My solution for preventing SQL injection (using mysql.escape()) makes the current dp api endpoint for puzzle search unusable. The way search used to work was by tokenizing a search query and inserting each search term into a “like” string:
column like '%term_1%' or column like '%term_2%' or ...
This will no longer work because the escape method in the db server converts the whole expression to a string. I will make the following changes to fix this:
Pass the terms as arguments from dbclient
Create a new boolean special member to denote api endpoints with special implementations
Update dbserver.get_query() to check for special endpoints
Create the __search_puzzles endpoint handler, which inserts the search terms into an expression like so (the terms will be filtered so as not to include the apostrophe ' character):
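Added example (not the project's code) of the parameterized form described above: each term travels as an argument behind its own ? placeholder, so a quote inside a term is escaped inside that term's literal, whereas escaping the finished expression (the old path) turns the whole thing into one string literal. The column name and the escaping helper are assumptions standing in for the real column and for mysql.escape()/mysql.format.

```javascript
// Reimplementation of node-mysql's string escaping rules, so this runs
// without the mysql package. In dbserver, mysql.format(sql, args) or
// connection.query(sql, args) does this step.
const ESCAPES = { '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n',
  '\r': '\\r', '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\' };

function escapeLiteral(value) {
  return "'" + String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, c => ESCAPES[c]) + "'";
}

// Split the user's search query into terms (whitespace-separated).
function tokenize(query) {
  return query.split(/\s+/).filter(t => t.length > 0);
}

// Old path: the finished "col like '%a%' or col like '%b%'" expression is
// escaped as a whole, which yields a single quoted string, not a predicate.
function buildEscapedExpression(column, query) {
  const expr = tokenize(query).map(t => `${column} like '%${t}%'`).join(' or ');
  return escapeLiteral(expr);
}

// New path: one placeholder per term; the term values are returned separately
// as arguments. `column` must be a fixed, server-chosen name, never user input.
function buildSearchQuery(column, query) {
  const terms = tokenize(query);
  if (terms.length === 0) return { sql: 'FALSE', args: [] };  // match nothing
  const sql = terms.map(() => `${column} like ?`).join(' or ');
  const args = terms.map(t => `%${t}%`);
  return { sql, args };
}

// Substitute placeholders the way mysql.format does: every argument becomes
// an escaped literal, so quotes in a term cannot end its literal early.
function format(sql, args) {
  let i = 0;
  return sql.replace(/\?/g, () => escapeLiteral(args[i++]));
}
```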