Entering single quotes in search box is broken

[cgorringe]

Which means you're out of luck if searching for a person with an Irish last name...

---

Request:

• URL : http://timebank.sfbace.org/searches?q=pam+O%27dea
• Parameters: {"action"=>"index", "q"=>"pam O'dea", "controller"=>"searches"}
• Rails root: /app

---

A ActiveRecord::StatementInvalid occurred in searches#index:

PGError: ERROR: syntax error in tsquery: "'pam' & 'O'dea'"
: SELECT people.*, ts_rank_cd((to_tsvector('english', coalesce("people"."name", '') || ' ' || coalesce("people"."description", ''))),
to_tsquery('''pam'' & ''O''dea''')) as rank FROM "people" WHERE (to_tsvector('english', coalesce("people"."name", '') || ' ' || coalesce("people"."description", '')) @@ to_tsquery('''pam'' & ''O''dea''')) ORDER BY rank DESC
[RAILS_ROOT]/.bundle/gems/ruby/1.8/gems/activerecord-2.3.11/lib/active_record/connection_adapters/abstract_adapter.rb:227:in `log'

[mtravers]

http://xkcd.com/327/

[cgorringe]

I remember that one on xkcd!

I haven't tested if an SQL injection would work, though I'm somewhat
surprised it isn't using parameterized queries... (unless it is)

If I had my BACE dev machine with me right now I'd fix this...

-Carl

On Wed, 2012-05-02 at 18:32 -0700, Mike Travers wrote:

http://xkcd.com/327/

---

Reply to this email directly or view it on GitHub:
#23 (comment)

[cgorringe]

Looks like the bug is in the "texticle" gem. It's been fixed in a newer version of the gem, but the version available depends on a newer version of activerecord (if I remember correctly) which may be hard to upgrade? Maybe someone can figure this out.