You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
SELECT ts_rank_cd("search_field", plainto_tsquery('english', 'search term from user')) FROM ...
to my query.
But I want to be able to pass "search term from user" as an argument, rather than putting it into the string.
So far I have:
classTextSearchField(AggregateField):
function_name='ts_rank_cd'def__init__(self, field, search, table=None, alias=None, cast=None, distinct=None, over=None):
super(TextSearchField, self).__init__(field, table, alias, cast, distinct, over)
self.search=searchdefget_field_identifier(self):
# TODO: make this not be sql injectable pleasereturn'{field}, plainto_tsquery(\'english\', \'{ts_query}\')'.format(field=self.field.get_select_sql(), ts_query=self.search)
Which is fine, except that it is SQL injectable because the search term is taken from user input. I could go down the route of escaping things and putting it straight into the string, but I would far rather not.
I can see that where clauses keep track of their arguments and then these are passed along with the SQL string, but what about other expressions and things that don't appear in a where clause? I couldn't see any code that pointed me towards a solution, but perhaps I'm not looking in the right places. Perhaps it should be possible to register some args when creating a field that a table can the find? I'm happy to have a go at this, but would like to know if there's a better way before I get too far into it.
For what it's worth, this is appearing in a select in a nested query, then an outer query is ordering by the search rank and limiting to only get things that are above a certain matching threshold.
The text was updated successfully, but these errors were encountered:
I'm using PostgreSQL's full text searching and so I want to add something like:
to my query.
But I want to be able to pass
"search term from user"
as an argument, rather than putting it into the string.So far I have:
Which is fine, except that it is SQL injectable because the search term is taken from user input. I could go down the route of escaping things and putting it straight into the string, but I would far rather not.
I can see that where clauses keep track of their arguments and then these are passed along with the SQL string, but what about other expressions and things that don't appear in a where clause? I couldn't see any code that pointed me towards a solution, but perhaps I'm not looking in the right places. Perhaps it should be possible to register some args when creating a field that a table can the find? I'm happy to have a go at this, but would like to know if there's a better way before I get too far into it.
For what it's worth, this is appearing in a select in a nested query, then an outer query is ordering by the search rank and limiting to only get things that are above a certain matching threshold.
The text was updated successfully, but these errors were encountered: