johannesschobel / dingoquerymapper

Uses Dingo/API Request Query Parameters to filter Laravel Models
MIT License

Single quoted content and filtering #12

Closed sgtwinters closed 6 years ago

sgtwinters commented 6 years ago

I encountered an issue when filtering a Collection using the createFromCollection method from your DingoQueryMapper. When there are model params with single quoted content, building the filtering rules seems to break.

I think the problem is in the createEvaluationRule method from the CollectionOperator. When building an evaluation rule, where the key contains a single quote, the end result is a string which cannot be evaluated. I can solve this by stripping any single quotes from the $key parameter, before further building the rule in createEvaluationRule.

Just to be sure, am I doing something wrong here or did I just find a bug ;). Thanks in advance!

johannesschobel commented 6 years ago

Hey @sgtwinters thank you very much for your issue.

Can you give an example how you call the QueryMapper? E.g., can you provide the URL you are calling (with params)?

sgtwinters commented 6 years ago

Hi @johannesschobel, yes of course. I don't call the QueryMapper directly by the way, this is a short snippet.

public function getProcesses(Request $request)
{
    $processes = Process::all();

    $filter = new DingoQueryMapper($request);
    $processes = $filter->createFromCollection($processes)->paginate();

    return $this->response->paginator($processes, new ProcessTransformer);
}

The issue arises when an item within the (in this case) $processes collection includes the single quotes I mentioned before.

Thanks in advance!

johannesschobel commented 6 years ago

Hey man.. And can you give me an example of the Process data? What do you mean with "single quoted data"?

I use it, for example, like this: GET /users?name=jo* This would get any user, that starts with jo...

Do you mean the following thing: Your $process->name may look like this : $process->name = "hello'world"; (note the quote!) And now you are trying to get GET /processes?name=hello'world

Maybe you need to escape the '?

johannesschobel commented 6 years ago

aaaaaaaaaaaaaah.. ok.. i just tried it myself - you may be right.. I get a ParseError.. Is it this, what you meant?

sgtwinters commented 6 years ago

Hey Johannes, exactly like you just made as an example: the $process->name in my case includes two quotes $process->name = "Hi 'test'" (but that will cause the same problem).

The rule built in createEvaluationRule (the substr) will in that case include unescaped single quotes, therefore forming an invalid substr() method (at least that's where I ended up before creating this issue :)):

$rule = "substr('%s', 0, strlen('%s')) %s '%s'"
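The failure discussed above, reproduced as an added example that is not part of the thread or the library's own code: it assumes the rule string is filled with sprintf and passed to eval, and compares that with a check that never turns stored model data into PHP source. Only the format string comes from the thread; the function names, argument order and sample values are hypothetical.

```php
<?php
// Added example. Only the RULE format string is taken from the thread;
// function names and the sprintf argument order are assumptions.
const RULE = "substr('%s', 0, strlen('%s')) %s '%s'";

// Assumed shape of the failing path: the model value and the filter value
// are interpolated into PHP source text, which is then evaluated.
function matchesViaEval(string $modelValue, string $operator, string $filterValue): bool
{
    $code = sprintf(RULE, $modelValue, $filterValue, $operator, $filterValue);
    return (bool) eval("return {$code};");
}

// Data-only alternative: values stay values, and the operator is picked
// from a fixed allow-list instead of being pasted into source code.
function matchesPrefix(string $modelValue, string $operator, string $filterValue): bool
{
    $prefix = substr($modelValue, 0, strlen($filterValue));
    switch ($operator) {
        case '==':
            return $prefix === $filterValue;
        case '!=':
            return $prefix !== $filterValue;
        default:
            throw new InvalidArgumentException("Unsupported operator: {$operator}");
    }
}

// Constructed sample values; "Hi 'test'" is the value quoted in the thread.
$samples = ["hello world", "Hi 'test'"];
foreach ($samples as $name) {
    try {
        $viaEval = var_export(matchesViaEval($name, '==', 'Hi'), true);
    } catch (ParseError $e) {
        // The unescaped quote ends the string literal early.
        $viaEval = 'ParseError: ' . $e->getMessage();
    }
    $direct = var_export(matchesPrefix($name, '==', 'Hi'), true);
    printf("%-12s eval: %s | direct: %s\n", $name, $viaEval, $direct);
}
```

Because the quoted value here comes from the stored collection rather than the URL, stripping or escaping quotes in the request alone would not cover it; keeping values out of the evaluated string removes the problem for both inputs.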

johannesschobel commented 6 years ago

can you provide me with a PR to fix this? ;)

sgtwinters commented 6 years ago

Hey @johannesschobel, I will look into it a bit further asap :) and if I fix it (properly) I will provide a PR. Thnx for now!

johannesschobel commented 6 years ago

Thank you for noticing this issue and reporting it! Will look forward to your PR