From 3c9cf3a32cfd3f55715aa1bd188e5d4ba14a2663 Mon Sep 17 00:00:00 2001
From: Rob Van Dam
Date: Tue, 2 Aug 2022 16:12:56 -0600
Subject: [PATCH 1/2] Allow for stacking method calls

Currently only one level of method calls is supported for finding quoting methods e.g. $dbh->quote but this allowed for multiple levels e.g. $foo->bar->baz->dbh->quote as long as one of them matches.
---
 .../Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm b/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm
index d69e202..cd26876 100644
--- a/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm
+++ b/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm
@@ -593,6 +593,10 @@ sub get_complete_variable {
 $is_quoted = 1;
 last;
 }
+ elsif ($sibling->isa('PPI::Token::Word')
+ && $sibling->method_call()
+ # allow for stacking method calls, e.g. $foo->bar->baz->dbh->quote
+ $variable .= $sibling->content();
 else {
 last;
 }

From 143987ea90e4c0b5b3672c70fd3bb8aa19a0f8d7 Mon Sep 17 00:00:00 2001
From: Rob Van Dam
Date: Tue, 2 Aug 2022 16:15:31 -0600
Subject: [PATCH 2/2] Test parsing of stacked method calls

---
 t/ValuesAndExpressions/PreventSQLInjection.run | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/t/ValuesAndExpressions/PreventSQLInjection.run b/t/ValuesAndExpressions/PreventSQLInjection.run
index 079b016..d1bf0a9 100644
--- a/t/ValuesAndExpressions/PreventSQLInjection.run
+++ b/t/ValuesAndExpressions/PreventSQLInjection.run
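Review bot: The added `elsif` in get_complete_variable never closes its condition or opens a block: after `&& $sibling->method_call()` there is no `) {`, and no `}` precedes the existing `else {`, so the file as patched should not compile unless the collapsed rendering dropped lines. The fix is two lines: make the second added line `&& $sibling->method_call()) {` and insert `}` before `else {`, which also moves the `# allow for stacking method calls ...` comment inside the block above the `.=`. Note also that only the word's content is appended to `$variable`; whether the `->` operator tokens between stacked words are consumed by the loop depends on code outside the hunk, so it is worth confirming the accumulated name stays consistent with what the quoting-method check compares against. get_complete_variable's body starts and ends outside the hunk.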
@@ -452,6 +452,12 @@ $sql = "UPDATE table_name SET field = " . $dbh->test($value) . "WHERE field = 1"
 $sql = "UPDATE table_name SET field = " . $dbh->test($value) . "WHERE field = " . $dbh->quote($value2);
+## name Allow stacked calls prior to quoting method
+## parms { quoting_methods => 'test' }
+## failures 0
+## cut
+
+$sql = "UPDATE table_name SET field = " . $foo->bar->baz->dbh->test($value) . "WHERE field = 1";
 ## name vars in subtest name.
 ## parms { prefer_upper_case_keywords => 0 }
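Review bot: The new case only exercises the accepting path — a stacked chain that ends in the configured quoting method with `## failures 0` — and nothing checks that the widened matching still reports a chain containing no quoting method. A companion block with `## failures 1` under the same `## parms`, e.g. `$sql = "UPDATE table_name SET field = " . $foo->bar->baz->dbh->other($value) . "WHERE field = 1";`, would guard against the policy silently accepting any multi-level method call. The blank context lines of this hunk appear to have been lost in rendering, so the header's line counts cannot be checked against what is shown here.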