Yeh but it doesn’t explicitly say anything about how secure it is to pass a
string directly to “match”.

Other scalar values that are passed to a query via binding are safe as they
are just data saved to the DB file.

But as the MATCH x string contains a language, it is going to be interpreted
or compiled, which is why I was asking how safe that would be.



On Fri, 20 Dec 2019 at 16:05, Jose Isaias Cabrera <jic...@outlook.com>
wrote:

>
> test user, on Friday, December 20, 2019 10:03 AM, wrote...
> >
> > Hello,
> >
> > I have a search box on a website that uses FTS5/MATCH.
> >
> > MATCH seems to take its own custom language for matching.
> >
> > 1. Is it safe to just pass the user's query to MATCH ? via the SQLite bind
> > FFI?
> >
> > - This would give them full access to the FTS5 matching language.
> >
> > 2. If not, how should I be sanitising user input?
> >
> > - E.g. How can I transform a string of words and text into a query? What
> > characters should I be removing or escaping? How can I prevent them using
> > the FTS5 keywords "AND" "OR" etc?
>
> Have you taken a look at the FTS5 site[1]?  It has lots of information
> there that may be helpful.
>
> josé
>
> [1] https://www.sqlite.org/fts5.html
>
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
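As an added example for the two questions quoted above (it is not code from this thread or from SQLite itself), using Python's sqlite3 module and an in-memory FTS5 table: binding the raw text into MATCH stops SQL injection but still hands the user the whole FTS5 query language, including syntax errors on malformed input, whereas wrapping each token in double quotes (FTS5's string syntax, with embedded quotes doubled) turns the text into plain phrase terms. The table name, corpus and function names are constructed for the example.

```python
import sqlite3

# Constructed sample corpus for this example (not from the thread).
DOCS = [
    "sqlite full text search with fts5",
    "escape user input before searching",
    "the word and is an operator",
]

def build_db():
    """In-memory FTS5 table; returns None if this SQLite lacks the fts5 module."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE VIRTUAL TABLE docs USING fts5(body)")
    except sqlite3.OperationalError:
        return None
    conn.executemany("INSERT INTO docs(body) VALUES (?)", [(d,) for d in DOCS])
    return conn

def raw_match(conn, user_text):
    """Bind the user's text straight into MATCH, as the question asks about.

    The SQL statement is fixed, so there is no SQL injection, but FTS5 still
    parses the bound value as a query: OR, NOT, prefix '*', column filters
    and NEAR() all work, and malformed syntax raises OperationalError.
    """
    try:
        rows = conn.execute("SELECT body FROM docs WHERE docs MATCH ?",
                            (user_text,)).fetchall()
    except sqlite3.OperationalError as e:
        return f"error: {e}"
    return sorted(r[0] for r in rows)

def to_fts5_query(user_text):
    """Turn free text into an FTS5 query that cannot use query syntax.

    Each whitespace-separated token becomes a double-quoted FTS5 string, so
    it is a phrase term rather than an operator; embedded double quotes are
    doubled, which is how FTS5 escapes them. Adjacent phrases are an
    implicit AND. Returns '' when there is nothing to search for.
    """
    tokens = user_text.split()
    return " ".join('"' + t.replace('"', '""') + '"' for t in tokens)

def search(conn, user_text):
    """Sanitise first, then bind the resulting query as a parameter."""
    query = to_fts5_query(user_text)
    if not query:
        return []  # nothing to search for; do not run MATCH on an empty query
    rows = conn.execute("SELECT body FROM docs WHERE docs MATCH ?",
                        (query,)).fetchall()
    return sorted(r[0] for r in rows)
```

Note that quoting keeps the tokenizer's normal behaviour (unicode61 case-folds and drops punctuation), so a quoted "sea*" matches only the token "sea", not prefixes of it.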