
Query to HttpSolrServer.

SolrQuery solrQuery = new SolrQuery();
solrQuery.setQuery(q);
QueryResponse queryResponse = solrServer.query(solrQuery);

I need to build a Solr query, something like "author:*user_inputed_text* title:*user_inputed_text*". I need something like PreparedStatement, but I couldn't find anything like that in the solrj library. How do I construct a query that would not contain an injection? How do I make the string input by the user - \user_input_text\ - safe?

I am constructing the query using concatenation. When I have, for example, this code:

public String buildQuery(String userInputedText) {
    // user text is concatenated straight into the query syntax
    String query = "author:*" + userInputedText + "* OR title:*" + userInputedText + "*";
    return query;
}

Then the user can inject some subquery and receive results that are not restricted. For example, the input string was: " OR title:". So the whole query will be: author:* OR title:* OR title:* OR title:*

In this case the user receives all the results (they are not limited) and passes the pattern author:*?* OR title:*?*.

John
  • What's the problem... Explain the problem you are facing – kirti Nov 11 '14 at 10:32
  • Actually it is not clear to me what you mean by saying that you need to make it safe. Could you please post an example of how to make a query on Solr "unsafe"? You're performing a query, so it is not possible to damage your indices. I think you should give more details about your goal. – Max Nov 18 '14 at 10:16

1 Answer


Please consider using the built-in solrj ClientUtils utility class, by means of which you can escape userInputText:

String escapedUserInputText = ClientUtils.escapeQueryChars(userInputText);

For more details take a look at the queryparser syntax page.

Dmytro Chyzhykov
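As an added example (not the asker's code and not part of solrj itself), here is the question's buildQuery beside a version that runs the user text through ClientUtils.escapeQueryChars before concatenating it; the class name SafeSolrQuery and the sample input are assumptions made for this illustration.

```java
import org.apache.solr.client.solrj.util.ClientUtils;

public class SafeSolrQuery {

    // Vulnerable form from the question: user text becomes part of the query syntax,
    // so characters such as '*', ':' and whitespace change the query's structure.
    static String buildQueryUnsafe(String userInput) {
        return "author:*" + userInput + "* OR title:*" + userInput + "*";
    }

    // Hardened form: escapeQueryChars backslash-escapes every Lucene/Solr query
    // syntax character (\ + - ! ( ) : ^ [ ] " { } ~ * ? | & ; /) and whitespace,
    // so the user text is matched literally and cannot add or alter clauses.
    static String buildQuerySafe(String userInput) {
        String escaped = ClientUtils.escapeQueryChars(userInput);
        return "author:*" + escaped + "* OR title:*" + escaped + "*";
    }

    public static void main(String[] args) {
        // Constructed sample input in the spirit of the question's example.
        String hostile = "* OR title:*";

        // Unescaped: the input splices in an unrestricted "OR title:*" clause.
        System.out.println(buildQueryUnsafe(hostile));

        // Escaped: the same characters are now literal, e.g. "\*\ OR\ title\:\*",
        // so the query only ever searches author and title for that literal text.
        System.out.println(buildQuerySafe(hostile));
    }
}
```

Only the user-supplied fragment is escaped; the field names and wildcards that the application itself writes remain live query syntax.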