Posted Saturday, 07 March 2009 by Miklos
Tags: en hacking

We all know the usual problem with SQL escaping; there is even a comic about it.

There is another SQL-related project, Sphinx, which is a quite efficient search indexer (especially for whole-word search), but it also needs escaping. Given that in Sphinx "foo-bar" means "all records containing foo, but not bar", if you really want the single word "foo-bar", then you need to write "foo\-bar".

And that's the fun part, as the escaping order matters a lot: if you escape for MySQL first and only then insert the value into the Sphinx query, you have just created an injection yourself. ;)

So, if you did the escaping in the right order (Sphinx first, then MySQL, because the Sphinx query is the value that ends up inside the SQL string literal), the final query will contain "foo\\-bar".

It's also notable that the official Sphinx PHP API does not seem to escape the ";" character, which is also a bug, as this way the search query can be modified any way you want.
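The two escaping layers from the post, composed in both orders, as an added example (my own code, not the Sphinx API's EscapeString or anything from the post): the special-character set and the MySQL escaping rules below are simplified assumptions, and ";" is included in the Sphinx set because of the remark above.

```python
# Added example: escape for the inner context (Sphinx) first, then for the
# outer context (the MySQL string literal), and show what the wrong order does.
# ASSUMPTION: this character set and the MySQL rules are simplified, not the
# real API implementations.
SPHINX_SPECIAL = set('\\()|-!@~"&/^$=;')


def sphinx_escape(text: str) -> str:
    """Backslash-escape Sphinx query operators so the input matches literally."""
    return ''.join('\\' + c if c in SPHINX_SPECIAL else c for c in text)


def mysql_escape(text: str) -> str:
    """Escape a value for a single-quoted MySQL literal (backslash and quotes only)."""
    return text.replace('\\', '\\\\').replace("'", "\\'").replace('"', '\\"')


def mysql_unescape(literal: str) -> str:
    """Simulate MySQL decoding a literal body: '\\x' yields 'x' for any x."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == '\\' and i + 1 < len(literal):
            out.append(literal[i + 1])
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return ''.join(out)


def has_unescaped_quote(literal: str) -> bool:
    """True if a single quote would terminate the literal early (the injection case)."""
    i = 0
    while i < len(literal):
        if literal[i] == '\\':
            i += 2          # escaped pair, skip both characters
            continue
        if literal[i] == "'":
            return True
        i += 1
    return False


def right_order(user_input: str) -> str:
    """Sphinx (inner) first, MySQL (outer) second: "foo-bar" -> foo\\\\-bar."""
    return mysql_escape(sphinx_escape(user_input))


def wrong_order(user_input: str) -> str:
    """MySQL first, Sphinx second: the added backslashes never get MySQL-escaped."""
    return sphinx_escape(mysql_escape(user_input))
```

With the right order, MySQL decodes the literal back to exactly the Sphinx-escaped query; with the wrong order the Sphinx escape of "-" is silently eaten by MySQL, and a quote in the input ends up unescaped in the literal.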