Page 1 of 1

Search API

Posted: Fri Oct 22, 2010 23:35
by Ravenchild
The Cardscape Search should be powerful but not prone to security holes.

After some planning and evaluation, I came to the following solution:

The query itself will be contained in a single big <textarea> and look something like this:

Code: Select all

Okay, that's a more complicated example but you'll get the idea:
All search criteria will be of the form FIELD COMPARE VALUE
Where FIELD is any valid card property field. COMPARE can be any comparison symbol of (=<>) and VALUE can either be a string, a number or a range. Ranges are written in the form of a-b.

A comma translates to AND and a semicolon translates to OR. Braces are used to group several criteria together. A colon is used as a delimiter for global settings for the query like sorting criteria and display criteria (LIMIT).

Of course I do not require the user to enter this query directly into the form. There will be further controls that help the user to construct the query.

To ensure a high level of security, the input is parsed and checked by PHP and transformed into MySQL. The input scheme is relatively simple so that I don't think it will be easy to inject bad code.

Comments are appreciated.