
I am trying to implement a search on the album table, where the artist is entered in a form. I get the variable from the form and build a query. I successfully get the variable from the form.

$words = $_REQUEST['SQLfield'];
$tempquery =  "SELECT * FROM album WHERE to_tsvector(artist) @@ to_tsquery('$words')";
do_sql($tempquery);

When I search for, for example, Jimi Hendrix, the result is:

query #1: SQLSTATE[42601]: Syntax error: 7 ERROR: syntax error in tsquery: "Jimi Hendrix "
Passing a user-provided variable directly into a query, without any escaping, is a VERY BAD THING. –  Marcin Orlowski Apr 8 '13 at 9:48

1 Answer

I haven't used Full Text Search in PostgreSQL, but after quickly scanning the documentation I think that you should use the plainto_tsquery function instead of to_tsquery, since to_tsquery expects something like 'jimi & hendrix', while plainto_tsquery will accept phrases like 'Jimi Hendrix'.

Thank you very much. I only changed to_tsquery to plainto_tsquery. –  vili Apr 8 '13 at 12:15
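
The accepted fix and the escaping concern raised in the comment on the question can be handled together. The following is an added example, not code from the question or the answer: it assumes a PDO connection to PostgreSQL, and the DSN, credentials and the function name searchAlbumsByArtist are placeholders chosen for illustration.

```php
<?php
// Added example. Assumptions: PDO with the pgsql driver and the album(artist)
// table from the question; DSN, user and password below are placeholders.

function searchAlbumsByArtist(PDO $pdo, string $words): array
{
    $words = trim($words);
    if ($words === '') {
        return [];   // nothing to search for, skip the query
    }

    // The search text travels as a bound parameter and is never concatenated
    // into the SQL string, so quotes or operators typed into the form cannot
    // change the statement.
    // plainto_tsquery() parses its argument as plain text, so "Jimi Hendrix"
    // is accepted. Binding alone would not fix the original error:
    // to_tsquery(:words) still raises SQLSTATE 42601 for that input.
    $stmt = $pdo->prepare(
        'SELECT * FROM album
          WHERE to_tsvector(artist) @@ plainto_tsquery(:words)'
    );
    $stmt->execute([':words' => $words]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('pgsql:host=localhost;dbname=music', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors become exceptions
    PDO::ATTR_EMULATE_PREPARES => false,                  // use server-side prepares
]);

// A request parameter can arrive as an array (SQLfield[]=...); accept strings only.
$input = $_REQUEST['SQLfield'] ?? '';
if (!is_string($input)) {
    $input = '';
}

foreach (searchAlbumsByArtist($pdo, $input) as $row) {
    // Encode on output so stored values are not interpreted as HTML.
    echo htmlspecialchars($row['artist'], ENT_QUOTES, 'UTF-8'), "\n";
}
```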
