imadphp · March 11, 2019 13:36
diff --git a/MAGESTORE_STORE_LOCATOR_SQLI.patch b/MAGESTORE_STORE_LOCATOR_SQLI.patch
 diff --git a/vendor/magestore/storepickup/app/code/Magestore/Storepickup/Model/ResourceModel/Store/Collection.php b/vendor/magestore/storepickup/app/code/Magestore/Storepickup/Model/ResourceModel/Store/Collection.php
 index 5a48b364a..87a855904 100644
 --- a/vendor/magestore/storepickup/app/code/Magestore/Storepickup/Model/ResourceModel/Store/Collection.php
 +++ b/vendor/magestore/storepickup/app/code/Magestore/Storepickup/Model/ResourceModel/Store/Collection.php
 @@ -106,8 +106,8 @@ class Collection extends \Magento\Framework\Model\ResourceModel\Db\Collection\Ab
      */
     public function addLatLngToFilterDistance($lat, $lng, $distance = null)
     {
 -        $expression = "(1609.34*((acos(sin(({{lat}}*pi()/180)) * sin((`{{latitude}}`*pi()/180))+cos(($lat *pi()/180)) * cos((`{{latitude}}`*pi()/180)) * cos((({{lng}} - `{{longitude}}`)*pi()/180))))*180/pi())*60*1.1515)";
 -        $this->addExpressionFieldToSelect('distance', $expression, ['latitude' => 'latitude', 'longitude' => 'longitude', 'lat' => $lat, 'lng' => $lng]);
 +        $expression = "(1609.34*((acos(sin(({{lat}}*pi()/180)) * sin((`latitude`*pi()/180))+cos(({{lat}} *pi()/180)) * cos((`latitude`*pi()/180)) * cos((({{lng}} - `longitude`)*pi()/180))))*180/pi())*60*1.1515)";
 +        $this->addExpressionFieldToSelect('distance', $expression, ['lat' => $lat, 'lng' => $lng]);
 
         if ($distance) {
             $this->getSelect()->having('distance <= ?', $distance);

 diff --git a/vendor/magento/framework/Model/ResourceModel/Db/Collection/AbstractCollection.php b/vendor/magento/framework/Model/ResourceModel/Db/Collection/AbstractCollection.php
 index b57755ed7..4cff648c9 100644
 --- a/vendor/magento/framework/Model/ResourceModel/Db/Collection/AbstractCollection.php
 +++ b/vendor/magento/framework/Model/ResourceModel/Db/Collection/AbstractCollection.php
 @@ -343,7 +343,8 @@ abstract class AbstractCollection extends AbstractDb implements SourceProviderIn
 
         $fullExpression = $expression;
         foreach ($fields as $fieldKey => $fieldItem) {
 -            $fullExpression = str_replace('{{' . $fieldKey . '}}', $fieldItem, $fullExpression);
 +            $quotedFieldItem =  $this->getConnection()->quote($fieldItem);
 +            $fullExpression = str_replace('{{' . $fieldKey . '}}', $quotedFieldItem, $fullExpression);
         }
 
         $this->getSelect()->columns([$alias => $fullExpression]);
	diff --git a/vendor/magestore/storepickup/app/code/Magestore/Storepickup/Model/ResourceModel/Store/Collection.php b/vendor/magestore/storepickup/app/code/Magestore/Storepickup/Model/ResourceModel/Store/Collection.php
	index 5a48b364a..87a855904 100644
	--- a/vendor/magestore/storepickup/app/code/Magestore/Storepickup/Model/ResourceModel/Store/Collection.php
	+++ b/vendor/magestore/storepickup/app/code/Magestore/Storepickup/Model/ResourceModel/Store/Collection.php
	@@ -106,8 +106,8 @@ class Collection extends \Magento\Framework\Model\ResourceModel\Db\Collection\Ab
	*/
	public function addLatLngToFilterDistance($lat, $lng, $distance = null)
	{
	- $expression = "(1609.34((acos(sin(({{lat}}pi()/180)) * sin((`{{latitude}}`pi()/180))+cos(($lat pi()/180)) * cos((`{{latitude}}`pi()/180)) cos((({{lng}} - `{{longitude}}`)pi()/180))))180/pi())601.1515)";
	- $this->addExpressionFieldToSelect('distance', $expression, ['latitude' => 'latitude', 'longitude' => 'longitude', 'lat' => $lat, 'lng' => $lng]);
	+ $expression = "(1609.34((acos(sin(({{lat}}pi()/180)) * sin((`latitude`pi()/180))+cos(({{lat}} pi()/180)) * cos((`latitude`pi()/180)) cos((({{lng}} - `longitude`)pi()/180))))180/pi())601.1515)";
	+ $this->addExpressionFieldToSelect('distance', $expression, ['lat' => $lat, 'lng' => $lng]);

	if ($distance) {
	$this->getSelect()->having('distance <= ?', $distance);

	diff --git a/vendor/magento/framework/Model/ResourceModel/Db/Collection/AbstractCollection.php b/vendor/magento/framework/Model/ResourceModel/Db/Collection/AbstractCollection.php
	index b57755ed7..4cff648c9 100644
	--- a/vendor/magento/framework/Model/ResourceModel/Db/Collection/AbstractCollection.php
	+++ b/vendor/magento/framework/Model/ResourceModel/Db/Collection/AbstractCollection.php
	@@ -343,7 +343,8 @@ abstract class AbstractCollection extends AbstractDb implements SourceProviderIn

	$fullExpression = $expression;
	foreach ($fields as $fieldKey => $fieldItem) {
	- $fullExpression = str_replace('{{' . $fieldKey . '}}', $fieldItem, $fullExpression);
	+ $quotedFieldItem = $this->getConnection()->quote($fieldItem);
	+ $fullExpression = str_replace('{{' . $fieldKey . '}}', $quotedFieldItem, $fullExpression);
	}

	$this->getSelect()->columns([$alias => $fullExpression]);