serv/surwiki
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Implement quoting for the FTS search syntax of SQLite

Browse source 
This makes search queries safe for user input
This commit is contained in:
Magnus Hoff 2017-10-24 21:20:55 +02:00
parent 5273402d4d
commit a07f47c0f7
1 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/state.rs
View file

@ -327,14 +327,20 @@ impl State {
use diesel::expression::sql_literal::sql; use diesel::expression::sql_literal::sql;
use diesel::types::Text; use diesel::types::Text;
fn fts_quote(src: &str) -> String {
format!("\"{}\"", src.replace('\"', "\"\""))
}
let query = fts_quote(&query_string);
Ok( Ok(
sql::<(Text, Text, Text)>( sql::<(Text, Text, Text)>(
"SELECT title, snippet(article_search, 1, '', '', '\u{2026}', 8), slug \ "SELECT title, snippet(article_search, 1, '', '', '\u{2026}', 8), slug \
FROM article_search \ FROM article_search \
WHERE article_search MATCH ? WHERE article_search MATCH ? \
ORDER BY rank" ORDER BY rank"
) )
.bind::<Text, _>(query_string) .bind::<Text, _>(query)
.load(&*connection_pool.get()?)?) .load(&*connection_pool.get()?)?)
}) })
} }