refactored tsquery sql to use rails escaping mechanisms

2013-03-07 16:34:12 -05:00
parent b7a5612c82
commit 2338f004eb
10 changed files with 23 additions and 21 deletions
--- a/app/logical/post_query_builder.rb
+++ b/app/logical/post_query_builder.rb
@@ -1,11 +1,6 @@
 class PostQueryBuilder
  attr_accessor :query_string, :has_constraints
  def self.escape_string_for_tsquery(token)
    escaped_token = token.gsub(/\\|'/, '\0\0\0\0').gsub("?", "\\\\77").gsub("%", "\\\\37")
    "''" + escaped_token + "''"
  end
  def initialize(query_string)
    @query_string = query_string
    @has_constraint = false
@@ -53,7 +48,7 @@ class PostQueryBuilder
  def escape_string_for_tsquery(array)
    array.map do |token|
-      PostQueryBuilder.escape_string_for_tsquery(token)
+      token.to_escaped_for_tsquery
    end
  end
@@ -75,7 +70,7 @@ class PostQueryBuilder
    end
    if tag_query_sql.any?
-      relation = relation.where("posts.tag_index @@ to_tsquery('danbooru', E'" + tag_query_sql.join(" & ") + "')")
+      relation = relation.where("posts.tag_index @@ to_tsquery('danbooru', E?)", tag_query_sql.join(" & "))
    end
    relation
--- a/app/models/artist.rb
+++ b/app/models/artist.rb
@@ -210,7 +210,7 @@ class Artist < ActiveRecord::Base
    end
    def other_names_match(string)
-      where("other_names_index @@ to_tsquery('danbooru', ?)", Artist.normalize_name(string))
+      where("other_names_index @@ to_tsquery('danbooru', E?)", Artist.normalize_name(string).to_escaped_for_tsquery)
    end
    def group_name_matches(name)
@@ -225,8 +225,8 @@ class Artist < ActiveRecord::Base
    def any_name_matches(name)
      stripped_name = normalize_name(name).to_escaped_for_sql_like
-      name_for_tsquery = normalize_name(name).gsub(/\(/, "\\(").gsub(/\)/, "\\)")
+      name_for_tsquery = normalize_name(name).to_escaped_for_tsquery
-      where("(name LIKE ? ESCAPE E'\\\\' OR other_names_index @@ to_tsquery('danbooru', ?))", stripped_name, name_for_tsquery)
+      where("(name LIKE ? ESCAPE E'\\\\' OR other_names_index @@ to_tsquery('danbooru', E?))", stripped_name, name_for_tsquery)
    end
    def search(params)
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -16,7 +16,7 @@ class Comment < ActiveRecord::Base
    end
    def body_matches(query)
-      where("body_index @@ plainto_tsquery(?)", query).order("comments.id DESC")
+      where("body_index @@ plainto_tsquery(?)", query.to_escaped_for_tsquery_split).order("comments.id DESC")
    end
    def hidden(user)
@@ -28,7 +28,7 @@ class Comment < ActiveRecord::Base
    end
    def post_tags_match(query)
-      joins(:post).where("posts.tag_index @@ to_tsquery('danbooru', E?)", query)
+      joins(:post).where("posts.tag_index @@ to_tsquery('danbooru', ?)", query.to_escaped_for_tsquery_split)
    end
    def for_creator(user_id)
--- a/app/models/dmail.rb
+++ b/app/models/dmail.rb
@@ -99,7 +99,7 @@ class Dmail < ActiveRecord::Base
    end
    def search_message(query)
-      where("message_index @@ plainto_tsquery(?)", query)
+      where("message_index @@ plainto_tsquery(?)", query.to_escaped_for_tsquery_split)
    end
    def unread
--- a/app/models/forum_post.rb
+++ b/app/models/forum_post.rb
@@ -13,7 +13,7 @@ class ForumPost < ActiveRecord::Base
  module SearchMethods
    def body_matches(body)
-      where("forum_posts.text_index @@ plainto_tsquery(?)", body)
+      where("forum_posts.text_index @@ plainto_tsquery(E?)", body.to_escaped_for_tsquery)
    end
    def for_user(user_id)
@@ -41,7 +41,7 @@ class ForumPost < ActiveRecord::Base
      end
      if params[:topic_title_matches].present?
-        q = q.joins(:topic).where("forum_topics.text_index @@ plainto_tsquery(?)", params[:topic_title_matches])
+        q = q.joins(:topic).where("forum_topics.text_index @@ plainto_tsquery(E?)", params[:topic_title_matches].to_escaped_for_tsquery_split)
      end
      if params[:body_matches].present?
--- a/app/models/forum_topic.rb
+++ b/app/models/forum_topic.rb
@@ -14,7 +14,7 @@ class ForumTopic < ActiveRecord::Base
  module SearchMethods
    def title_matches(title)
-      where("text_index @@ plainto_tsquery(?)", title)
+      where("text_index @@ plainto_tsquery(E?)", title.to_escaped_for_tsquery_split)
    end
    def active
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -19,11 +19,11 @@ class Note < ActiveRecord::Base
    end
    def body_matches(query)
-      where("body_index @@ plainto_tsquery(?)", query.scan(/\S+/).join(" & "))
+      where("body_index @@ plainto_tsquery(E?)", query.to_escaped_for_tsquery_split)
    end
    def post_tags_match(query)
-      joins(:post).where("posts.tag_index @@ to_tsquery('danbooru', ?)", query)
+      joins(:post).where("posts.tag_index @@ to_tsquery('danbooru', E?)", query.to_escaped_for_tsquery_split)
    end
    def creator_name(name)
--- a/app/models/post.rb
+++ b/app/models/post.rb
@@ -938,8 +938,7 @@ class Post < ActiveRecord::Base
    end
    def raw_tag_match(tag)
-      tag = PostQueryBuilder.escape_string_for_tsquery(tag)
+      where("posts.tag_index @@ to_tsquery('danbooru', E?)", tag.to_escaped_for_tsquery)
      where("posts.tag_index @@ to_tsquery('danbooru', E'" + tag + "')")
    end
    def tag_match(query)
--- a/app/models/wiki_page.rb
+++ b/app/models/wiki_page.rb
@@ -21,7 +21,7 @@ class WikiPage < ActiveRecord::Base
    end
    def body_matches(query)
-      where("body_index @@ plainto_tsquery(?)", query.scan(/\S+/).join(" & "))
+      where("body_index @@ plainto_tsquery(?)", query.to_escaped_for_tsquery_split)
    end
    def search(params = {})
--- a/config/initializers/core_extensions.rb
+++ b/config/initializers/core_extensions.rb
@@ -5,6 +5,14 @@ module Danbooru
        return self.gsub(/\\/, '\0\0').gsub(/(%|_)/, "\\\\\\1").gsub(/\*/, '%')
      end
      def to_escaped_for_tsquery_split
        scan(/\S+/).map {|x| x.to_escaped_for_tsquery}.join(" & ")
      end
      def to_escaped_for_tsquery
        "'#{gsub(/\\|'/, '\0\0\0\0')}'"
      end
      def to_escaped_js
        return self.gsub(/\\/, '\0\0').gsub(/['"]/) {|m| "\\#{m}"}.gsub(/\r\n|\r|\n/, '\\n')
      end