Search Results
This is an open discussion with 40 replies, filed under Extensions.
Search
Outstanding! I’m going to give this bad boy a spin this weekend. It could REALLY come in handy on a few sites I’m doing.
Nice! Looks very similar to how my forthcoming Site Index extension works, by allowing the developer to pass a list of sections to the search at runtime.
Beware that this is potentially a security risk if a user changes the form implementation to include IDs of all sections. You might have a “Users” section in which you store personal information which instantly becomes searchable by modifying the URL. Also, look out for SQL injection vulnerabilities when you concatenate the SQL statement together as a string.
I’m attempting to solve this problem with Site Index by providing configuration for which sections and which fields are searchable; but the UI is a little way off completion.
This is a great start for an instant search though :-)
I agree with you on the security risk issue. Perhaps I could include a configuration file with the event to have the configuration seperated from the HTML.
For the SQL injection: I htmlentities and strip_tags the input queries. I think that is able to prevent SQL injection. Or is this a wrong way to collect safe input?
Search Results
updated to version 0.2
on 18th of March 2010
- Used other function to prevent SQL injection.
- Made configuration in an external file.
- Added ‘status’-node to the events’ output to provide a success or a failure-status.
For the SQL injection: I htmlentities and strip_tags the input queries. I think that is able to prevent SQL injection. Or is this a wrong way to collect safe input?
HTML tags won’t hurt your database but quotes will.
Yeah, a little Google-time showed me that answer. That’s why I now use the this function to render quotes harmless:
private function sql_quote($value) { if(get_magic_quotes_gpc()) { $value = stripslashes($value); } //check if this function exists if(function_exists( "mysql_real_escape_string")) { $value = mysql_real_escape_string($value); } else { //for PHP version < 4.3.0 use addslashes $value = addslashes($value); } return $value; }
Symphony 2 won’t work on PHP 4, so you might simplify this function.
hehe, just copy-pasted the code from this website, but you’re right :-P
I implemented this extension (event) and ran into a peculiar problem. I get extra stuff printed below the footer of my web page. I finally tracked down the source. Apparently the XML for all events is added to the end of the HTML as a comment. And it seems, at least in FireFox, that there is a limit to the length of an HTML comment. At some point it forgets that it’s a comment and starts displaying it. How do I get rid of the “events comment?”
I forgot to add that the search function itself seems to be working great.
How do I get rid of the “events comment?”
Thats a line in your config file:
'display_event_xml_in_source' => 'yes',
Not to worry though, only logged in users will see them. They are pretty handy when it comes to debugging “old school Events” (the ones with forms).
Now why didn’t I think to look there? And will I remember to turn it back on when I need it? Thanks phoque.
@kanduvisla or @wisolman -
Would y’all mind sharing step-by-step, how you implemented this on your sites? I followed the README and keep getting the following error…
Symphony Fatal Database Error Unknown column 'value' in 'where clause' An error occurred while attempting to execute the following query SELECT `entry_id` FROM `books_entries_data_35` WHERE `value` LIKE '%John%' OR `value` LIKE '%Piper%'; Backtrace: [/home/sites/bookstore/public_html/symphony/lib/toolkit/class.mysql.php:275] MySQL->__error(); [/home/sites/bookstore/public_html/symphony/lib/toolkit/class.mysql.php:313] MySQL->query(); [/home/sites/bookstore/public_html/workspace/events/event.searchresults.php:155] MySQL->fetch(); [/home/sites/bookstore/public_html/workspace/events/event.searchresults.php:111] eventsearchresults->__trigger(); [/home/sites/bookstore/public_html/symphony/lib/toolkit/class.frontendpage.php:548] eventsearchresults->load(); [/home/sites/bookstore/public_html/symphony/lib/toolkit/class.frontendpage.php:233] FrontendPage->processEvents(); [/home/sites/bookstore/public_html/symphony/lib/toolkit/class.frontendpage.php:63] FrontendPage->__buildPage(); [/home/sites/bookstore/public_html/symphony/lib/core/class.frontend.php:50] FrontendPage->generate(); [/home/sites/bookstore/public_html/index.php:20] Frontend->display(); Database