sanitize raw GET requests for search method

[d47081]

I'm worried about injections in app that using following code:

$client = new \Manticoresearch\Client();

$index = $client->index(
    'documents'
);

$index->search($_GET['query'])

Can I safely use search method with raw HTTP requests or some filtering methods required there?

Thanks!

[sanikolaev]

I think it's better to use the escape() method.

[sanikolaev]

Could you please advice how to properly use escape method?

@Nick-S-2018 can you advise on this?

[d47081]

I found that Utils::escape is trait not regular static method - so this notice related to PHP syntax, but I have no experience with that

[Nick-S-2018]

@d47081 Hi, we've fixed the issue with the deprecated escape call in the dev client version.
Now you can simply use it like this:

  $query = $index->search(
        $index::escape($q)
  );

[d47081]

Thanks, but it's not work

 Fatal error: Uncaught Error: Call to undefined method Manticoresearch\Index::escape() in /var/www/YGGverse/Yo/src/webui/search.php:137 Stack trace: #0 {main} thrown in /var/www/YGGverse/Yo/src/webui/search.php on line 137

Here is current implementation with trait notice silentized:
https://github.com/YGGverse/Yo/blob/main/src/webui/search.php#L134

I think that escape method can't work with index object or can?

[Nick-S-2018]

@d47081
It should work fine. Can you please reproduce the following minimal example and see the result? Just replace, if necessary, the path to the vendor dir and the config values to the ones you use.

require_once __DIR__ . '/vendor/autoload.php';

$config = [
	'host' => '127.0.0.1',
	'port' => 9308
];
$client = new \Manticoresearch\Client($config);
$index = $client->index('t');
$index->drop(true);
$index->create([
	'f' => ['type' => 'text'],
]);
$query = $index->search(
	$index::escape('(test)')
);
print_r($query->get());