Merge pull request #72 from wuwx/patch-2

preventing sql injection
mgallegos · Jul 28, 2021 · fbc2d94 · fbc2d94
2 parents cec56df + 81cdf1f
commit fbc2d94
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/src/Mgallegos/LaravelJqgrid/Repositories/EloquentRepositoryAbstract.php b/src/Mgallegos/LaravelJqgrid/Repositories/EloquentRepositoryAbstract.php
@@ -299,9 +299,18 @@ public function getRows($limit, $offset, $orderBy = null, $sord = null, array $f
 			}
 		})
 		->take($limit)
-		->skip($offset)
-		->orderByRaw($orderByRaw)
-		->get($this->visibleColumns);
+		->skip($offset);
+
+        foreach(explode(",", $orderByRaw) as $subOrderByRaw) {
+            $params = preg_split("/\ /i", trim($subOrderByRaw));
+            if (count($params) == 2) {
+                $rows = $rows->orderBy($params[0], $params[1]);
+            } elseif (count($params) == 1) {
+                $rows = $rows->orderBy($params[0]);
+            }
+        }
+
+		$rows = $rows->get($this->visibleColumns);
 
 		if(!is_array($rows))
 		{