Sphinx PHP API EscapeString() function doesn't work for SphinxQL? - sphinx

I found the following function in the Sphinx PHP API code:
function sphinxapi_EscapeString($string)
{
$from = ['\\', '(', ')', '|', '-', '!', '#', '~', '"', '&', '/', '^', '$', '=', '<'];
$to = ['\\\\', '\(', '\)', '\|', '\-', '\!', '\#', '\~', '\"', '\&', '\/', '\^', '\$', '\=', '\<'];
return str_replace($from, $to, $string);
}
However, it doesn't seem to work properly because when I use strings with certain characters in them in queries Sphinx throws exceptions.
An example is the quote character ". EscapeString() puts a backslash \ in front of it, but Sphinx throws an exception saying:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 index my_index: syntax error, unexpected $end near ''' in ..
If I add two more backslashes, making it \\\", then no error is thrown.
What's the deal here? Why isn't EscapeString() working?

You haven't shared your exact code, but I wonder if you are JUST calling this function; you need to escape as per SQL rules too.
EscapeString ONLY escapes the query to escape the Extended Syntax characters.
That's all that is required in the API, as the Query/AddQuery function takes the query directly.
But in SphinxQL the query string is inside a SQL statement, so the string needs 'SQL String' escaping before being embedded in the statement (whether or not you ALSO escape like EscapeString does). PDO can do it automatically if you use prepared statements, otherwise use the PDO quote function.
(A Query like SELECT ... MATCH('one \" ') isn't escaped properly, as the slash is 'swallowed' by the SQL parser, not making it through to the Full text Query parser)
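A worked version of the two escaping layers the answer describes, written as an added example (not code from the question, the Sphinx PHP API or the project). It assumes a SphinxQL listener on 127.0.0.1:9306 and reuses the index name my_index from the question; the sample input is constructed.

```php
<?php
// Added example, not code from the question or from the Sphinx PHP API.
// Two escaping layers for a SphinxQL MATCH() argument:
//   1) full-text layer: neutralise Sphinx extended-syntax operators
//      (same character set as the question's sphinxapi_EscapeString());
//   2) SQL layer: string-literal escaping, delegated to PDO.
// Assumptions: SphinxQL listens on 127.0.0.1:9306 and the index is
// called my_index (the name used in the question).

function sphinxql_escape_match(string $string): string
{
    $from = ['\\', '(', ')', '|', '-', '!', '#', '~', '"', '&', '/', '^', '$', '=', '<'];
    $to   = ['\\\\', '\(', '\)', '\|', '\-', '\!', '\#', '\~', '\"', '\&', '\/', '\^', '\$', '\=', '\<'];
    return str_replace($from, $to, $string);
}

$userInput = 'say "hello" (world)';          // constructed sample input
$match = sphinxql_escape_match($userInput);  // say \"hello\" \(world\)

// Broken: interpolating the layer-1 result straight into the statement.
// The SQL string parser consumes the backslashes, the full-text parser
// then sees an unbalanced quote, and Sphinx reports
// "syntax error, unexpected $end" as in the question.
$broken = "SELECT id FROM my_index WHERE MATCH('$match')";

$pdo = new PDO('mysql:host=127.0.0.1;port=9306');

// Correct (a): a bound parameter. PDO adds the SQL layer itself, so the
// backslashes from layer 1 survive into the full-text parser.
$stmt = $pdo->prepare('SELECT id FROM my_index WHERE MATCH(?)');
$stmt->execute([$match]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Correct (b): without prepared statements, PDO::quote() produces a
// SQL literal, surrounding single quotes included.
$sql  = 'SELECT id FROM my_index WHERE MATCH(' . $pdo->quote($match) . ')';
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
```

Either correct form sends the full-text parser exactly the text in $match; only the broken string loses the backslashes on the way through the SQL layer.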

Related

POSTGRESQL Dollar Quotes in Where Clause

For people who tried or needed a solution to escape every special character (even $) in a WHERE CLAUSE in POSTGRESQL, here is how it should be used.
The documentation can be somewhat hard to understand, and there is no proper example of it, so here is mine.
e.g.: if you want to make a request looking like
SELECT
*
FROM
<TableName>
WHERE
<ColumnName> = 'string with ' character';
it will throw an error because "character'" is outside the string.
So here is how it should be written:
SELECT
*
FROM
<TableName>
WHERE
<ColumnName> = $$string with ' character$$;
The WHERE CONDITION will take the string literally; the interface may look broken but the following instruction will still be interpreted as expected.
SELECT
*
FROM
<TableName>
WHERE
<ColumnName> = $$string with ' character$$ AND <OtherColumnName> IS NOT NULL;
This could even be another escaped string with $$.
For details about dollar quoting, look at the documentation.

I'm using Yii2 and Postgres. I need to use the dollar sign in my query

The request has a line $query->andWhere(new Expression('mkb ?| array[\'' . $code1 . '\', \'' . $code2 . '\']'));
Error is returned
Invalid parameter number: mixed named and positional parameters
As I understand it, this is because of the dollar sign. That is, the request has :param. How do I escape the dollar sign?

what does caret do in postgresql?

I'm playing hackthebox machines and the current one has a postgresql db in place. The query breaks with ' and appears as follows:
ERROR: unterminated quoted string at or near "'" LINE 1: Select * from
cars where name ilike '%test'%' ^
I understand that % is being used to search within the query string for the characters provided, but what is ^ used for?
Bold highlights my test query.
All my searches yielded results regarding regexes and the caret signaling the start of the string, plus other results about using the cli or something like that.
Can anybody tell me what it is doing at the end of the query?
You are looking for the use of the caret specifically within error messages.
If I run this query:
psql -c " Select * from cars where name ilike '%test'%'"
This is what I get, preserving line breaks and spaces:
ERROR: unterminated quoted string at or near "'"
LINE 1: Select * from cars where name ilike '%test'%'
^
The caret points to where on the previous line the error occurred. In this case, that is where the opening quote mark that never got closed was located.
If you are using a tool which malformats your error messages, you should consider changing to one that does not or otherwise figuring out how to fix it.

Anorm: Escape { for Postgres

I want to execute query like this:
SELECT '{"a":[1,2,3],"b":[4,5,6]}'::json#>>'{a,2}'
But anorm can not prepare the query and raise the parse error.
How to escape the '{' and '}' symbols in SQL text for anorm?
Update:
the solution is pretty simple (like RTFM :) )
SELECT '{"a":[1,2,3],"b":[4,5,6]}'::json#>>'{a,2}'
should be
SELECT '{"a":[1,2,3],"b":[4,5,6]}'::json->'a'->>2
there are no symbols '{', '}', so Anorm is happy.
You can pass the values as strings which contain curly braces.
Look at this example
SELECT '{}'::jsonb;
so I replaced it with a binding
SELECT {empty}::jsonb;
And passed this named param when executing the query
NamedParameter("empty", "{}")

How to update a record with a literal percent sign (%) in PostgreSQL without saving it as "\%"

I need to update a record, which contains literal percent signs, using PostgreSQL in Railo. The query looks like
<cfquery>
update foo set bar = 'string with % in it %'
</cfQuery>
It throws an error as ColdFusion normally interprets it as a wildcard character. I can escape it using the following query.
<cfquery>
update foo set bar = 'string with escaped \% in it \%'
</cfQuery>
However, the record now contains "\%" in the database and will be displayed on the page as "\%".
I found documentation with an example of escaping the percent sign in a SELECT. But it does not work for me: syntax error at or near "ESCAPE".
SELECT emp_discount
FROM Benefits
WHERE emp_discount LIKE '10\%'
ESCAPE '\';
Is there a better way to achieve the same goal? The underlying database is PostgreSQL. Thanks!
Query parameters escape special characters. Yet another reason to use them.