Framework: Parameter binding on joins, especially leftJoins

Created on 19 Jul 2013  路  4Comments  路  Source: laravel/framework

Illuminate/Database/Query/Builder class
Currently only values from the where clause get added to the bindings array, and values in join on clauses are not parameterized and therefore susceptible to SQL injection. Also it causes the query to not achieve its full caching potential.

At many times it may be fine to rewrite additional on conditions as where conditions, however for leftJoins, using thewhere is not always an equivalent query (see here).

Additionally, many developers prefer to make use of the additional on conditions because it makes the SQL much more readable, logically seperated and understandable when debugging or reviewing (especially if you are not the developer who wrote the query) as opposed to the conditions being unnecessarily lumped together in a large whereclause.

I propose a solution that allows for the passing of an array of bindings to be coupled with a query Expression, for example:

$query = DB::table('users');
$query->select('users.name','roles.type');
$query->leftJoin('roles', function($join)
            {
                 $join->on('roles.id','=','users.role_id');
                 $join->on('roles.type','=',DB::raw('?'),array('admin')); // <-- binding(s) added here
            });
return $query->get();

| All Users | is Admin? |
| --- | :-: |
| Tom | admin |
| Dan | |
| John | admin |

I'm new to gitHub and hope to upload some Laravel packages soon. But thought I would bring this up. Any ideas?

picture prograhammer

Most helpful comment

please, explain how to use joinWhere

picture pilot911 on 4 Dec 2013
👍3

All 4 comments

The current work-around I'm using (I didn't want to extend classes like Builder and JoinClause):
(notice: this breaks the query chaining with ->)

$query = DB::table('users');
$query->select('users.name','roles.type');
$query->leftJoin('roles', function($join)
            {
                 $join->on('roles.id','=','users.role_id');
                 $join->on('roles.type','=',DB::raw('?')); 
            })
       ->setBindings(array_merge($query->getBindings(),array("admin"))); // <-- binding(s) added here
return $query->get();
prograhammer picture prograhammer on 20 Jul 2013

+1

this is needed also on addSelect and select, I guess it is better to add the bindings to the Expression object so we can use it like this:

DB::raw("roles.type = ?", array('admin'));
ammont picture ammont on 4 Aug 2013

Done. joinWhere, leftJoinWhere... if you have a function join just use ->where and ->orWhere from within the Closure.

taylorotwell picture taylorotwell on 2 Nov 2013
👍1

please, explain how to use joinWhere

pilot911 picture pilot911 on 4 Dec 2013
👍3
Was this page helpful?
0 / 5 - 0 ratings

Related issues

YannPl picture YannPl  路  3Comments
PhiloNL picture PhiloNL  路  3Comments
fideloper picture fideloper  路  3Comments
CupOfTea696 picture CupOfTea696  路  3Comments
shopblocks picture shopblocks  路  3Comments