Thread: Safe usage of tsearch2: to_tsquery('')
In a web application I would like to use tsearch2 to search for user-entered keywords. That is, the user provides the keywords in a space-separated list in some input text field. For that I use to_tsquery('<user keywords>'), but I would like to do this in a safe way so that the user cannot misuse to_tsquery() by entering some harmful string. That is, a user input like "cars ford fast" should be translated to "to_tsquery('cars|ford|fast')" in a safe way. How can I do that? (I use PostgreSQL from PHP)
cluster <skrald@amossen.dk> writes:
> In a web application I would like to use tsearch2 to search for by-user
> entered key words. That is, the user provides the keywords in a space
> separated list in some input text field. For that I use
> to_tsquery('<user keywords>') but I would like to do this in a safe way
> so that the user cannot misuse to_tsquery() by entering some harmful string.

Isn't plainto_tsquery() what you're looking for?

regards, tom lane
> Isn't plainto_tsquery() what you're looking for?

Yes, if plainto_tsquery() is safe enough for inputting user search keywords; it looks like it is. I didn't know it existed. Thanks
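plainto_tsquery() ANDs the words together, whereas the original question wanted "cars ford fast" turned into an OR query. The following added example (not code from this thread) shows the other safe route: reduce user input to plain word tokens so no tsquery operator syntax survives, quote each token as a lexeme, and pass the result as a bind parameter rather than concatenating it into the SQL. The `docs` table, its `tsv` column and the psycopg2-style `%s` placeholder are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Only word characters survive, so tsquery operators (& | ! ( ) : * and quotes)
# typed by the user can never reach the tsquery parser.
_TERM_RE = re.compile(r"\w+", re.UNICODE)

MAX_TERMS = 20  # assumed cap: bounds the size of a query built from user input


def extract_terms(user_input: str, max_terms: int = MAX_TERMS) -> List[str]:
    """Split raw user input into plain word tokens, dropping punctuation and operators."""
    seen = set()
    unique: List[str] = []
    for term in _TERM_RE.findall(user_input):
        key = term.lower()
        if key not in seen:          # de-duplicate, keep first spelling and order
            seen.add(key)
            unique.append(term)
    return unique[:max_terms]


def build_or_tsquery(user_input: str) -> str:
    """Return tsquery text such as 'cars' | 'ford' | 'fast'; '' when nothing usable remains."""
    # Each token is quoted as a tsquery lexeme. Because only \w characters are kept,
    # no quote or backslash escaping inside the lexeme is ever needed.
    return " | ".join(f"'{t}'" for t in extract_terms(user_input))


def search_statement(user_input: str) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Parameterised statement: the tsquery text is a bind value, never string-concatenated.

    Returns None when the input contains no usable term, since to_tsquery('')
    would only yield an empty query (and a NOTICE) that matches nothing.
    """
    query_text = build_or_tsquery(user_input)
    if not query_text:
        return None
    sql = "SELECT id, title FROM docs WHERE tsv @@ to_tsquery('english', %s)"  # assumed schema
    return sql, (query_text,)


if __name__ == "__main__":
    print(search_statement("cars ford fast"))
    print(search_statement("cars & !ford | (fast:*)"))   # operators are discarded
    print(search_statement("!!! ()"))                   # nothing usable -> None
```

With a DB-API driver the tuple is used as `cur.execute(sql, params)`, so the same quoting discipline that protects the SQL layer also covers the tsquery layer.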