
Full text searches and security

Hi. I need to utilize boolean full-text search in my application. As I learned from this post: https://forum.phalcon.io/discussion/150/full-text-searches I have to utilize raw SQL to achieve this.

How do I make my full text search secure?

Will it be sufficient protection from SQL injection if I just cast the request to a string?

$this->request->getQuery('ftSearchQuery', 'string');

Hi, dschissler.

Not sure I understood the first part about enable_literals. It's not a problem at all for me to use parameters in queries that can be expressed in PHQL (that's how I usually do it); however, the documentation states that enable_literals affects only PHQL queries.

As I understand from the second part of your message, I can use raw SQL for ftSearch with params, like:

use Phalcon\Mvc\Model\Resultset\Simple as Resultset;
// Raw SQL placeholders are PDO-style (:param1), not PHQL's :param1: form, and they
// must not sit inside quotes, otherwise they are sent as a literal string and never bound.
$sql = 'SELECT field1, field2 FROM table WHERE MATCH (/*ft fields list*/) AGAINST (CONCAT(:param1, \' \', :param2) IN BOOLEAN MODE)';
$params = ['param1' => 'firstValue', 'param2' => 'secondValue'];
$model = new MyModel();
$results = new Resultset(null, $model, $model->getReadConnection()->query($sql, $params));

Is it possible to bind parameter types in this code? And if it's not possible, is this solution secure enough?
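As an added example (not code from the thread or from Phalcon itself) addressing both the "is casting to a string enough?" question and the bind-types question: casting only guarantees a string, it does not stop the input from carrying boolean-mode operators, so the search expression is built term by term and then passed through a typed bound parameter. The model class `Article`, its table and its FULLTEXT columns are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes a Phalcon 3.x application with a
// MySQL read connection and a model `Article` whose table has a FULLTEXT index on
// (title, body). The class name and column list are assumptions.
use Phalcon\Db\Column;
use Phalcon\Mvc\Model\Resultset\Simple as Resultset;

/**
 * Build a MySQL BOOLEAN MODE expression from raw user input.
 * A string cast leaves boolean operators (+ - ~ < > ( ) " * @) intact, so each
 * term is stripped of them and prefixed with '+' (every term required).
 * The result is still sent as a bound parameter, never interpolated into SQL.
 */
function buildBooleanQuery(string $userInput): string
{
    $terms = [];
    foreach (preg_split('/\s+/', trim($userInput)) as $term) {
        $clean = preg_replace('/[+\-~<>()"*@]/', '', $term);
        if ($clean !== '') {
            $terms[] = '+' . $clean;
        }
    }
    return implode(' ', $terms);
}

function searchArticles(Article $model, string $userInput): Resultset
{
    // Raw SQL uses PDO-style placeholders (:q), not PHQL's :q: form, and the
    // placeholder must not be wrapped in quotes or it becomes a literal string.
    $sql = 'SELECT id, title, body FROM article '
         . 'WHERE MATCH (title, body) AGAINST (:q IN BOOLEAN MODE)';

    $pdoResult = $model->getReadConnection()->query(
        $sql,
        ['q' => buildBooleanQuery($userInput)],
        ['q' => Column::BIND_PARAM_STR]   // third argument: explicit bind types
    );
    return new Resultset(null, $model, $pdoResult);
}

// Usage from a controller (the request value is still cast, but binding is what protects the query):
// $results = searchArticles(new Article(), $this->request->getQuery('ftSearchQuery', 'string'));
```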

Hm. I haven't found this to be mentioned in the documentation. Out of the box at least. I found a custom dialect function MATCH_AGAINST example here: https://blog.phalcon.io. It works with one parameter. I've tried to improve this solution to pass many parameters separately and it's not working for me, not sure why.


Ok. Finally got this to work.