当前位置: 文江博客话题详情

在 ms sql server 上进行全文搜索时如何处理用户输入?

发布于 2024-07-10 20:20:59 字数 464 浏览 11 评论 0原文

我在 ms sql server 上有一个简单的搜索机制,它使用全文“包含”。 我将搜索值作为参数传递给 contains 谓词 - 直接从用户的输入(通过 asp.net 网站)。 问题是我在各种情况下都会遇到 sql 异常: - 当用户输入两个单词时,例如“简单情况” - 当用户将 qoute 添加到搜索值时,例如“test”,

我使用如下查询进行了测试:

declare @val nvarchar(40)
set @val = N'test"' -- or 'simple case'

select x.* FROM xx as x
where CONTAINS(x.[name], @val)

通常我得到:“全文搜索条件‘xxx’中‘xxx’附近的语法错误。”问题是我想允许用户使用“*”、“or”和“and”条件进行高级查询,

您如何处理用户输入? 您引用名称值吗?

原文

I have a simple search mechanism on ms sql server that uses full-text "contains".
I pass search value as a parameter to contains predicate - directly from user's input (via asp.net web site). The problem is that i get sql exception in variety of cases:
- when user inputs two words, like 'simple case'
- when user adds qoute to search value, like 'test"'

I have made test using query like below:

declare @val nvarchar(40)
set @val = N'test"' -- or 'simple case'

select x.* FROM xx as x
where CONTAINS(x.[name], @val)

Usually i get: "Syntax error near 'xxx' in the full-text search condition 'xxx'." The problem is that i would like to allow users to make advanced queries with '*', 'or' and 'and' conditions.

How do You handle user-input?
Do You qoutename value?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

孤君无依 2024-07-17 20:20:59

在我们的应用程序中,我们使用自己的简单查询语言进行用户输入:仅操作数(带有可选通配符的单词或短语)、运算符(AND、OR、NOT)和括号。

我们解析用户输入,将其分解为各个组成部分并检查语法等。

如果我们认为输入有效,我们会将其重建为等效的 CONTAINS 条件并将其作为我们的搜索存储过程的参数。 因为我们自己创建条件,所以我们知道它在语法上是正确的。

如果用户输入无效,那么我们可以向用户返回有意义的错误消息,而根本不需要连接到数据库。

In our app we use our own simple query language for the user input: just operands (words or phrases with optional wildcards), operators (AND, OR, NOT) and parentheses.

We parse the user input, break it down into it's constituent parts and check the syntax etc.

If we're happy that the input is valid, we rebuild it into the equivalent CONTAINS condition and send that as a parameter to our search sproc. Because we're creating the condition ourselves we know that it's syntactically correct.

If the user input is invalid then we're able to return a meaningful error message to the user without needing to connect to the database at all.

回复 原文
少女情怀诗 2024-07-17 20:20:59

几年前我用这个开发了一个应用程序; 我所做的是前端给你一个文本框来输入你的术语,它有一个下拉菜单可以在几个选项之间进行选择,如下所示:

<option selected value="AND">All of the words entered</option>
<option value="OR">Any of the words entered</option>
<option value="ALL">The exact phrase entered</option>

所以我不希望他们输入 ands 或 ors - 我为他们这样做。 我确实让他们引用了一个子短语。

下面是一些完成此操作的代码。 结果短语作为参数发送给过程; 正如上面的评论者提到的,你确实必须这样做以防止 SQL 注入。 不幸的是,这段代码是遗留的 ASP VBScript,甚至没有按照该语言的标准编写得很好,但也许这会给您一个想法。

 function formatContainsString (sCriteria, sANDorOR)
    dim sReturnBuf 'where we build our string
    dim sWordList 'sCriteria split
    dim lCurPos      'where we are at in sWordList
    dim bInnerQuotes ' an open quote was found
    if sCriteria = "" or sANDorOR = "" then
        formatContainsString = ""
        exit function
    end if

