mysql full text search, valid boolean + sql injection attack
Posted: Fri Mar 26, 2004 5:20 pm
mysql has all these nice full text boolean search functions that i would like to use to allow users of my site to enter a boolean search of the kind:
'underwater base' and ('doctor octopus' or 'super monkey')
i figure someone must have gone before me in figuring out a way to check the syntax of a boolean search.
And because this is allowing users to create a string which will be included in an sql statement it's opening the door a little wider than normal to an sql injection attack.
i don't just want to ban people from searching on the words 'select', 'delete' and 'insert'. does anyone have a more sophisticated approach to dealing with this?
can anyone point me in the right direction?
cheers
mathew
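One way to tackle both halves of the question (checking the syntax of the user's boolean search, and keeping it out of the SQL text) is to parse the search into a small grammar, render it into MySQL's boolean-mode syntax, and then bind the result as a query parameter rather than concatenating it. The following is an added example, not code from the poster or from MySQL. It assumes the grammar shown in the post (single-quoted phrases, bare words, `and`, `or`, parentheses), maps `and` operands to MySQL's `+` prefix and `or` operands to optional words inside a group, strips MySQL's own boolean operator characters out of phrase text, and uses the DB-API `%s` placeholder style of MySQLdb/PyMySQL; the table and column names `articles`, `title` and `body` are placeholders.

```python
import re

# Added example (not from the original post): validate a user-written boolean
# search such as  'underwater base' and ('doctor octopus' or 'super monkey')
# and hand it to MySQL as a bound parameter of MATCH ... AGAINST (... IN BOOLEAN MODE).
# Table and column names (articles, title, body) are placeholders.

class SearchSyntaxError(ValueError):
    """Raised when the user's search does not follow the allowed grammar."""

# One token per match: a single-quoted phrase, a parenthesis, or a bare word
# (bare words 'and' / 'or' become operators).
_TOKEN_RE = re.compile(r"""\s*(?:
      '(?P<phrase>[^']*)'
    | (?P<lparen>\()
    | (?P<rparen>\))
    | (?P<word>[^\s()']+)
    )""", re.VERBOSE)

# Characters MySQL treats as boolean-mode operators; they are stripped from
# phrase text so a user cannot smuggle operators such as '-' or '*' into a phrase.
_OPERATOR_CHARS = re.compile(r'[+\-<>()~*"@]')


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            if text[pos:].strip() == "":
                break                      # only trailing whitespace left
            raise SearchSyntaxError(f"unexpected input at offset {pos}")
        pos = m.end()
        if m.group("phrase") is not None:
            tokens.append(("PHRASE", m.group("phrase")))
        elif m.group("lparen"):
            tokens.append(("LPAREN", "("))
        elif m.group("rparen"):
            tokens.append(("RPAREN", ")"))
        elif m.group("word").lower() in ("and", "or"):
            tokens.append(("OP", m.group("word").lower()))
        else:
            tokens.append(("PHRASE", m.group("word")))
    return tokens


class Parser:
    """Recursive descent over:  expr := term (OP term)*,  term := PHRASE | '(' expr ')'"""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind):
        k, v = self.peek()
        if k != kind:
            raise SearchSyntaxError(f"expected {kind}, got {k}")
        self.i += 1
        return v

    def parse(self):
        node = self.expr()
        if self.peek()[0] is not None:
            raise SearchSyntaxError("unexpected trailing input")
        return node

    def expr(self):
        # A chain may use only 'and' or only 'or'; mixing them without
        # parentheses is rejected as ambiguous.
        operands, op = [self.term()], None
        while self.peek()[0] == "OP":
            this_op = self.take("OP")
            if op not in (None, this_op):
                raise SearchSyntaxError("mixing 'and' and 'or' needs parentheses")
            op = this_op
            operands.append(self.term())
        return operands[0] if op is None else (op, operands)

    def term(self):
        if self.peek()[0] == "LPAREN":
            self.take("LPAREN")
            node = self.expr()
            self.take("RPAREN")
            return node
        return ("phrase", self.take("PHRASE"))


def render(node, required=False, top=True):
    """Parse tree -> MySQL boolean-mode string: 'and' operands get a leading '+',
    'or' operands stay optional, nested groups are parenthesised (assumed mapping)."""
    prefix = "+" if required else ""
    if node[0] == "phrase":
        text = " ".join(_OPERATOR_CHARS.sub(" ", node[1]).split())
        if not text:
            raise SearchSyntaxError("empty search phrase")
        return prefix + (f'"{text}"' if " " in text else text)   # quote multi-word phrases
    op, operands = node
    parts = " ".join(render(n, required=(op == "and"), top=False) for n in operands)
    return parts if top else f"{prefix}({parts})"


def build_query(user_input):
    """Return (sql, params). The validated search string travels as a bound
    parameter, so it is never spliced into the SQL text itself."""
    against = render(Parser(tokenize(user_input)).parse())
    sql = ("SELECT id, title FROM articles "
           "WHERE MATCH(title, body) AGAINST (%s IN BOOLEAN MODE)")
    return sql, (against,)


def is_valid_search(user_input):
    try:
        build_query(user_input)
        return True
    except SearchSyntaxError:
        return False


if __name__ == "__main__":
    sql, params = build_query("'underwater base' and ('doctor octopus' or 'super monkey')")
    print(sql)
    print(params)   # pass both to cursor.execute(sql, params) with MySQLdb / PyMySQL
```

Because the search string is bound as a parameter, the driver escapes it and it can never alter the statement, so there is no need to blacklist words like `select`; the parser's job is only to reject anything outside the boolean grammar and to keep users from injecting MySQL's own boolean operators (`-`, `*`, `<`, `>`, `~`, `@`) into phrase text.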