mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
DOC Clarify sanitisation in searchEngine() under boolean mode
This came up in https://github.com/silverstripe/silverstripe-cms/issues/1452, and wasn't fully addressed. Either we allow boolean mode and all the constraints this brings around special character usage, or we filter out those special characters, which makes boolean mode pointless. You can't just pass arbitrary user input in a power-user function like this.

See https://dev.mysql.com/doc/refman/5.6/en/fulltext-boolean.html

Context: This used to work for some examples like "foo>*" under MyISAM, presumably because it had a more lenient parser. InnoDB rightfully complains about this now.
This commit is contained in:
parent
c6b698cb02
commit
0215fdd262
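As an added illustration of the preprocessing the commit message calls for (not code from SilverStripe or from this commit), here is a hypothetical helper that reduces untrusted keywords to a well-formed boolean-mode expression before they reach searchEngine(); the function name, its option and its behaviour are assumptions, and the inputs at the bottom are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Rewrite untrusted keywords into a well-formed MySQL boolean-mode expression.
 * Hypothetical helper; not part of SilverStripe's searchEngine().
 *
 * With $allowOperators = false every boolean-mode operator is discarded.
 * With $allowOperators = true only a single leading "+" or "-" and a single
 * trailing "*" per term are kept, which are the positions MySQL accepts them in;
 * "<", ">", "~", "(", ")", '"' and "@" are always removed.
 */
function sanitiseBooleanKeywords(string $keywords, bool $allowOperators = false): string
{
    $terms = [];
    // Split on whitespace; each chunk is treated as one candidate term.
    foreach (preg_split('/\s+/u', trim($keywords)) ?: [] as $chunk) {
        if ($chunk === '') {
            continue;
        }
        $prefix = '';
        $suffix = '';
        if ($allowOperators) {
            // Keep at most one leading required/excluded marker ...
            if ($chunk[0] === '+' || $chunk[0] === '-') {
                $prefix = $chunk[0];
            }
            // ... and at most one trailing wildcard.
            if (substr($chunk, -1) === '*') {
                $suffix = '*';
            }
        }
        // Reduce the term to letters, digits and underscores. This drops every
        // operator character, including misplaced ones such as ">" in "foo>*".
        $word = preg_replace('/[^\p{L}\p{N}_]+/u', '', $chunk);
        if ($word === '') {
            continue; // chunk consisted only of operators, e.g. "+" or "*"
        }
        $terms[] = $prefix . $word . $suffix;
    }
    return implode(' ', $terms);
}

// Constructed inputs, including the "foo>*" case from the commit message.
echo sanitiseBooleanKeywords('foo>*'), PHP_EOL;
echo sanitiseBooleanKeywords('foo>*', true), PHP_EOL;
echo sanitiseBooleanKeywords('+silver -stripe "a b" (tree @3 file)', true), PHP_EOL;
```

The strict default is the right choice for an arbitrary search box; the operator-preserving mode is only for callers that deliberately expose "+", "-" and trailing "*" to their users.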
@ -144,6 +144,12 @@ class MySQLDatabase extends Database implements TransactionManager
|
|||||||
* The core search engine, used by this class and its subclasses to do fun stuff.
|
* The core search engine, used by this class and its subclasses to do fun stuff.
|
||||||
* Searches both SiteTree and File.
|
* Searches both SiteTree and File.
|
||||||
*
|
*
|
||||||
|
* Caution: While the $keywords argument is escaped for safe use in a query context,
|
||||||
|
* you need to ensure that it is also a valid boolean expression when opting into $booleanSearch.
|
||||||
|
* For example, the "asterisk" and "greater than" characters have a special meaning in this context,
|
||||||
|
* and can only be placed in certain parts of the keywords. You will need to preprocess and sanitise
|
||||||
|
* user input accordingly in order to avoid query errors.
|
||||||
|
*
|
||||||
* @param array $classesToSearch
|
* @param array $classesToSearch
|
||||||
* @param string $keywords Keywords as a string.
|
* @param string $keywords Keywords as a string.
|
||||||
* @param int $start
|
* @param int $start
|
||||||
|
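Review bot: the new caution paragraph tells callers to preprocess and sanitise input when opting into $booleanSearch, but it names only two of the operator characters ("asterisk" and "greater than") and gives no pointer to the full set; add an @see to the MySQL boolean full-text documentation linked in the commit message, and state the failure mode plainly, i.e. an invalid expression produces a query error rather than a narrower result set. It would also help to echo the constraint on the `@param string $keywords Keywords as a string.` line, since that is what IDEs and generated API docs surface first.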