    ' If the passed parameter is 'ALL' then use the exact phrase typed by users
    if sANDorOR = "ALL"  then
        formatContainsString = "'"  & chr(34) & sCriteria  & chr(34) & "'"
        Exit Function
    End If

    sReturnBuf = "'"
    sWordList = split(sCriteria," ")
    for lCurPos = 0 to ubound(sWordList)
        if bInnerQuotes then 'want to pass this as a single phrase
            sReturnBuf = sReturnBuf & " " & sWordList(lCurPos)
            if right(sWordList(lCurPos),1) = chr(34) then
               sReturnBuf = left(sReturnBuf,len(sReturnBuf)-1) & "*" & chr(34)
                sReturnBuf = sReturnBuf & " " & sANDorOR & " "'phrase is over
                bInnerQuotes = False
            end if
        else        
            if left(sWordList(lCurPos),1) = chr(34) then 
                sReturnBuf = sReturnBuf & sWordList(lCurPos)
                bInnerQuotes = True
            else
                sReturnBuf = sReturnBuf & chr(34) & sWordList(lCurPos) & "*" & _ 
                    chr(34) & " " & sANDorOR & " "'quote the word
            end if
        end if
    next
    'finally, remove the last AND or OR... and append the tick
    formatContainsString = left(sReturnBuf,len(sReturnBuf)-(len(sANDorOR)+1)) _ 
        & "'"

end function

I built an app years ago using this; what I did is the front-end gives you a text box to type your terms and it has a drop-down to select between a few options like so:

<option selected value="AND">All of the words entered</option>
<option value="OR">Any of the words entered</option>
<option value="ALL">The exact phrase entered</option>

So I don't want them typing ands or ors - I do that for them. I do let them quote a sub-phrase.

Below is some code that accomplishes this. The resulting phrase is sent as a parameter to a procedure; as the commenter above mentioned you really must do this to protect against SQL injection. Unfortunately this code is legacy ASP VBScript and isn't even well-written by that language's standards but maybe this gives you an idea.

 function formatContainsString (sCriteria, sANDorOR)
    dim sReturnBuf 'where we build our string
    dim sWordList 'sCriteria split
    dim lCurPos      'where we are at in sWordList
    dim bInnerQuotes ' an open quote was found
    if sCriteria = "" or sANDorOR = "" then
        formatContainsString = ""
        exit function
    end if

    ' If the passed parameter is 'ALL' then use the exact phrase typed by users
    if sANDorOR = "ALL"  then
        formatContainsString = "'"  & chr(34) & sCriteria  & chr(34) & "'"
        Exit Function
    End If

    sReturnBuf = "'"
    sWordList = split(sCriteria," ")
    for lCurPos = 0 to ubound(sWordList)
        if bInnerQuotes then 'want to pass this as a single phrase
            sReturnBuf = sReturnBuf & " " & sWordList(lCurPos)
            if right(sWordList(lCurPos),1) = chr(34) then
               sReturnBuf = left(sReturnBuf,len(sReturnBuf)-1) & "*" & chr(34)
                sReturnBuf = sReturnBuf & " " & sANDorOR & " "'phrase is over
                bInnerQuotes = False
            end if
        else        
            if left(sWordList(lCurPos),1) = chr(34) then 
                sReturnBuf = sReturnBuf & sWordList(lCurPos)
                bInnerQuotes = True
            else
                sReturnBuf = sReturnBuf & chr(34) & sWordList(lCurPos) & "*" & _ 
                    chr(34) & " " & sANDorOR & " "'quote the word
            end if
        end if
    next
    'finally, remove the last AND or OR... and append the tick
    formatContainsString = left(sReturnBuf,len(sReturnBuf)-(len(sANDorOR)+1)) _ 
        & "'"

end function
回复 原文
花开浅夏 2024-07-17 20:20:59

根据您收到的错误,我想说您没有在查询中使用参数。 这是非常危险的,并且允许您的用户执行 sql 注入。

现在,对于您的问题,我认为最好的选择是您设置两种文本输入类型,一种用于普通用户,另一种用于高级用户,这样您就可以知道在哪里解析高级查询。

By the errors you are getting i would say you are not using parameters for your queries. This is very dangerous and allows your users to perform sql injections.

Now, as for your question, i think the best option would be for you to set 2 text entry types, one for regular users, another for advanced users so you can know where to parse for advanced queries.

回复 原文
~没有更多了~

关于作者

拥抱影子

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

5576443447

文章 0 评论 0

酒几许

文章 0 评论 0

夜空下最亮的亮点

文章 0 评论 0

xiaolangfanhua

文章 0 评论 0

好久不见√

文章 0 评论 0

盗心人

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文