Laravel 5.1 Eloquent escape string parameter (havingraw)

Question

i am receiving a string parameter that i would like to use havingRaw with:

string i am receiving:

$searchString = Input::get('q');//example:party beach

i have found in different question that i should use this to prevent sql injection:

$searchStringEsc = DB::connection()->getPdo()->quote($searchString);

the problem i am having is, when i insert into my query with havingRaw, since my string is now escaped `party beach` it return null, but when i insert the un-escaped string, it works fine.

->havingRaw('search rlike replace("'.$searchStringEsc.'", " ", "|")')

is there another way to escape raw parameters? thank you

EDIT-- Full Query (i am doing a search query where the user can put in city name, establishment name, any tags tagged to the establishment etc...)

            $results = DB::table('events')
            ->leftJoin('event_tag', 'events.id', '=', 'event_tag.event_id')
            ->join('tags', 'tags.id', '=', 'event_tag.tag_id')
            ->join('establishments', 'establishments.id', '=', 'events.establishment_id')
            ->join('cities', 'establishments.city_id', '=', 'cities.id')
            ->leftJoin('artist_event', 'events.id', '=', 'artist_event.event_id')
            ->join('artists', 'artist_event.artist_id', '=', 'artists.id')
            ->leftJoin('event_music', 'events.id', '=', 'event_music.event_id')
            ->join('musics', 'musics.id', '=', 'event_music.music_id')
            ->select('events.id as evId', 'events.slug as evSlug', 'events.name as evName',
                'events.cover_path as estPath','establishments.establishment_type_id as estType',
                'establishments.name as estName', 'events.start_date as evStart', 'events.end_date as evEnd',
                'cities.name as ciName',
                DB::raw('CONCAT_WS(",",
                        GROUP_CONCAT(distinct tags.name),
                        GROUP_CONCAT(distinct artists.name),
                        GROUP_CONCAT(distinct cities.name),
                        GROUP_CONCAT(distinct events.name),
                        GROUP_CONCAT(distinct musics.name)
                        ) as search'))
            ->where('events.end_date','>=', DB::raw('NOW()'))
            ->where('establishments.is_active','=',1)
            ->groupBy('events.id')
            ->havingRaw('search rlike replace("'.$searchString.'", " ", "|")')
            ->orderBy('events.total_visited', 'desc')
            ->take(5)->get();

if i leave it as $searchString (unscaped string), it works fine. if i change it to $searchStringEsc (escaped string) it return null

Answer 1

You can simply use query binding, so replace

 ->havingRaw('search rlike replace("'.$searchString.'", " ", "|")')

with

->havingRaw('search rlike replace(?, " ", "|")', [$searchString])

which handles all of your escaping needs (whereRaw can do that too). The ? just means that you have a bound parameter (namely $searchString) there.