From a07f47c0f7054f54576b85e8f534ae473fb7912b Mon Sep 17 00:00:00 2001
From: Magnus Hoff
Date: Tue, 24 Oct 2017 21:20:55 +0200
Subject: [PATCH] Implement quoting for the FTS search syntax of SQLite

This makes search queries safe for user input
---
 src/state.rs | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/state.rs b/src/state.rs
index be25daa..334eef4 100644
--- a/src/state.rs
+++ b/src/state.rs
@@ -327,14 +327,20 @@ impl State {
         use diesel::expression::sql_literal::sql;
         use diesel::types::Text;
 
+        fn fts_quote(src: &str) -> String {
+            format!("\"{}\"", src.replace('\"', "\"\""))
+        }
+
+        let query = fts_quote(&query_string);
+
         Ok(
         sql::<(Text, Text, Text)>(
             "SELECT title, snippet(article_search, 1, '', '', '\u{2026}', 8), slug \
             FROM article_search \
-            WHERE article_search MATCH ?
+            WHERE article_search MATCH ? \
             ORDER BY rank"
         )
-        .bind::(query_string)
+        .bind::(query)
         .load(&*connection_pool.get()?)?)
     })
 }
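Review bot: `fts_quote` carries no comment stating why wrapping the input in double quotes is sufficient, so a reader has to know the FTS5 string grammar to trust that the search is now safe; I would add `/// Quote \`src\` as a single FTS5 phrase string: inside a double-quoted FTS5 string the only special character is \`"\`, escaped by doubling, so query operators in user input (AND/OR/NOT/NEAR, \`*\`, \`-\`, \`column:\`) are matched literally instead of being parsed.` Note that the SQL value itself was already bound through `?` before this change, so what the commit closes is MATCH-syntax injection (malformed or over-broad full-text queries), not SQL injection. Two hedged points: an empty or whitespace-only `query_string` becomes the literal `""`, and it is worth confirming whether the FTS table treats an empty phrase as an error or as no rows and short-circuiting with an empty result before touching the database; and because the whole input becomes one phrase, `foo bar` only matches those tokens adjacently, so if term-wise matching was intended, quote each term separately, e.g. `query_string.split_whitespace().map(fts_quote).collect::<Vec<_>>().join(" ")`. The enclosing method starts before the hunk and the `.bind::` type parameter appears lost in rendering, so I have not assessed the bound type.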