DOC Clarify sanitisation in searchEngine() under boolean mode

This came up in https://github.com/silverstripe/silverstripe-cms/issues/1452, and wasn't fully addressed.
Either we allow boolean mode and all the constraints this brings around special character usage,
or we filter out those special characters, which makes boolean mode pointless.
You can't just pass arbitrary user input in a power-user function like this.
See https://dev.mysql.com/doc/refman/5.6/en/fulltext-boolean.html

Context: This used to work for some examples like "foo>*" under MyISAM,
presumably because it had a more lenient parser. InnoDB rightfully complains about this now.
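The commit message above leaves the filtering to the caller: boolean mode stays enabled, so anyone passing user input into searchEngine() with $booleanSearch set has to reduce it to a valid boolean expression first. The following PHP is an added example of such a pre-filter; it is not code from this commit or from SilverStripe, and the function name sanitiseBooleanKeywords and its allow-list policy (one optional leading operator from + - < > ~, a run of word characters, an optional trailing asterisk, and double-quoted phrases reduced to plain words) are my own choices. It deliberately drops parentheses and the @distance operator rather than trying to validate their nesting.

```php
<?php
/**
 * Reduce arbitrary user input to a MySQL boolean-mode fulltext expression
 * that InnoDB will accept. Added example, not SilverStripe code.
 *
 * Policy (an assumption of this example, not a MySQL requirement):
 *   - "quoted phrases" are kept, but stripped to letters, digits and spaces
 *   - each bare term may carry at most one leading operator (+ - < > ~)
 *   - a term may end in a single '*' (truncation); a '*' anywhere else is cut off
 *   - parentheses, @distance and stray operator characters are discarded
 */
function sanitiseBooleanKeywords(string $input): string
{
    $terms = [];

    // Pull out quoted phrases first so their contents are never parsed as operators.
    $input = preg_replace_callback('/"([^"]*)"/u', function (array $m) use (&$terms): string {
        $phrase = preg_replace('/[^\p{L}\p{N}\s]+/u', ' ', $m[1]);
        $phrase = trim(preg_replace('/\s+/u', ' ', $phrase));
        if ($phrase !== '') {
            $terms[] = '"' . $phrase . '"';
        }
        return ' '; // leave a separator so neighbouring terms don't fuse
    }, $input);

    // Bare terms: optional operator, then the first run of word characters,
    // then an optional trailing '*'. Anything else in the token is dropped,
    // which turns the "foo>*" case from the commit message into "foo*".
    $pattern = '/^([+\-<>~]?)[^\p{L}\p{N}]*([\p{L}\p{N}_]+)[^\p{L}\p{N}*]*(\*?)/u';
    foreach (preg_split('/\s+/u', $input, -1, PREG_SPLIT_NO_EMPTY) as $token) {
        if (preg_match($pattern, $token, $m)) {
            $terms[] = $m[1] . $m[2] . $m[3];
        }
        // Tokens with no word characters at all (e.g. a lone '*' or ')') are skipped.
    }

    return implode(' ', $terms);
}

// Constructed inputs, including the "foo>*" example from the commit message.
foreach (['foo>*', '+foo -bar "hello, world"', '(foo bar)', '*', 'foo*bar'] as $in) {
    printf("%-28s => %s\n", var_export($in, true), sanitiseBooleanKeywords($in));
}
```

Tracing the regex by hand, 'foo>*' comes out as 'foo*' (the stray '>' between the word and the wildcard is consumed by the `[^\p{L}\p{N}*]*` class), and 'foo*bar' is cut to 'foo*' because the example treats an embedded asterisk as the end of the term. Callers who need grouping or proximity search would have to extend the allow-list rather than loosen it; the point is that only expressions the parser is known to accept reach the query.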
Ingo Schommer 2020-04-08 14:52:21 +12:00
parent c6b698cb02
commit 0215fdd262


@ -144,6 +144,12 @@ class MySQLDatabase extends Database implements TransactionManager
* The core search engine, used by this class and its subclasses to do fun stuff.
* Searches both SiteTree and File.
*
* Caution: While the $keywords argument is escaped for safe use in a query context,
* you need to ensure that it is also a valid boolean expression when opting into $booleanSearch.
* For example, the "asterisk" and "greater than" characters have a special meaning in this context,
* and can only be placed in certain parts of the keywords. You will need to preprocess and sanitise
* user input accordingly in order to avoid query errors.
*
* @param array $classesToSearch
* @param string $keywords Keywords as a string.
* @param int $start
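Review bot: the new caution names only the asterisk and greater-than characters, but MySQL boolean mode reserves several more (+, -, <, ~, parentheses, double quotes and the @distance operator), so a caller who follows this note literally will still hand InnoDB an invalid expression; either list the full operator set here or link the fulltext-boolean page from the commit message directly in the docblock. The phrase "escaped for safe use in a query context" would also be clearer if it said outright what escaping does and does not do: it prevents injection, but it does not remove operators, and an operator in the wrong place still raises a database error under InnoDB (the "foo>*" case from the commit message is a good concrete example to cite in the docblock).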