Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Passing args to select expression #56

Open
plumdog opened this issue May 3, 2016 · 0 comments
Open

Passing args to select expression #56

plumdog opened this issue May 3, 2016 · 0 comments

Comments

@plumdog
Copy link
Contributor

plumdog commented May 3, 2016

I'm using PostgreSQL's full text searching and so I want to add something like:

SELECT ts_rank_cd("search_field", plainto_tsquery('english', 'search term from user')) FROM ...

to my query.

But I want to be able to pass "search term from user" as an argument, rather than putting it into the string.

So far I have:

class TextSearchField(AggregateField):
    function_name = 'ts_rank_cd'

    def __init__(self, field, search, table=None, alias=None, cast=None, distinct=None, over=None):
        super(TextSearchField, self).__init__(field, table, alias, cast, distinct, over)
        self.search = search

    def get_field_identifier(self):
        # TODO: make this not be sql injectable please
        return '{field}, plainto_tsquery(\'english\', \'{ts_query}\')'.format(field=self.field.get_select_sql(), ts_query=self.search)

Which is fine, except that it is SQL injectable because the search term is taken from user input. I could go down the route of escaping things and putting it straight into the string, but I would far rather not.
I can see that where clauses keep track of their arguments and then these are passed along with the SQL string, but what about other expressions and things that don't appear in a where clause? I couldn't see any code that pointed me towards a solution, but perhaps I'm not looking in the right places. Perhaps it should be possible to register some args when creating a field that a table can the find? I'm happy to have a go at this, but would like to know if there's a better way before I get too far into it.

For what it's worth, this is appearing in a select in a nested query, then an outer query is ordering by the search rank and limiting to only get things that are above a certain matching threshold.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant