From 0215fdd26254d36ee3ce491a5afb47d6fa97f5a3 Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Wed, 8 Apr 2020 14:52:21 +1200 Subject: [PATCH] DOC Clarify sanitisation in searchEngine() under boolean mode This came up in https://github.com/silverstripe/silverstripe-cms/issues/1452, and wasn't fully addressed. Either we allow boolean mode and all the constraints this brings around special character usage, or we filter out those special characters, which makes boolean mode pointless. You can't just pass arbitrary user input in a power-user function like this. See https://dev.mysql.com/doc/refman/5.6/en/fulltext-boolean.html Context: This used to work for some examples like "foo>*" under MyISAM, presumably because it had a more lenient parser. InnoDB rightfully complains about this now. --- src/ORM/Connect/MySQLDatabase.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/ORM/Connect/MySQLDatabase.php b/src/ORM/Connect/MySQLDatabase.php index c19004885..7469e4292 100644 --- a/src/ORM/Connect/MySQLDatabase.php +++ b/src/ORM/Connect/MySQLDatabase.php @@ -144,6 +144,12 @@ class MySQLDatabase extends Database implements TransactionManager * The core search engine, used by this class and its subclasses to do fun stuff. * Searches both SiteTree and File. * + * Caution: While the $keywords argument is escaped for safe use in a query context, + * you need to ensure that it is also a valid boolean expression when opting into $booleanSearch. + * For example, the "asterisk" and "greater than" characters have a special meaning in this context, + * and can only be placed in certain parts of the keywords. You will need to preprocess and sanitise + * user input accordingly in order to avoid query errors. + * * @param array $classesToSearch * @param string $keywords Keywords as a string. * @param int $start
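Review bot: The new docblock paragraph tells callers to "preprocess and sanitise user input" but gives them nothing to validate against, while the commit message already has both the reference (https://dev.mysql.com/doc/refman/5.6/en/fulltext-boolean.html) and a concrete failing input ("foo>*", which MyISAM tolerated and InnoDB rejects); both belong in the docblock, where a caller will actually see them. Suggest adding a `@see https://dev.mysql.com/doc/refman/5.6/en/fulltext-boolean.html` line below the paragraph, quoting "foo>*" as the example of a rejected expression, and stating explicitly that the escaping only keeps $keywords from breaking out of the query context and does not make it a syntactically valid boolean expression, so unvalidated user input passed with $booleanSearch enabled results in a query error.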