Query Log: SET NAMES 'utf8'; [0.0001] SET CHARACTER SET 'utf8'; [0.0001] SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendInitialised' AND t1.status = 'enabled'; [0.0001] SELECT SQL_NO_CACHE * FROM `books_cache` WHERE `hash` = '_session_config' AND (`expiry` IS NULL OR UNIX_TIMESTAMP() <= `expiry`) LIMIT 1; [0.0003] SELECT `session_data` FROM `books_sessions` WHERE `session` = '71t4hevni1d6frthjubplgm137' LIMIT 1; [0.0002] SELECT `id` FROM `books_authors` WHERE `username` = 'admin' AND `password` = 'c33bf947567a14ecad88f96a235bb13a' LIMIT 1; [0.0001] UPDATE books_authors SET `last_seen` = '2010-04-21 13:07:38' WHERE `id` = '1'; [0.0004] SELECT * FROM `books_authors` WHERE `id` = '1' LIMIT 1; [0.0001] SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendDevKitResolve' AND t1.status = 'enabled'; [0.0002] SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendPrePageResolve' AND t1.status = 'enabled'; [0.0001] SELECT * FROM `books_pages` WHERE `path` IS NULL AND `handle` = 'search-results' LIMIT 1; [0.0001] SELECT `params` FROM `books_pages` WHERE `id` = '96' LIMIT 1; [0.0001] SELECT `type` FROM `books_pages_types` WHERE `page_id` = '96'; [0.0001] SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendPageResolved' AND t1.status = 'enabled'; [0.0001] SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendParamsResolve' AND t1.status = 'enabled'; [0.0001] SELECT t1.*, t2.callback FROM `books_extensions` as t1 LEFT JOIN `books_extensions_delegates` as t2 ON t1.id = t2.extension_id WHERE (t2.page IN ('/frontend/', '*')) AND t2.delegate = 'FrontendProcessEvents' AND t1.status = 'enabled'; [0.0001] SELECT `id`, `name`, `handle` FROM `books_sections` WHERE `handle` = 'books';; [0.0001] SELECT `id`, `name`, `handle` FROM `books_sections` WHERE `handle` = 'publishers';; [0.0001] SELECT `id`, `name`, `handle` FROM `books_sections` WHERE `handle` = 'book-categories';; [0.0001] SELECT `id`, `name`, `handle` FROM `books_sections` WHERE `id` IN (11,13,12);; [0.0001] SELECT DISTINCT `id`, `label`, `element_name` FROM `books_fields` WHERE `parent_section` = 11;; [0.0001] SELECT `entry_id` FROM `books_entries_data_45` WHERE `value` LIKE '%John%' OR `value` LIKE '%Piper%';; [0.0002] SELECT `entry_id` FROM `books_entries_data_46` WHERE `value` LIKE '%John%' OR `value` LIKE '%Piper%';; [0.0014] SELECT `entry_id` FROM `books_entries_data_61` WHERE `value` LIKE '%John%' OR `value` LIKE '%Piper%';; [0.0000]
How many pages do I need to append the event to? Do I need datasources for each of those sections?
Actually, if you don’t mind, a basic little step-by-step, “I took these steps”, would be a huge help!
Thank you all for your help!
What field is ID “35” in your database? (look in sym_fields
)? I think there’s a bug with this script such that it assumes that every field in your section will have a value
column, which isn’t necessarily the case.
@nickdunn - The field was a selectbox link field. I removed the section that had that field from the config file. Then I tried it again. Same result. It gave me that same error for another field, which was also a selectbox link field (in another section).
It looks like it’s failing on sections with selectbox link fields.
FYI… I went ahead and posted, posted the database log as well, http://getsymphony.com/discuss/thread/41239/1/#position-14
Any thoughts on why this script has trouble with selectbox link fields?
I think there’s a bug with this script such that it assumes that every field in your section will have a value column, which isn’t necessarily the case.
This script will work when your section just has basic fields such as Text Input, Textarea, Checkbox etc. because these fields all use a value
column to store their values. A Select Box Link does not have a value
column, so when the SQL tries to query from one an error is thrown.
So I think what it needs is some error checking so that it only tries to query fields that have a value
column.
Sorry bzerangue, I’ve been tied up with other stuff for a couple of days. And it’s getting late here tonight. I’ll try to respond to your request first thing tomorrow.
Create an account or sign in to comment.
A new extension, “Search Results” is now available for download. Comments and feedback can be left here but if you discover any issues, please post it on the issue tracker.