There are a few areas to cover:

Sphinx Searching
- does not use SQL, and cannot modify data, so this is safe.

Underlying searches for ActiveRecord objects, using search results from Sphinx
- Uses hash arguments in #find calls - which ActiveRecord sanitises, I'm pretty certain
- Can pass arguments to :order option if using :sql_order in your search calls. Does AR sanitise :order?

Sphinx Indexing
- Uses SQL statements
- Only defined within a define_index block - so you'd have to have some Ruby injection happening to have any effect on that (to change the sql contents and then regenerate the config file and re-index Sphinx).

--
Pat

On 04/06/2009, at 12:47 AM, anatoly wrote:

> I'm reviewing security in general for my site. One thing I am not
> sure about yet is whether there is any sanitation / sql injection
> counter measures within TS. Would like to hear any tips on this
> topic, with respect to searching with TS. Many thanks.
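The :sql_order point above is the one place in the thread where user input can reach an ActiveRecord :order clause, so the usual defence is to allowlist the sort parameter before it gets there. The following is an added example, not code from the thread or from Thinking Sphinx; the column map, the Article model and the params names are constructed for illustration.

```ruby
# Added example (not from the thread or the Thinking Sphinx code base):
# allowlist a user-supplied sort parameter before it reaches :sql_order,
# because that value is handed straight through to ActiveRecord's :order.

# Columns a user may sort by, mapped to the SQL expression each stands for.
# Constructed for this example; use the real sortable columns of your model.
SORTABLE_COLUMNS = {
  "created_at" => "articles.created_at",
  "title"      => "articles.title",
  "views"      => "articles.view_count",
}.freeze

DIRECTIONS = { "asc" => "ASC", "desc" => "DESC" }.freeze

# Build an ORDER BY fragment from a param such as "views desc".
# Anything that does not match the allowlist exactly falls back to the
# default; no part of the user-supplied string is ever interpolated.
def safe_sql_order(param, default: "articles.created_at DESC")
  return default if param.nil?

  field, direction = param.to_s.strip.downcase.split(/\s+/, 2)
  column = SORTABLE_COLUMNS[field]
  dir    = DIRECTIONS[direction || "asc"]
  return default unless column && dir

  "#{column} #{dir}"
end

# Hypothetical use with Thinking Sphinx's :sql_order (the search is not run here):
#   Article.search(params[:q], :sql_order => safe_sql_order(params[:order]))
```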
