From 84be10cf4d956cf960a38a6ff362a34f2d33c60e Mon Sep 17 00:00:00 2001
From: Iwona Just
Date: Wed, 20 Nov 2024 09:14:28 +0000
Subject: [PATCH] escape match value for the query
---
 src/fields/CalendarEvents.php | 3 ++-
 src/fields/Categories.php | 2 +-
 src/fields/CommerceProducts.php | 2 +-
 src/fields/CommerceVariants.php | 3 ++-
 src/fields/DigitalProducts.php | 3 ++-
 src/fields/Entries.php | 2 +-
 src/fields/Tags.php | 2 +-
 src/fields/Users.php | 2 +-
 8 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/fields/CalendarEvents.php b/src/fields/CalendarEvents.php
index 88a9f3e6..eb81117d 100644
--- a/src/fields/CalendarEvents.php
+++ b/src/fields/CalendarEvents.php
@@ -8,6 +8,7 @@
 use craft\feedme\base\FieldInterface;
 use craft\feedme\helpers\DataHelper;
 use craft\feedme\Plugin;
+use craft\helpers\Db;
 use craft\helpers\Json;
 use Solspace\Calendar\Elements\Event as EventElement;
@@ -124,7 +125,7 @@ public function parseField(): mixed
 $criteria['status'] = null;
 $criteria['typeId'] = $typeIds;
 $criteria['limit'] = $limit;
- $criteria[$match] = $dataValue;
+ $criteria[$match] = Db::escapeParam($dataValue);
 Craft::configure($query, $criteria);
diff --git a/src/fields/Categories.php b/src/fields/Categories.php
index dfe235f0..5a3a481e 100644
--- a/src/fields/Categories.php
+++ b/src/fields/Categories.php
@@ -145,7 +145,7 @@ public function parseField(): mixed
 $criteria['status'] = null;
 $criteria['limit'] = $limit;
- $criteria[$match] = $dataValue;
+ $criteria[$match] = Db::escapeParam($dataValue);
 Craft::configure($query, $criteria);
diff --git a/src/fields/CommerceProducts.php b/src/fields/CommerceProducts.php
index 1abcda63..03f71c50 100644
--- a/src/fields/CommerceProducts.php
+++ b/src/fields/CommerceProducts.php
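Review bot: `Db::escapeParam()` takes a `string`, and the new assignment in the `parseField()` hunk of CalendarEvents.php hands it `$dataValue` with no type check in the visible lines, so a feed value that reaches this point as `null` or an array would raise a `TypeError` instead of being passed through as before. The function body starts above this hunk, so an earlier guard may already exist; if not, normalise scalar values first, e.g. `$criteria[$match] = Db::escapeParam((string)$dataValue);`, and skip non-scalar ones. A one-line comment such as `// Feed data is untrusted: escape commas and asterisks so the query param syntax matches the value literally` would also record why the call is there. The same applies to the matching hunks in Categories, CommerceProducts, CommerceVariants, DigitalProducts, Entries, Tags and Users.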
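Review bot: No `use craft\helpers\Db;` is added for Categories.php, whose diffstat entry is a one-line change, and the same holds for CommerceProducts.php, Entries.php, Tags.php and Users.php, while CalendarEvents, CommerceVariants and DigitalProducts each gain the import. The import blocks of those five files are outside the patch, so they may already have it; if any does not, the unqualified `Db` in `parseField()` resolves against the file's own namespace and fails with a class-not-found error the first time a value is matched. Confirm each of the five files contains `use craft\helpers\Db;`, ideally with a test that runs one import through every field type.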
@@ -129,7 +129,7 @@ public function parseField(): mixed
 $criteria['status'] = null;
 $criteria['typeId'] = $typeIds;
 $criteria['limit'] = $limit;
- $criteria[$match] = $dataValue;
+ $criteria[$match] = Db::escapeParam($dataValue);
 Craft::configure($query, $criteria);
diff --git a/src/fields/CommerceVariants.php b/src/fields/CommerceVariants.php
index e0308fee..f7672cc0 100644
--- a/src/fields/CommerceVariants.php
+++ b/src/fields/CommerceVariants.php
@@ -10,6 +10,7 @@
 use craft\feedme\base\FieldInterface;
 use craft\feedme\helpers\DataHelper;
 use craft\feedme\Plugin;
+use craft\helpers\Db;
 use craft\helpers\Json;
 /**
@@ -128,7 +129,7 @@ public function parseField(): mixed
 $criteria['status'] = null;
 $criteria['typeId'] = $typeIds;
 $criteria['limit'] = $limit;
- $criteria[$match] = $dataValue;
+ $criteria[$match] = Db::escapeParam($dataValue);
 Craft::configure($query, $criteria);
diff --git a/src/fields/DigitalProducts.php b/src/fields/DigitalProducts.php
index 81db12f5..c8ec9322 100644
--- a/src/fields/DigitalProducts.php
+++ b/src/fields/DigitalProducts.php
@@ -9,6 +9,7 @@
 use craft\feedme\base\FieldInterface;
 use craft\feedme\helpers\DataHelper;
 use craft\feedme\Plugin;
+use craft\helpers\Db;
 use craft\helpers\Json;
 /**
@@ -129,7 +130,7 @@ public function parseField(): mixed
 $criteria['status'] = null;
 $criteria['typeId'] = $typeIds;
 $criteria['limit'] = $limit;
- $criteria[$match] = $dataValue;
+ $criteria[$match] = Db::escapeParam($dataValue);
 Craft::configure($query, $criteria);
diff --git a/src/fields/Entries.php b/src/fields/Entries.php
index c6386467..4ed77004 100644
--- a/src/fields/Entries.php
+++ b/src/fields/Entries.php
@@ -164,7 +164,7 @@ public function parseField(): mixed
 $criteria['status'] = null;
 $criteria['limit'] = $limit;
- $criteria[$match] = $dataValue;
+ $criteria[$match] = Db::escapeParam($dataValue);
 Craft::configure($query, $criteria);
diff --git a/src/fields/Tags.php b/src/fields/Tags.php
index 1a989a5a..51db5462 100644
--- a/src/fields/Tags.php
+++ b/src/fields/Tags.php
@@ -127,7 +127,7 @@ public function parseField(): mixed
 $criteria['status'] = null;
 $criteria['groupId'] = $groupId;
 $criteria['limit'] = $limit;
- $criteria[$match] = $dataValue;
+ $criteria[$match] = Db::escapeParam($dataValue);
 Craft::configure($query, $criteria);
diff --git a/src/fields/Users.php b/src/fields/Users.php
index 86782834..de9958ef 100644
--- a/src/fields/Users.php
+++ b/src/fields/Users.php
@@ -152,7 +152,7 @@ public function parseField(): mixed
 $ids = [];
 $criteria['status'] = null;
 $criteria['limit'] = $limit;
- $criteria[$match] = $dataValue;
+ $criteria[$match] = Db::escapeParam($dataValue);
 // If the only source for the Users field is "admins" we don't have to bother with this query.
 if (!($isAdmin && empty($groupIds) && empty($customSources))) {