Query to HttpSolrServer:

```java
SolrQuery solrQuery = new SolrQuery();
solrQuery.setQuery(q);
QueryResponse queryResponse = solrServer.query(solrQuery);
```
I need to build a Solr query, something like "author:*user_inputed_text* title:*user_inputed_text*". I need something like PreparedStatement, but I couldn't find anything like that in the SolrJ library. How do I construct a query that would not contain an injection? How do I make the string entered by the user, \user_input_text\, safe?

I am constructing the query using concatenation. When I have, for example, this code:
```java
public String buildQuery(String userInputedText) {
    // Raw concatenation: the user's text is spliced straight into the query syntax
    String query = "author:*" + userInputedText + "* OR title:*" + userInputedText + "*";
    return query;
}
```
Then the user can inject some subquery and receive results that are not restricted. For example, the entered string was: " OR title:". So the whole query will be: author:* OR title:* OR title:* OR title:*

In this case the user receives all the results (they are not limited) and bypasses the pattern author:*?* OR title:*?*.
Please consider using the built-in SolrJ ClientUtils utility class, by means of which you can escape userInputText:

```java
String escapedUserInputText = ClientUtils.escapeQueryChars(userInputText);
```

For more details, take a look at the query parser syntax page.
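The following is an added example, not code from the question or the answer above, showing the concatenating method from the question next to a version hardened with ClientUtils.escapeQueryChars (from org.apache.solr.client.solrj.util in SolrJ). The class name SafeSolrQuery, the method names and the sample input are assumptions made for this illustration.

```java
import org.apache.solr.client.solrj.util.ClientUtils;

// Hypothetical class name for this example; requires the SolrJ library on the classpath.
public class SafeSolrQuery {

    // Vulnerable form from the question: user text is concatenated into query syntax,
    // so characters such as ':', '*', '"' and whitespace keep their query-parser meaning.
    static String buildQueryUnsafe(String userInput) {
        return "author:*" + userInput + "* OR title:*" + userInput + "*";
    }

    // Hardened form: every Lucene/Solr special character in the user text (including
    // whitespace) is backslash-escaped first, so the input is parsed as a literal term
    // and only the surrounding '*' written by the developer remain wildcards.
    static String buildQuerySafe(String userInput) {
        String escaped = ClientUtils.escapeQueryChars(userInput);
        return "author:*" + escaped + "* OR title:*" + escaped + "*";
    }

    // Detection aid for tests or logging: true if the user text would add an
    // unescaped field separator or boolean operator after concatenation.
    static boolean looksLikeInjection(String userInput) {
        return userInput.contains(":") || userInput.matches(".*\\b(OR|AND|NOT)\\b.*");
    }

    public static void main(String[] args) {
        // Constructed sample input in the spirit of the question's " OR title:" payload.
        String injected = "* OR title:";

        System.out.println("flagged:  " + looksLikeInjection(injected));
        System.out.println("unsafe:   " + buildQueryUnsafe(injected));
        System.out.println("escaped:  " + buildQuerySafe(injected));
    }
}
```

Running this prints the unsafe query with the injected OR clause intact, and the escaped query with the `*`, `:` and space characters each preceded by a backslash, so the whole input is matched as one literal token instead of changing the query's structure. The looksLikeInjection check is only a heuristic for tests and logging; escaping is the actual mitigation.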