
Commit 8b0a0d7

author
Joan He
authored
Merge pull request #4466 from magento-arcticfoxes/MC-17309
[arcticfoxes] Bug Fixes
2 parents d59ce32 + ac85d5b commit 8b0a0d7


1 file changed

+40
-22
lines changed


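--- a/app/code/Magento/Rule/Model/Condition/Sql/Builder.php
+++ b/app/code/Magento/Rule/Model/Condition/Sql/Builder.php
@@ -152,9 +152,11 @@ protected function _getMappedSqlCondition(
 ): string {
 $argument = $condition->getMappedSqlField();
 
-// If rule hasn't valid argument - create negative expression to prevent incorrect rule behavior.
+// If rule hasn't valid argument - prevent incorrect rule behavior.
 if (empty($argument)) {
 return $this->_expressionFactory->create(['expression' => '1 = -1']);
+} elseif (preg_match('/[^a-z0-9\-_\.\`]/i', $argument) > 0) {
+throw new \Magento\Framework\Exception\LocalizedException(__('Invalid field'));
 }
 
 $conditionOperator = $condition->getOperatorForValidate();
@@ -195,7 +197,6 @@ protected function _getMappedSqlCondition(
 );
 }
 }
-
 return $this->_expressionFactory->create(
 ['expression' => $expression]
 );
@@ -241,6 +242,7 @@ protected function _getMappedSqlCombination(
 * @param AbstractCollection $collection
 * @param Combine $combine
 * @return void
+* @throws \Magento\Framework\Exception\LocalizedException
 */
 public function attachConditionToCollection(
 AbstractCollection $collection,
@@ -250,29 +252,45 @@ public function attachConditionToCollection(
 $this->_joinTablesToCollection($collection, $combine);
 $whereExpression = (string)$this->_getMappedSqlCombination($combine);
 if (!empty($whereExpression)) {
-if (!empty($combine->getConditions())) {
-$conditions = '';
-$attributeField = '';
-foreach ($combine->getConditions() as $condition) {
-if ($condition->getData('attribute') === \Magento\Catalog\Api\Data\ProductInterface::SKU) {
-$conditions = $condition->getData('value');
-$attributeField = $condition->getMappedSqlField();
-}
-}
+$collection->getSelect()->where($whereExpression);
+$this->buildConditions($collection, $combine);
+}
+}
 
-$collection->getSelect()->where($whereExpression);
+/**
+* Build sql conditions from combination.
+*
+* @param AbstractCollection $collection
+* @param Combine $combine
+* @return void
+*/
+private function buildConditions(AbstractCollection $collection, Combine $combine) : void
+{
+if (!empty($combine->getConditions())) {
+$conditions = '';
+$attributeField = '';
+foreach ($combine->getConditions() as $condition) {
+if ($condition->getData('attribute') === \Magento\Catalog\Api\Data\ProductInterface::SKU) {
+$conditions = $condition->getData('value');
+$attributeField = $condition->getMappedSqlField();
+}
+}
 
-if (!empty($conditions) && !empty($attributeField)) {
-$conditions = explode(',', $conditions);
-foreach ($conditions as &$condition) {
-$condition = "'" . trim($condition) . "'";
-}
-$conditions = implode(', ', $conditions);
-$collection->getSelect()->order("FIELD($attributeField, $conditions)");
+if (!empty($conditions) && !empty($attributeField)) {
+$conditions = explode(',', $conditions);
+foreach ($conditions as &$condition) {
+$condition = trim($condition);
 }
-} else {
-// Select ::where method adds braces even on empty expression
-$collection->getSelect()->where($whereExpression);
+$conditions = implode(', ', $conditions);
+$collection->getSelect()->order(
+$this->_connection->quoteInto(
+"FIELD(?, ?)",
+[
+$attributeField,
+$conditions
+]
+)
+);
 }
 }
 }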