How to find "*" with contains clause in a textindex?
52 views
Skip to first unread message
BadDotNetCoda
Nov 3, 2009, 2:51:01 AM11/3/09
to SQL Anywhere Web Development
Hi,
how can I escape special characters and keywords like "*", "AND" and
"OR" to use it in a query with contains clause?
Unfortunately I can' t find some documentation about this
functionality.
Can someone point to a Web resource?
Best Regards.
how can I escape special characters and keywords like "*", "AND" and
"OR" to use it in a query with contains clause?
Unfortunately I can' t find some documentation about this
functionality.
Can someone point to a Web resource?
Best Regards.
Jim Graham
Nov 3, 2009, 10:17:29 AM11/3/09
to SQL Anywhere Web Development
Full text indexes are an index of terms. Terms are groups of
alphanumeric characters. You cannot search for an asterisk because the
asterisk will not be in the index. I find sa_char_terms useful for
better understanding full text indexes and searches. It allows you to
see how values are broken into terms for indexing.
Searching for AND and OR is possible, but they must be enclosed in
double quotes to avoid being interpreted as operators. Users need to
be aware of these words that have special meaning. Google search works
the same way.
http://dcx.sybase.com/index.html#1101en/dbreference_en11/sa-char-terms-system-procedure.html
http://dcx.sybase.com/index.html#1101en/dbreference_en11/contains-search-condition.html
http://dcx.sybase.com/index.html#1101en/dbusage_en11/ug-queries-b-3903166.html
alphanumeric characters. You cannot search for an asterisk because the
asterisk will not be in the index. I find sa_char_terms useful for
better understanding full text indexes and searches. It allows you to
see how values are broken into terms for indexing.
Searching for AND and OR is possible, but they must be enclosed in
double quotes to avoid being interpreted as operators. Users need to
be aware of these words that have special meaning. Google search works
the same way.
http://dcx.sybase.com/index.html#1101en/dbreference_en11/sa-char-terms-system-procedure.html
http://dcx.sybase.com/index.html#1101en/dbreference_en11/contains-search-condition.html
http://dcx.sybase.com/index.html#1101en/dbusage_en11/ug-queries-b-3903166.html
philM
Nov 3, 2009, 10:25:33 AM11/3/09
to SQL Anywhere Web Development
Your best bet (and this is generally always the best for security and
internationalization) is to use a host variable. So, for example
(warning: the code below is untested):
$stmt = sasql_prepare( $conn, "select * from student where name in
( ?, ?, ? )" );
sasql_stmt_bind_param( $stmt, "sss", "John", "Jill", "Adam" );
if( sasql_stmt_execute( $stmt ) ) {
echo "Execute success\n";
// do fetching, etc... here
} else {
echo "Execute FAIL!\n";
}
sasql_stmt_close( $stmt );
Hope this helps.
Cheers,
Phil
internationalization) is to use a host variable. So, for example
(warning: the code below is untested):
$stmt = sasql_prepare( $conn, "select * from student where name in
( ?, ?, ? )" );
sasql_stmt_bind_param( $stmt, "sss", "John", "Jill", "Adam" );
if( sasql_stmt_execute( $stmt ) ) {
echo "Execute success\n";
// do fetching, etc... here
} else {
echo "Execute FAIL!\n";
}
sasql_stmt_close( $stmt );
Hope this helps.
Cheers,
Phil
philM
Nov 3, 2009, 10:29:21 AM11/3/09
to SQL Anywhere Web Development
Sorry...I just realized my example has nothing to do with what you're
trying to do. You might try:
$stmt = sasql_prepare( $conn, "select title from books where
description contains ?" );
sasql_stmt_bind_param( $stmt, "s", $search_terms );
provided as user input is a recipe for SQL injection vulnerabilities.
Cheers,
Phil
trying to do. You might try:
$stmt = sasql_prepare( $conn, "select title from books where
description contains ?" );
sasql_stmt_bind_param( $stmt, "s", $search_terms );
if( sasql_stmt_execute( $stmt ) ) {
echo "Execute success\n";
// do fetching, etc... here
} else {
echo "Execute FAIL!\n";
}
sasql_stmt_close( $stmt );
Relying on escaping keywords, especially if these keywords are
echo "Execute success\n";
// do fetching, etc... here
} else {
echo "Execute FAIL!\n";
}
sasql_stmt_close( $stmt );
provided as user input is a recipe for SQL injection vulnerabilities.
Cheers,
Phil
Reply all
Reply to author
Forward
0 new messages