test user, on Friday, December 20, 2019 10:03 AM, wrote...

> Hello,
>
> I have a search box on a website that uses FTS5/MATCH.
>
> MATCH seems to take its own custom language for matching.
>
> 1. Is it safe to just pass the user's query to MATCH ? via the SQLite bind FFI?
>
>    - This would give them full access to the FTS5 matching language.
>
> 2. If not, how should I be sanitising user input?
>
>    - E.g. how can I transform a string of words and text into a query? What characters should I be removing or escaping? How can I prevent them using the FTS5 keywords "AND", "OR", etc.?
Have you taken a look at the FTS5 site[1]? It has lots of information there that may be helpful.

josé

[1] https://www.sqlite.org/fts5.html

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
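The approach the FTS5 documentation describes for the question above, shown as an added example that is not code from either participant in the thread: every whitespace-separated token of the user's text is turned into an FTS5 string literal (double-quoted, with any embedded `"` doubled), so `AND`, `OR`, `NOT`, `*`, `:` and parentheses lose their operator meaning, and the resulting expression is passed as a bind parameter to `MATCH ?`. The table name `docs`, the `body` column and the sample rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the demo (not from the original thread).
SAMPLE_DOCS = [
    "SQLite FTS5 supports phrase queries and prefix queries",
    "Use bind parameters, never string concatenation, for user input",
    "AND OR NOT are keywords in the FTS5 query language",
]


def fts5_quote_term(term: str) -> str:
    """Turn one user-supplied token into an FTS5 string literal.

    FTS5 strings are double-quoted; a literal double quote inside the
    string is written as two double quotes. A quoted token is always a
    plain phrase, so keywords and punctuation cannot act as operators.
    """
    return '"' + term.replace('"', '""') + '"'


def build_fts5_query(user_text: str) -> str:
    """Convert free text into a safe FTS5 MATCH expression.

    Adjacent quoted phrases are implicitly ANDed by FTS5, so the result
    means "all of these words". Tokens with no alphanumeric content are
    dropped: the tokenizer would reduce them to empty phrases anyway.
    Returns '' when nothing usable remains so the caller can skip the query.
    """
    tokens = [t for t in user_text.split() if any(ch.isalnum() for ch in t)]
    return " ".join(fts5_quote_term(t) for t in tokens)


def fts5_available() -> bool:
    """True if this Python's SQLite build has the FTS5 extension."""
    try:
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE VIRTUAL TABLE t USING fts5(x)")
        return True
    except sqlite3.OperationalError:
        return False


def search(conn: sqlite3.Connection, user_text: str) -> list:
    """Run a user search with the sanitised expression bound as data."""
    query = build_fts5_query(user_text)
    if not query:
        return []
    # The SQL text is constant; only the bound MATCH argument varies.
    rows = conn.execute("SELECT body FROM docs WHERE docs MATCH ?", (query,))
    return [r[0] for r in rows.fetchall()]


def search_raw(conn: sqlite3.Connection, user_text: str):
    """Pass the text straight to MATCH, as question 1 in the thread asks about.

    Binding still prevents SQL injection, but the user controls the FTS5
    expression itself: operators take effect and malformed input raises.
    Returns None on an FTS5 syntax error instead of propagating it.
    """
    try:
        rows = conn.execute("SELECT body FROM docs WHERE docs MATCH ?", (user_text,))
        return [r[0] for r in rows.fetchall()]
    except sqlite3.OperationalError:
        return None


def run_demo() -> dict:
    """Populate an in-memory FTS5 table and compare the two strategies."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE VIRTUAL TABLE docs USING fts5(body)")
    conn.executemany("INSERT INTO docs(body) VALUES (?)", [(d,) for d in SAMPLE_DOCS])
    return {
        # Quoted: "OR" is a search term, so all three words must appear.
        "quoted_or": search(conn, "sqlite OR keywords"),
        # Raw: OR is an operator, so either word matches.
        "raw_or": search_raw(conn, "sqlite OR keywords"),
        # Quoted: the keyword AND is just a word (unicode61 folds case).
        "quoted_and": search(conn, "AND OR keywords"),
        # Raw: a bare operator is a syntax error, surfaced as None here.
        "raw_bare_and": search_raw(conn, "AND"),
    }


if __name__ == "__main__":
    print(build_fts5_query('say "hi" AND leave'))
    if fts5_available():
        for k, v in run_demo().items():
            print(k, v)
```

If prefix matching is wanted for the search box, a `*` placed after the closing quote of a phrase (`"term"*`) is the FTS5 prefix operator, and that is the one piece of query syntax worth appending on the user's behalf; everything else stays inside the quotes.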