score:0

In queries defined by DB::select() you can use parameters defined in an array.

$sql = DB::select(DB::raw("
  select orders.id,
  -- ... rest of the query omitted
  where tr.tenant_relations_type = 'App\\Models\\Order'
  and orders.created_at between :datefrom and :dateto
  -- ... rest of the query omitted
"), [
  'datefrom' => $request->input('datefrom'),
  'dateto' => $request->input('dateto'),
]);

Of course you should additionally validate the input dates to make sure they are in a valid format.

score:0

Use bindings for the variables.

$startdate = '2021-01-01 00:00:00';
$enddate = '2021-06-07 00:00:00';
$sql = DB::select(DB::raw("
    select orders.id,
    -- ... rest of the query omitted
    where tr.tenant_relations_type = ?
    and orders.created_at between ? and ?
    -- ... rest of the query omitted
"), [Order::class, $startdate, $enddate]); // place your variables in the same order as the ? placeholders

If you don't want to track the order of the bindings, you can use an associative array.

$sql = DB::select(DB::raw("
    select orders.id,
    -- ... rest of the query omitted
    where tr.tenant_relations_type = :model
    and orders.created_at between :start and :end
    -- ... rest of the query omitted
"), ['start' => $startdate, 'end' => $enddate, 'model' => Order::class]);
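Putting both answers together, here is an added example (not code from either answerer) that validates the two date inputs before they reach the query and then passes them, together with the morph type, as named bindings. It assumes the `orders` table and `tr.tenant_relations_type` column from the question, the model class `App\Models\Order`, and a join condition that the question never shows.

```php
<?php
// Added example: validate first, then bind. Table and column names follow
// the question's fragment; the join condition and App\Models\Order are assumed.

use App\Models\Order;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

function ordersInRange(Request $request): array
{
    // Reject anything that is not a well-formed timestamp, and require a
    // sane range, before the values get anywhere near the database.
    $dates = $request->validate([
        'datefrom' => ['required', 'date_format:Y-m-d H:i:s'],
        'dateto'   => ['required', 'date_format:Y-m-d H:i:s', 'after_or_equal:datefrom'],
    ]);

    // DB::select() already takes raw SQL, so DB::raw() is not needed here.
    // The :type, :datefrom and :dateto placeholders are sent to the driver as
    // parameters; the user input never becomes part of the SQL text.
    $sql = "
        select orders.id
        from orders
        join tenant_relations tr on tr.order_id = orders.id  -- join condition assumed
        where tr.tenant_relations_type = :type
          and orders.created_at between :datefrom and :dateto
    ";

    return DB::select($sql, [
        // Bound as a parameter, so the backslashes in 'App\Models\Order'
        // need no escaping inside the SQL string.
        'type'     => Order::class,
        'datefrom' => $dates['datefrom'],
        'dateto'   => $dates['dateto'],
    ]);
}
```

If validation fails, `$request->validate()` throws a `ValidationException` and Laravel redirects back with the errors, so the query is never executed with a malformed date.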
