Thanks for the details, Dan.

On Sat, 21 Dec 2019 at 18:40, Dan Kennedy <danielk1...@gmail.com> wrote:

>
> On 20/12/62 22:03, test user wrote:
> > Hello,
> >
> > I have a search box on a website that uses FTS5/MATCH.
> >
> > MATCH seems to take its own custom language for matching.
> >
> > 1. Is it safe to just pass the user's query to MATCH via the SQLite bind
> > FFI?
>
> Users could specify a query that uses excessive resources. In
> particular, prefix searches for very common prefixes on large databases
> can use a lot of memory. I think it's otherwise safe though.
>
> > - This would give them full access to the FTS5 matching language.
> >
> > 2. If not, how should I be sanitising user input?
> >
> > - E.g. How can I transform a string of words and text into a query? What
> > characters should I be removing or escaping? How can I prevent them using
> > the FTS5 keywords "AND" "OR" etc?
> It really depends on what you want to allow. And how you want the query
> interpreted. If you want all input to be treated as a single phrase,
> enclose it in double-quotes, doubling any embedded " characters SQL
> style. Or, if you wanted the input treated as a list of terms separated
> by implicit AND, split the input on whitespace and then enclose each
> term in double-quotes. Details here:
>
>    https://www.sqlite.org/fts5.html#full_text_query_syntax
>
> Dan.
>
> >
> > Thanks
> > _______________________________________________
> > sqlite-users mailing list
> > sqlite-users@mailinglists.sqlite.org
> > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
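The two approaches Dan describes, worked through against an in-memory FTS5 table, as an added example that is not code from the thread or from SQLite itself. It quotes the whole input as one phrase (doubling embedded `"`), or quotes each whitespace-separated word so the words are joined by FTS5's implicit AND, and contrasts both with handing the raw input to MATCH. The `docs` table, its three rows, and the `max_terms` / `MAX_LEN` limits (a cheap cap against the resource-heavy queries Dan mentions) are this example's own assumptions.

```python
"""Building an FTS5 MATCH query from untrusted search-box input.

Added example (not from the sqlite-users thread or SQLite). Table name,
sample rows and the size limits are assumptions made for the demo.
"""
import sqlite3

MAX_LEN = 200  # assumed cap on raw input length before it reaches MATCH


def fts5_phrase(text: str) -> str:
    """Quote `text` as one FTS5 phrase (Dan's first approach).

    Inside double quotes nothing is parsed as query syntax: AND/OR/NOT,
    NEAR(), the `column:` filter and a trailing prefix `*` are all plain
    string content handed to the tokenizer. The only character that needs
    care is `"`, escaped SQL-style by doubling it.
    """
    return '"' + text.replace('"', '""') + '"'


def fts5_terms(text: str, max_terms: int = 8) -> str:
    """Quote each word as its own phrase (Dan's second approach).

    Adjacent phrases are an implicit AND, so every word must be present, in
    any order. `max_terms` (assumed) bounds query width. Returns '' when
    there are no words; callers must not pass '' to MATCH.
    """
    words = text.split()[:max_terms]
    return " ".join(fts5_phrase(w) for w in words)


def _run(conn, query):
    rows = conn.execute(
        "SELECT rowid FROM docs WHERE docs MATCH ? ORDER BY rank", (query,)
    )
    return [r[0] for r in rows]


def search_raw(conn, user_input):
    """What the question asks about: the input goes to MATCH unchanged.

    The user gets the whole query language, including operators, prefix
    queries such as `a*`, and syntax errors (sqlite3.OperationalError).
    """
    return _run(conn, user_input)


def search_phrase(conn, user_input):
    """Whole input as one phrase: words must appear adjacent and in order."""
    words = user_input[:MAX_LEN].split()
    if not words:
        return []
    return _run(conn, fts5_phrase(" ".join(words)))


def search_terms(conn, user_input):
    """Each word quoted separately: all must appear, in any order."""
    query = fts5_terms(user_input[:MAX_LEN])
    if not query:
        return []
    return _run(conn, query)


def fts5_available() -> bool:
    """True if this Python's SQLite was built with the FTS5 extension."""
    try:
        sqlite3.connect(":memory:").execute("CREATE VIRTUAL TABLE t USING fts5(x)")
        return True
    except sqlite3.OperationalError:
        return False


def build_demo_db():
    """In-memory FTS5 table with three constructed rows (demo data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE VIRTUAL TABLE docs USING fts5(body)")
    conn.executemany(
        "INSERT INTO docs(rowid, body) VALUES (?, ?)",
        [
            (1, "alice said hi to bob"),
            (2, "bob wrote a long report"),
            (3, "carol reviewed the report and said hi"),
        ],
    )
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    user_input = "hi OR report"
    print("raw   :", search_raw(conn, user_input))    # OR is an operator
    print("terms :", search_terms(conn, user_input))  # "OR" is just a word
    print("phrase:", search_phrase(conn, "said hi"))  # adjacent words only
    try:
        search_raw(conn, 'unbalanced"')
    except sqlite3.OperationalError as e:
        print("raw syntax error:", e)
    print("terms :", search_terms(conn, 'unbalanced"'))  # quoted, no error
```

The query string is still passed to MATCH as a bound parameter; the quoting is about the FTS5 query grammar, not SQL injection, which binding already prevents. Note that `fts5_terms("hi OR report")` produces `"hi" "OR" "report"`, so an uppercase `OR` from the user becomes a word to match rather than an operator.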
