Safe usage of tsearch2: to_tsquery('<user input>')

Started by cluster, 18 years ago; 3 messages; list: general
#1 cluster
skrald@amossen.dk

In a web application I would like to use tsearch2 to search for by-user
entered key words. That is, the user provides the keywords in a space
separated list in some input text field. For that I use
to_tsquery('<user keywords>') but I would like to do this in a safe way
so that the user cannot misuse to_tsquery() by entering some harmful string.
That is, a user input like
"cars ford fast"
should be translated to
"to_tsquery('cars|ford|fast')"
in a safe way.

How can I do that?

(I use postgresql from PHP)

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: cluster (#1)
Re: Safe usage of tsearch2: to_tsquery('<user input>')

cluster <skrald@amossen.dk> writes:

> In a web application I would like to use tsearch2 to search for by-user
> entered key words. That is, the user provides the keywords in a space
> separated list in some input text field. For that I use
> to_tsquery('<user keywords>') but I would like to do this in a safe way
> so that the user cannot misuse to_tsquery() by entering some harmful string.

Isn't plainto_tsquery() what you're looking for?

regards, tom lane
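Tom's suggestion worked through as an added example (not code from the thread), using the in-core full text search syntax of PostgreSQL 8.3 and later rather than the tsearch2 contrib module; the table `docs`, its tsvector column `body_tsv` and the `english` configuration are assumed. Note that plainto_tsquery() joins the words with & (all terms must match), not with | as the first message asked for, and the user string is still passed as a bind parameter rather than spliced into the SQL.

```sql
-- Added example, not from the thread. Assumed names: table docs, tsvector column body_tsv.
-- Handing raw user text to to_tsquery() means it is parsed as tsquery syntax:
-- whitespace-separated words, stray operators or unbalanced parentheses raise errors.
SELECT to_tsquery('english', 'cars ford fast');    -- ERROR: syntax error in tsquery
SELECT to_tsquery('english', 'cars | ford | (');   -- ERROR: syntax error in tsquery

-- plainto_tsquery() treats the string as plain text: it tokenizes, stems and
-- drops stop words, ignoring operator characters, and ANDs the remaining lexemes.
SELECT plainto_tsquery('english', 'cars ford fast');   -- 'car' & 'ford' & 'fast'
SELECT plainto_tsquery('english', 'cars | ford | (');  -- 'car' & 'ford'
SELECT plainto_tsquery('english', 'the and of');       -- empty query (all stop words)

-- In the application the keyword string is bound as $1 (from PHP: pg_query_params),
-- so it never becomes part of the SQL text; only tsquery parsing sees it, and
-- plainto_tsquery() cannot be made to raise a syntax error by user input.
SELECT id, title
FROM docs
WHERE body_tsv @@ plainto_tsquery('english', $1)
ORDER BY ts_rank(body_tsv, plainto_tsquery('english', $1)) DESC
LIMIT 20;
```

An empty result from plainto_tsquery() (input made only of stop words or operator characters) matches nothing, so the application should check the string before running the search rather than treating it as an error.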

#3 cluster
skrald@amossen.dk
In reply to: Tom Lane (#2)
Re: Safe usage of tsearch2: to_tsquery('<user input>')

> Isn't plainto_tsquery() what you're looking for?

Yes, if plainto_tsquery() is safe enough for inputting user search
keywords, it looks like it is. I didn't know it existed.

Thanks