On 20/12/62 22:03, test user wrote:
> Hello,
>
> I have a search box on a website that uses FTS5/MATCH.
>
> MATCH seems to take its own custom language for matching.
>
> 1. Is it safe to just pass the user's query to MATCH via the SQLite bind FFI?

Users could specify a query that uses excessive resources. In particular, prefix searches for very common prefixes on large databases can use a lot of memory. I think it's otherwise safe though.

> - This would give them full access to the FTS5 matching language.
>
> 2. If not, how should I be sanitising user input?
>
> - E.g. How can I transform a string of words and text into a query? What characters should I be removing or escaping? How can I prevent them using the FTS5 keywords "AND" "OR" etc?
It really depends on what you want to allow. And how you want the query interpreted. If you want all input to be treated as a single phrase, enclose it in double-quotes, doubling any embedded " characters SQL style. Or, if you wanted the input treated as a list of terms separated by implicit AND, split the input on whitespace and then enclose each term in double-quotes. Details here:

  https://www.sqlite.org/fts5.html#full_text_query_syntax

Dan.
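Both quoting strategies Dan describes, as an added example that is not from the thread: the whole input as one phrase, or one quoted term per whitespace-separated word, with the result handed to MATCH as a bound parameter. The `docs` table, its `title`/`body` columns and the rows are constructed sample data.

```python
import sqlite3

def fts5_phrase(user_input: str) -> str:
    """Whole input as one phrase: wrap in double quotes, doubling any
    embedded double quote (the same rule SQL uses for ' in literals)."""
    return '"' + user_input.replace('"', '""') + '"'

def fts5_terms(user_input: str) -> str:
    """Input as whitespace-separated terms joined by FTS5's implicit AND.
    Each term is quoted on its own, so AND/OR/NOT, the prefix '*', column
    filters and parentheses are looked up as plain tokens, never parsed."""
    return " ".join(fts5_phrase(t) for t in user_input.split())

def search(conn, user_input, phrase=False):
    """Run MATCH with the constructed expression as a bound parameter.
    Whitespace-only input is rejected up front: '' is an FTS5 syntax error."""
    if not user_input.split():
        return []
    expr = fts5_phrase(user_input) if phrase else fts5_terms(user_input)
    rows = conn.execute(
        "SELECT title FROM docs WHERE docs MATCH ? ORDER BY rowid", (expr,))
    return [title for (title,) in rows]

def demo():
    """Constructed sample table (assumed names); returns None if this
    SQLite build was compiled without FTS5."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE VIRTUAL TABLE docs USING fts5(title, body)")
    except sqlite3.OperationalError:
        return None
    conn.executemany("INSERT INTO docs VALUES (?, ?)", [
        ("alpha", "cats and dogs"),
        ("beta", "cats or dogs"),
        ("gamma", 'the word "dogs" only'),
    ])
    user_input = "cats AND dogs"
    # Raw pass-through: the user drives the FTS5 grammar, so AND is an operator.
    raw = [t for (t,) in conn.execute(
        "SELECT title FROM docs WHERE docs MATCH ? ORDER BY rowid", (user_input,))]
    return {
        "raw": raw,                                          # ['alpha', 'beta']
        "terms": search(conn, user_input),                   # ['alpha']: AND is a literal token
        "phrase": search(conn, '"dogs" only', phrase=True),  # ['gamma']
        "unbalanced": search(conn, 'cats "dogs'),            # no syntax error: ['alpha', 'beta']
    }
```

Raw `cats "dogs` would fail with an unterminated-string syntax error; the quoted form simply searches for the tokens `cats` and `dogs`.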





> Thanks
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
