Merge pull request #8 from ptondereau/master

Fix SQL injection + replace double quotes by single one + alias

src/Conversations/Conversation.php

@@ -6,7 +6,7 @@
 
 class Conversation extends Model
 {
-    protected $table = "conversations";
+    protected $table = 'conversations';
     public $timestamps = true;
     public $fillable = ['user_one', 'user_two', 'status'];
 

src/Conversations/ConversationRepository.php

@@ -61,31 +61,37 @@ protected function getUserColumns()
     public function getList($user, $offset, $take)
     {
         $conversations = DB::select(
-            DB::raw("SELECT " . $this->getUserColumns() . "msg.user_id as sender_id, conv.id as conv_id, msg.message, msg.created_at, msg.is_seen
-	FROM " . DB::getTablePrefix() . config('talk.user.table') . " user, " . DB::getTablePrefix() . "conversations conv, " . DB::getTablePrefix() . "messages msg
+            DB::raw('SELECT ' . $this->getUserColumns() . 'msg.user_id as sender_id, conv.id as conv_id, msg.message, msg.created_at, msg.is_seen
+	FROM ' . DB::getTablePrefix() . config('talk.user.table') . ' user, ' . DB::getTablePrefix() . 'conversations conv, ' . DB::getTablePrefix() . 'messages msg
 	WHERE conv.id = msg.conversation_id
 				AND (
-					conv.user_one ={$user}
-					OR conv.user_two ={$user}
+					conv.user_one = :user
+					OR conv.user_two = :user
 				) and (msg.created_at)
 	in (
 		SELECT max(msg.created_at) as created_at
-		FROM " . DB::getTablePrefix() . "conversations conv, " . DB::getTablePrefix() . "messages msg
+		FROM ' . DB::getTablePrefix() . 'conversations conv, ' . DB::getTablePrefix() . 'messages msg
 		WHERE CASE
-			WHEN conv.user_one ={$user}
+			WHEN conv.user_one = :user
 			THEN conv.user_two = user.id
-			WHEN conv.user_two ={$user}
+			WHEN conv.user_two = :user
 			THEN conv.user_one = user.id
 		END
 		AND conv.id = msg.conversation_id
 		AND (
-			conv.user_one ={$user}
-			OR conv.user_two ={$user}
+			conv.user_one = :user
+			OR conv.user_two = :user
 			)
 	GROUP BY conv.id
 )
      ORDER BY msg.created_at DESC
-     LIMIT " . $offset . ", " . $take)
+     LIMIT :offset, :take',
+                [
+                    'user' => $user,
+                    'offset' => $offset,
+                    'take' => $take
+                ]
+            )
         );
 
 

src/Messages/MessageRepository.php

@@ -16,11 +16,12 @@ public function getConversations($conversationId)
     {
         $readMessage = DB::select(
             DB::raw(
-                "SELECT U.name, M.id, U.id as user_id, M.message, M.created_at
-			    FROM " . DB::getTablePrefix() . "users U, " . DB::getTablePrefix() . "messages M
+                'SELECT U.name, M.id, U.id as user_id, M.message, M.created_at
+			    FROM ' . DB::getTablePrefix() . 'users U, ' . DB::getTablePrefix() . 'messages M
 			    WHERE M.user_id = U.id
-			    AND M.conversation_id = {$conversationId}
-			    order by M.created_at asc"
+			    AND M.conversation_id = ?
+			    order by M.created_at asc',
+                [$conversationId]
             )
         );
         return $readMessage;

src/TalkServiceProvider.php

@@ -65,10 +65,11 @@ protected function setupMigrations()
      */
     protected function registerTalk()
     {
-        $this->app->singleton('Talk', function (Container $app) {
+        $this->app->singleton('talk', function (Container $app) {
             return new Talk($app[ConversationRepository::class], $app[MessageRepository::class]);
         });
 
+        $this->app->alias('talk', Talk::class);
     }
 
     /**
@@ -78,8 +79,6 @@ protected function registerTalk()
      */
     public function provides()
     {
-        return [
-            Talk::class,
-        ];
+        return ['talk'];
     }
 }