Search

A new extension, “Search Results” is now available for download. Comments and feedback can be left here but if you discover any issues, please post it on the issue tracker.

Outstanding! I’m going to give this bad boy a spin this weekend. It could REALLY come in handy on a few sites I’m doing.

Nice! Looks very similar to how my forthcoming Site Index extension works, by allowing the developer to pass a list of sections to the search at runtime.

Beware that this is potentially a security risk if a user changes the form implementation to include IDs of all sections. You might have a “Users” section in which you store personal information which instantly becomes searchable by modifying the URL. Also, look out for SQL injection vulnerabilities when you concatenate the SQL statement together as a string.

I’m attempting to solve this problem with Site Index by providing configuration for which sections and which fields are searchable; but the UI is a little way off completion.

This is a great start for an instant search though :-)

I agree with you on the security risk issue. Perhaps I could include a configuration file with the event to have the configuration seperated from the HTML.

For the SQL injection: I htmlentities and strip_tags the input queries. I think that is able to prevent SQL injection. Or is this a wrong way to collect safe input?

Search Results updated to version 0.2 on 18th of March 2010

  • Used other function to prevent SQL injection.
  • Made configuration in an external file.
  • Added ‘status’-node to the events’ output to provide a success or a failure-status.

For the SQL injection: I htmlentities and strip_tags the input queries. I think that is able to prevent SQL injection. Or is this a wrong way to collect safe input?

HTML tags won’t hurt your database but quotes will.

Yeah, a little Google-time showed me that answer. That’s why I now use the this function to render quotes harmless:

    private function sql_quote($value)
    {

        if(get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        //check if this function exists
        if(function_exists( "mysql_real_escape_string")) {
            $value = mysql_real_escape_string($value);
        } else {
            //for PHP version < 4.3.0 use addslashes
            $value = addslashes($value);
        }
        return $value;
    }

Symphony 2 won’t work on PHP 4, so you might simplify this function.

hehe, just copy-pasted the code from this website, but you’re right :-P

I implemented this extension (event) and ran into a peculiar problem. I get extra stuff printed below the footer of my web page. I finally tracked down the source. Apparently the XML for all events is added to the end of the HTML as a comment. And it seems, at least in FireFox, that there is a limit to the length of an HTML comment. At some point it forgets that it’s a comment and starts displaying it. How do I get rid of the “events comment?”

I forgot to add that the search function itself seems to be working great.

How do I get rid of the “events comment?”

Thats a line in your config file:

'display_event_xml_in_source' => 'yes',

Not to worry though, only logged in users will see them. They are pretty handy when it comes to debugging “old school Events” (the ones with forms).

Now why didn’t I think to look there? And will I remember to turn it back on when I need it? Thanks phoque.

@kanduvisla or @wisolman -

Would y’all mind sharing step-by-step, how you implemented this on your sites? I followed the README and keep getting the following error…

Symphony Fatal Database Error

Unknown column 'value' in 'where clause'
An error occurred while attempting to execute the following query
SELECT `entry_id` FROM `books_entries_data_35` WHERE `value` LIKE '%John%' OR `value` LIKE '%Piper%';

Backtrace:
[/home/sites/bookstore/public_html/symphony/lib/toolkit/class.mysql.php:275] MySQL->__error();
[/home/sites/bookstore/public_html/symphony/lib/toolkit/class.mysql.php:313] MySQL->query();
[/home/sites/bookstore/public_html/workspace/events/event.searchresults.php:155] MySQL->fetch();
[/home/sites/bookstore/public_html/workspace/events/event.searchresults.php:111] eventsearchresults->__trigger();
[/home/sites/bookstore/public_html/symphony/lib/toolkit/class.frontendpage.php:548] eventsearchresults->load();
[/home/sites/bookstore/public_html/symphony/lib/toolkit/class.frontendpage.php:233] FrontendPage->processEvents();
[/home/sites/bookstore/public_html/symphony/lib/toolkit/class.frontendpage.php:63] FrontendPage->__buildPage();
[/home/sites/bookstore/public_html/symphony/lib/core/class.frontend.php:50] FrontendPage->generate();
[/home/sites/bookstore/public_html/index.php:20] Frontend->display();

