Ensure only allowed searchable columns are used in DB Query

sedan07 · sedan07 · commit 27bca8280419 · 2021-01-15T14:17:35.000Z
diff --git a/app/Models/Traits/SearchableTrait.php b/app/Models/Traits/SearchableTrait.php
@@ -34,10 +34,11 @@ public function scopeSearch(Builder $query, array $search = [])
             return $query;
         }
 
-        if (!array_intersect(array_keys($search), $this->searchable)) {
+        $allowed_search = array_intersect_key($search, array_flip($this->searchable));
+        if (! $allowed_search) {
             return $query;
         }
 
-        return $query->where($search);
+        return $query->where($allowed_search);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -34,10 +34,11 @@ public function scopeSearch(Builder $query, array $search = [])`
`34`	`34`	`return $query;`
`35`	`35`	`}`
`36`	`36`
`37`		`- if (!array_intersect(array_keys($search), $this->searchable)) {`
	`37`	`+ $allowed_search = array_intersect_key($search, array_flip($this->searchable));`
	`38`	`+ if (! $allowed_search) {`
`38`	`39`	`return $query;`
`39`	`40`	`}`
`40`	`41`
`41`		`- return $query->where($search);`
	`42`	`+ return $query->where($allowed_search);`
`42`	`43`	`}`
`43`	`44`	`}`