
Search API

Posted: Fri Oct 22, 2010 23:35
by Ravenchild
The Cardscape Search should be powerful but not prone to security holes.

After some planning and evaluation, I came to the following solution:

The query itself will be contained in a single big <textarea> and look something like this:

(name=ice,cost<3;(name=fire,cost>4,threshold=1-2);name=air,cost=3):sort=name,limit=4
Okay, that's a more complicated example, but you'll get the idea:
All search criteria will be of the form FIELD COMPARE VALUE, where FIELD is any valid card property field. COMPARE can be any comparison symbol of (=<>), and VALUE can be either a string, a number or a range. Ranges are written in the form a-b.

A comma translates to AND and a semicolon translates to OR. Braces are used to group several criteria together. A colon is used as a delimiter for global settings for the query like sorting criteria and display criteria (LIMIT).

Of course I do not require the user to enter this query directly into the form. There will be further controls that help the user to construct the query.

To ensure a high level of security, the input is parsed and checked by PHP and transformed into MySQL. The input scheme is relatively simple, so I don't think it will be easy to inject bad code.
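The grammar described above (FIELD COMPARE VALUE, comma for AND, semicolon for OR, grouping, and the colon-separated sort/limit settings) is small enough to parse completely. The block below is an added example, not Cardscape's code: it is written in Python with SQLite standing in for the PHP/MySQL pair in the post, and it shows the property that actually prevents injection, namely that user text only ever reaches the database as bound parameters, while column names and operators come from fixed allowlists. Assumptions not in the post: the field names `name`, `cost` and `threshold` and the `cards` table are made up for the demo; grouping uses round parentheses as in the example query; AND binds tighter than OR; `sort` and `limit` are the only settings; the first colon starts the settings; and `limit` is clamped to a maximum of 100.

```python
import re
import sqlite3

# Allowlist of card property fields, mapped to column names. Constructed for
# this example; Cardscape's real schema is not shown in the post.
FIELDS = {"name": "name", "cost": "cost", "threshold": "threshold"}
OPERATORS = {"=": "=", "<": "<", ">": ">"}   # the COMPARE symbols from the post
MAX_LIMIT = 100                               # assumed cap on LIMIT

CRIT_RE = re.compile(r"^([A-Za-z_]+)([=<>])(.+)$")   # FIELD COMPARE VALUE
RANGE_RE = re.compile(r"^(\d+)-(\d+)$")              # a-b
NUMBER_RE = re.compile(r"^\d+$")


class QueryError(ValueError):
    """Anything outside the grammar is refused, never repaired."""


def tokenize(text):
    """Split into '(', ')', ',', ';' and raw FIELD COMPARE VALUE chunks."""
    tokens, i = [], 0
    while i < len(text):
        if text[i] in "(),;":
            tokens.append(text[i]); i += 1
        elif text[i].isspace():
            i += 1
        else:
            j = i
            while j < len(text) and text[j] not in "(),;":
                j += 1
            tokens.append(text[i:j]); i = j
    return tokens


def criterion(chunk):
    """One FIELD COMPARE VALUE -> (SQL with ? placeholders, bound values)."""
    m = CRIT_RE.match(chunk)
    if not m:
        raise QueryError(f"malformed criterion: {chunk!r}")
    field, op, value = m.groups()
    if field not in FIELDS:                  # only allowlisted names reach the SQL text
        raise QueryError(f"unknown field: {field!r}")
    column = FIELDS[field]
    r = RANGE_RE.match(value)
    if r:                                    # a range only makes sense with '='
        if op != "=":
            raise QueryError("ranges require '='")
        return f"{column} BETWEEN ? AND ?", [int(r.group(1)), int(r.group(2))]
    if NUMBER_RE.match(value):
        return f"{column} {OPERATORS[op]} ?", [int(value)]
    return f"{column} {OPERATORS[op]} ?", [value]   # strings are bound, never spliced


class Parser:
    """expr := term (';' term)*      OR
       term := factor (',' factor)*  AND (assumed to bind tighter than OR)
       factor := '(' expr ')' | criterion"""

    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek(); self.pos += 1; return tok

    def _join(self, parse_part, sep, joiner):
        sql, params = parse_part()
        parts = [sql]
        while self.peek() == sep:
            self.take()
            s, p = parse_part(); parts.append(s); params += p
        return (f"({joiner.join(parts)})" if len(parts) > 1 else sql), params

    def expr(self):
        return self._join(self.term, ";", " OR ")

    def term(self):
        return self._join(self.factor, ",", " AND ")

    def factor(self):
        tok = self.take()
        if tok == "(":
            sql, params = self.expr()
            if self.take() != ")":
                raise QueryError("unbalanced parentheses")
            return sql, params
        if tok is None or tok in "),;":
            raise QueryError("expected a criterion")
        return criterion(tok)


def parse_settings(text):
    """Settings after the colon: sort=FIELD and limit=N (assumed to be the full set)."""
    order, limit = None, None
    for item in filter(None, text.split(",")):
        key, _, value = item.partition("=")
        if key == "sort" and value in FIELDS:
            order = FIELDS[value]              # column name taken from the allowlist
        elif key == "limit" and NUMBER_RE.match(value):
            limit = min(int(value), MAX_LIMIT)  # clamp rather than trust the user
        else:
            raise QueryError(f"bad setting: {item!r}")
    return order, limit


def compile_query(query):
    """Whole query -> (parameterised SELECT, bound values)."""
    where_text, _, settings_text = query.partition(":")
    parser = Parser(tokenize(where_text))
    where_sql, params = parser.expr()
    if parser.peek() is not None:
        raise QueryError(f"unexpected {parser.peek()!r}")
    order, limit = parse_settings(settings_text)
    sql = "SELECT name, cost, threshold FROM cards WHERE " + where_sql
    if order:
        sql += f" ORDER BY {order}"
    if limit is not None:
        sql += " LIMIT ?"
        params.append(limit)
    return sql, params


def run_demo(query):
    """Run a query against a constructed in-memory table (SQLite in place of MySQL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cards (name TEXT, cost INTEGER, threshold INTEGER)")
    con.executemany("INSERT INTO cards VALUES (?, ?, ?)", [
        ("ice", 2, 1), ("ice", 5, 3), ("fire", 6, 2),
        ("fire", 6, 3), ("air", 3, 1), ("earth", 3, 1),
    ])
    sql, params = compile_query(query)
    return con.execute(sql, params).fetchall()


if __name__ == "__main__":
    example = "(name=ice,cost<3;(name=fire,cost>4,threshold=1-2);name=air,cost=3):sort=name,limit=4"
    print(compile_query(example))
    print(run_demo(example))
```

The point to check in any implementation of this scheme is what can end up inside the SQL string: here it is only column names copied out of `FIELDS`, operator symbols copied out of `OPERATORS`, and `?` placeholders, so a value like `' OR 1=1 --` is merely a string compared against `name` and matches nothing. A simple grammar on its own does not give that guarantee; the parameter binding and the allowlists do, and the parser rejects anything it does not understand (unknown fields, unbalanced parentheses, a range with `<`) instead of guessing. With PDO or mysqli the same `?` placeholders work unchanged.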

Comments are appreciated.