Database Query Log:
SET NAMES 'utf8'; [0.0001]
SET CHARACTER SET 'utf8'; [0.0001]
SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendInitialised' AND t1.status = 'enabled'; [0.0001]
SELECT SQL_NO_CACHE * FROM `books_cache` WHERE `hash` = '_session_config' AND (`expiry` IS NULL OR UNIX_TIMESTAMP() <= `expiry`) LIMIT 1; [0.0003]
SELECT `session_data` FROM `books_sessions` WHERE `session` = '71t4hevni1d6frthjubplgm137' LIMIT 1; [0.0002]
SELECT `id` FROM `books_authors` WHERE `username` = 'admin' AND `password` = 'c33bf947567a14ecad88f96a235bb13a' LIMIT 1; [0.0001]
UPDATE books_authors SET `last_seen` = '2010-04-21 13:07:38' WHERE `id` = '1'; [0.0004]
SELECT * FROM `books_authors` WHERE `id` = '1' LIMIT 1; [0.0001]
SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendDevKitResolve' AND t1.status = 'enabled'; [0.0002]
SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendPrePageResolve' AND t1.status = 'enabled'; [0.0001]
SELECT * FROM `books_pages` WHERE `path` IS NULL AND `handle` = 'search-results' LIMIT 1; [0.0001]
SELECT `params` FROM `books_pages` WHERE `id` = '96' LIMIT 1; [0.0001]
SELECT `type` FROM `books_pages_types` WHERE `page_id` = '96'; [0.0001]
SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendPageResolved' AND t1.status = 'enabled'; [0.0001]
SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendParamsResolve' AND t1.status = 'enabled'; [0.0001]
SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendProcessEvents' AND t1.status = 'enabled'; [0.0001]
SELECT `id`, `name`, `handle` FROM `books_sections` WHERE `handle` = 'books';; [0.0001]
SELECT `id`, `name`, `handle` FROM `books_sections` WHERE `handle` = 'publishers';; [0.0001]
SELECT `id`, `name`, `handle` FROM `books_sections` WHERE `handle` = 'book-categories';; [0.0001]
SELECT `id`, `name`, `handle` FROM `books_sections` WHERE `id` IN (11,13,12);; [0.0001]
SELECT DISTINCT `id`, `label`, `element_name` FROM `books_fields` WHERE `parent_section` = 11;; [0.0001]
SELECT `entry_id` FROM `books_entries_data_45` WHERE `value` LIKE '%John%' OR `value` LIKE '%Piper%';; [0.0002]
SELECT `entry_id` FROM `books_entries_data_46` WHERE `value` LIKE '%John%' OR `value` LIKE '%Piper%';; [0.0014]
SELECT `entry_id` FROM `books_entries_data_61` WHERE `value` LIKE '%John%' OR `value` LIKE '%Piper%';; [0.0000]

How many pages do I need to append the event to? Do I need datasources for each of those sections?

Actually, if you don’t mind, a basic little step-by-step, “I took these steps”, would be a huge help!

Thank you all for your help!

What field is ID “35” in your database? (look in sym_fields)? I think there’s a bug with this script such that it assumes that every field in your section will have a value column, which isn’t necessarily the case.

@nickdunn - The field was a selectbox link field. I removed the section that had that field from the config file. Then I tried it again. Same result. It gave me that same error for another field, which was also a selectbox link field (in another section).

It looks like it’s failing on sections with selectbox link fields.

FYI… I went ahead and posted, posted the database log as well, http://getsymphony.com/discuss/thread/41239/1/#position-14

Any thoughts on why this script has trouble with selectbox link fields?

I think there’s a bug with this script such that it assumes that every field in your section will have a value column, which isn’t necessarily the case.

This script will work when your section just has basic fields such as Text Input, Textarea, Checkbox etc. because these fields all use a value column to store their values. A Select Box Link does not have a value column, so when the SQL tries to query from one an error is thrown.

So I think what it needs is some error checking so that it only tries to query fields that have a value column.

Sorry bzerangue, I’ve been tied up with other stuff for a couple of days. And it’s getting late here tonight. I’ll try to respond to your request first thing tomorrow.

Create an account or sign in to comment.

Symphony • Open Source XSLT CMS

Server Requirements

  • PHP 5.3-5.6 or 7.0-7.3
  • PHP's LibXML module, with the XSLT extension enabled (--with-xsl)
  • MySQL 5.5 or above
  • An Apache or Litespeed webserver
  • Apache's mod_rewrite module or equivalent

Compatible Hosts

Sign in

Login details