockery version and the tests passed. Laravel does not use symantic versioning correctly and had breaking changes on the minor. Their 5.6 release now requires PHP 7 and phpunit 6.

[grimzy]

I already started looking at this, but will spend more time over the week end and favor the latest minor Laravel releases.
Suggestions and PRs are most welcome!
Thanks again.

[Dylan-DutchAndBold]

Thank you picking this up, totally appreciate your work! @grimzy