duanji1026 2016-01-31 05:27

Format string for a MySQL MATCH query

I'm trying to construct a MySQL fulltext search query from user input, but I'm confused as to how to best format it for insertion into the prepared statement the sql module creates. Essentially right now I'm taking the term, splitting it on spaces, and creating a slice with the words. Then I format the slice parts with a + in front. So right now the input will look like "+my +cool +search"

A small snippet example

terms := strings.Split(strings.TrimSpace("my cool search"), " ")

var searchquery []string

for _, term := range terms {
    searchquery = append(searchquery, fmt.Sprintf("+%s", term))
}

dbase.Query(`SELECT blah FROM blah WHERE blah
AND MATCH(title) AGAINST (? IN BOOLEAN MODE)`, strings.Join(searchquery, " "))

The problem is it doesn't seem to escape characters the way I'd expect, because the IN BOOLEAN MODE has certain special operators like the +, -, >, < symbols. If a user inserts any of those characters it messes up the search. I've read you need to enclose terms with double quotes, but does that mean the sql driver isn't doing it when it inserts the parameter? It's ambiguous as to what the '?' is being replaced with, I guess.

I haven't been able to find many examples of how to dynamically construct these types of queries on the internet either, so maybe there's a completely better way to do it in general? Thanks!
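
An added example, not part of the original post: binding through `?` sends the string as data, so it cannot alter the SQL statement, but MySQL's full-text parser still interprets boolean-mode operators found inside that string. The hypothetical helper `booleanQuery` below treats those operator characters as separators before prefixing each remaining word with `+`; the helper name and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Characters the MySQL boolean-mode full-text parser treats as operators.
const ftOperators = `+-><()~*"@`

// booleanQuery (hypothetical helper) converts free-form user input into a
// BOOLEAN MODE expression in which every word is required ("+word").
// Operator characters and whitespace act as separators, so user input can
// never contribute an operator of its own. ok is false when no searchable
// word remains, in which case the caller should skip the MATCH clause.
func booleanQuery(input string) (expr string, ok bool) {
	words := strings.FieldsFunc(input, func(r rune) bool {
		return unicode.IsSpace(r) || strings.ContainsRune(ftOperators, r)
	})
	if len(words) == 0 {
		return "", false
	}
	for i, w := range words {
		words[i] = "+" + w
	}
	return strings.Join(words, " "), true
}

func main() {
	// Constructed sample inputs.
	for _, in := range []string{"my cool search", `-my +cool "search"*`, "+-<>"} {
		expr, ok := booleanQuery(in)
		fmt.Printf("%q -> %q (ok=%v)\n", in, expr, ok)
	}
}
```

The returned expression is what gets passed as the bound parameter for `AGAINST (? IN BOOLEAN MODE)`, in place of the joined slice in the snippet above.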
