add quoting and validation to search assets
This commit is contained in:
parent
a6a10d976a
commit
a199bfd5d0
1 changed files with 19 additions and 9 deletions
|
|
@ -360,9 +360,13 @@ as a WHERE clause. Does not return WHERE, as you could also use it for HAVING
|
||||||
sub getSqlFromQueryString {
|
sub getSqlFromQueryString {
|
||||||
my ( $self, $queryString ) = @_;
|
my ( $self, $queryString ) = @_;
|
||||||
|
|
||||||
|
my $dbh = $self->session->db->dbh;
|
||||||
my $sqp = Search::QueryParser->new( defField => 'keywords' );
|
my $sqp = Search::QueryParser->new( defField => 'keywords' );
|
||||||
my $query = $sqp->parse( $queryString );
|
my $query = $sqp->parse( $queryString );
|
||||||
|
|
||||||
|
my %isValidOp;
|
||||||
|
@isValidOp{qw( = != < > <= >= : )} = 1;
|
||||||
|
|
||||||
# Recursion is recursive
|
# Recursion is recursive
|
||||||
my $part = sub {
|
my $part = sub {
|
||||||
my ( $query, $conj ) = @_;
|
my ( $query, $conj ) = @_;
|
||||||
|
|
@ -372,20 +376,26 @@ sub getSqlFromQueryString {
|
||||||
push @parts, $self->getSqlFromQueryString( $_ );
|
push @parts, $self->getSqlFromQueryString( $_ );
|
||||||
}
|
}
|
||||||
elsif ( $part->{field} eq 'keywords' ) {
|
elsif ( $part->{field} eq 'keywords' ) {
|
||||||
push @parts, "MATCH ($part->{field}) AGAINST ('"
|
push @parts, "MATCH (" . $dbh->quote_identifier($part->{field}) . ") AGAINST ("
|
||||||
. $self->getKeywordString( $part->{value} )
|
. $dbh->quote( $self->getKeywordString( $part->{value} ) )
|
||||||
. "')";
|
. ")";
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
# TODO: Add op validation
|
next unless $isValidOp{ $part->{op} };
|
||||||
# TODO: Add field quoting
|
|
||||||
# TODO: Add value quoting
|
|
||||||
if ( $part->{op} eq ':' ) {
|
if ( $part->{op} eq ':' ) {
|
||||||
my $value = '%' . $part->{value} . '%';
|
my $value = '%' . $part->{value} . '%';
|
||||||
push @parts, "$part->{field} LIKE '$value'";
|
push @parts, join " ",
|
||||||
|
$dbh->quote_identifier($part->{field}),
|
||||||
|
'LIKE',
|
||||||
|
$dbh->quote($value),
|
||||||
|
;
|
||||||
}
|
}
|
||||||
else {
|
elsif {
|
||||||
push @parts, "$part->{field} $part->{op} '$part->{value}'"
|
push @parts, join " ",
|
||||||
|
$dbh->quote_identifier($part->{field}),
|
||||||
|
$part->{op},
|
||||||
|
$dbh->quote($part->{value}),
|
||||||
|
;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
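Review bot: The new `elsif {` that replaces `else {` after the `:`/LIKE branch is a syntax error — `elsif` needs a parenthesised condition — so the patched getSqlFromQueryString will not compile; it should remain `else {`. The `next unless $isValidOp{ $part->{op} };` guard silently drops a clause with an unrecognised operator, which can widen the resulting WHERE rather than reject the query; consider `croak "invalid operator '$part->{op}'"` (or collecting an error) so a malformed query fails instead of matching more rows. Also, `$dbh->quote` correctly escapes the LIKE value as a string, but `%` and `_` inside the user-supplied value still act as wildcards within the pattern — if a literal-substring match is intended, escape those characters before wrapping in `'%'`. The loop that `next` belongs to, and the rest of the `$part` closure, start outside the hunk.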