I've updated this question as a perplexing new twist to the problem has shown up.
MySQL is not handling hyphens or braces correctly.
    SELECT * FROM users WHERE MATCH(firstname, lastname, about) AGAINST('-' IN BOOLEAN MODE)

returns

    syntax error, unexpected $end

The same thing happens if I enter a ( or ). I know it's only those because entering anything else, such as test, works just fine.
I'm on MySQL 5.7.4M
---UPDATE---
This error disappears if I switch from InnoDB to MyISAM. Is this a bug with the relatively new FULLTEXT support in InnoDB?
------OLD Question----
I'm implementing a "search users" feature in my application built off of Laravel and PHP, and I'm making use of the fulltext search in MySQL. Laravel not having a function for this, I used a basic DB::select() to get the job done. The problem is that while it is using a prepared statement, it's acting like it isn't (kinda).

My Code:

    return DB::select("SELECT * FROM users WHERE MATCH(firstname,lastname,about) AGAINST(? IN BOOLEAN MODE)", array($query));
FYI for those who want to know, this is the DB::select() function:

    public function select($query, $bindings = array())
    {
        return $this->run($query, $bindings, function($me, $query, $bindings)
        {
            if ($me->pretending()) return array();

            // For select statements, we'll simply execute the query and return an array
            // of the database result set. Each element in the array will be a single
            // row from the database table, and will either be an array or objects.
            $statement = $me->getReadPdo()->prepare($query);

            $statement->execute($me->prepareBindings($bindings));

            return $statement->fetchAll($me->getFetchMode());
        });
    }
However, if I put in something like -- (to emulate a comment in a MySQL injection), I get the following error:

    SQLSTATE[42000]: Syntax error or access violation: 1064 syntax error, unexpected '-'

I know it's only stuff like this, as putting in Test or Hello World works perfectly fine.
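A note on what the error does and does not mean, with an added example that is not code from the question, from Laravel or from MySQL. The placeholder in the question is doing its job: PDO passes the value to MySQL as a string literal, exactly as in the hand-written AGAINST('-' ...) query at the top, so '--' and '(' are never read as SQL. The 1064 message comes from the boolean-mode full-text parser that MySQL runs over that string (the "unexpected $end" wording is that parser complaining about an unbalanced parenthesis or a bare operator), which makes this a robustness problem, a malformed search term fails the request, rather than an injection. The helper below keeps the prepared statement unchanged and instead normalises untrusted input into a form the boolean-mode parser always accepts. It assumes PHP 7.4 or later and a PDO connection to the same users table; the function names are my own.

```php
<?php
// Added example (not code from the question or from Laravel): wrap the
// original prepared query in a small helper that first rewrites untrusted
// input into a form the InnoDB boolean-mode parser always accepts.
// Assumes PHP 7.4+ and a PDO connection to the same `users` table.

/**
 * Rewrite free-form input as a boolean-mode AGAINST() string.
 *
 * Every character the boolean-mode parser treats as an operator
 * (+ - < > ( ) ~ * " @) is replaced by a space, the remaining words are each
 * wrapped in double quotes so they are read as literal phrases, and each is
 * prefixed with '+' so that all words must match. Input that contains nothing
 * but operators (the '--' and '(' cases from the question) yields an empty
 * string, so the caller can skip the query instead of sending a term that
 * the parser will reject.
 */
function booleanFulltextTerm(string $input, int $maxWords = 8): string
{
    // preg_replace returns null on invalid UTF-8; treat that as no usable input.
    $cleaned = preg_replace('/[+\-<>()~*"@]/u', ' ', $input) ?? '';
    $words = preg_split('/\s+/u', trim($cleaned), -1, PREG_SPLIT_NO_EMPTY);
    $words = array_slice($words, 0, $maxWords); // cap the number of phrases

    return implode(' ', array_map(fn(string $w): string => '+"' . $w . '"', $words));
}

/**
 * The same query as in the question, still with a bound parameter; only the
 * value handed to AGAINST() has been normalised first.
 */
function searchUsers(PDO $pdo, string $query): array
{
    $term = booleanFulltextTerm($query);
    if ($term === '') {
        return []; // nothing searchable left, so do not run an empty AGAINST()
    }

    $statement = $pdo->prepare(
        'SELECT * FROM users WHERE MATCH(firstname, lastname, about) AGAINST(? IN BOOLEAN MODE)'
    );
    $statement->execute([$term]);

    return $statement->fetchAll(PDO::FETCH_ASSOC);
}
```

This deliberately takes the boolean operators away from the user: a search box that is meant to accept plain names does not need them, and quoting each word as a phrase means no input can reach the parser as an operator at all. If the feature is supposed to let users write +foo -bar themselves, the alternative is to validate instead of rewrite (balanced parentheses, an operator only when followed by a word, quotes in pairs) and reject anything else before it goes to MySQL.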