Search Query Parsing
debt(d7/e5/b5/t7)
Closest to 'only careful code review or runtime testing' (d7). The detection_hints mark automated:no; phpstan/semgrep can flag the crude code_pattern (explode(' ', $query) feeding a search client, or json_decode of GET passed raw) but the semantic problems — missing field allowlist, no default operator, crash-on-malformed — are mostly invisible to static analysis and surface only under careful review or runtime testing of edge-case queries.
Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix requires building a quote- and operator-aware lexer, adding field allowlist validation, and routing all query construction through it — more than a parameterised swap; it's a focused refactor of the query layer touching the parser, validation, and engine-handoff code.
Closest to 'persistent productivity tax' (b5). applies_to spans web/api/library contexts and the parser sits between users and the search engine; every new searchable field, operator, or feature must flow through this parsing layer, so the design choice exerts ongoing reach across search-related work streams without quite defining the whole system shape.
Closest to 'serious trap' (t7). The misconception — that query parsing is the same as index-time tokenisation — leads competent developers to conflate two separate stages, and common_mistakes show the 'obvious' whitespace-split approach shreds phrase searches and the naive pass-through exposes field-probing/DoS; the behaviour contradicts the intuitive 'just split and search' model.
Also Known As
TL;DR
Explanation
Search query parsing is the front-end stage of a search pipeline that turns a raw input string into a structured representation the search engine can execute. A user types something like `title:laptop "gaming rig" -refurbished price:<500`, and before any matching happens, the parser must split that string into meaningful units: free-text tokens, quoted phrases, field-scoped terms, boolean and negation operators, range expressions, and modifiers like fuzziness or boost. This is distinct from index-time tokenisation (stemming, lowercasing, stop-word removal) - query parsing decides the shape of the query, not how documents were analysed, though the two must agree on analysis rules to match correctly. A typical parser works in stages. First, lexing splits the input into tokens while respecting quoting and escaping so that a quoted phrase stays intact and a literal colon inside a value is not mistaken for a field separator. Next, operator recognition identifies syntax such as AND/OR/NOT, leading minus for exclusion, field:value pairs, and comparison operators for ranges. Finally, the parser builds an abstract structure - often a tree of clauses - that maps cleanly onto the engine's query DSL (Elasticsearch bool/match queries, Meilisearch filters, or SQL conditions). The hard parts are ambiguity and safety. Users mistype operators, leave quotes unbalanced, or inject control characters, so a robust parser degrades gracefully: an unmatched quote becomes literal text rather than a crash. Field extraction must validate against an allowlist of searchable fields, both to avoid surprising results and to prevent users from probing unindexed or sensitive fields. Many teams expose only a simplified query language to end users and reserve the full DSL for internal callers, because raw DSL passthrough is a common source of denial-of-service and information-disclosure issues. Good parsing also normalises - trimming whitespace, collapsing repeated operators, and applying default operators (usually AND between terms) - so the executed query reflects clear intent. Done well, query parsing is invisible; done badly, it produces zero-result pages, confusing rankings, or security holes.
Common Misconception
Why It Matters
Common Mistakes
- Splitting on whitespace without respecting quotes, so a phrase search like "gaming rig" is shredded into separate terms.
- Passing raw query DSL from users to the engine, exposing it to denial-of-service and field-probing attacks.
- Not validating extracted field names against an allowlist, letting users query unindexed or sensitive fields.
- Crashing on malformed input (unbalanced quotes, dangling operators) instead of degrading to a literal text search.
- Forgetting to apply a default operator, so multi-term queries match unexpectedly broadly or narrowly.
Code Examples
<?php
// Naive parser: split on spaces, pass straight to engine.
function parseQuery(string $input): array {
$tokens = explode(' ', trim($input));
// "gaming rig" becomes two tokens; title:laptop is one opaque token
// -refurbished and quotes are ignored; no field validation
return ['must' => $tokens];
}
// Worse: raw DSL passthrough from user input
$query = json_decode($_GET['q'], true);
$results = $client->search('products', $query); // DoS + field probingAdd a comment or fallback noting unbalanced-quote handling, e.g. a preliminary check `if (substr_count($input, '"') % 2 !== 0) { $input = str_replace('"', '', $input); }` to degrade gracefully to literal text, matching the long-text claim.References
https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-simple-query-string-query.html
https://lucene.apache.org/core/current/queryparser/org/apache/lucene/queryparser/classic/package-summary.html
https://www.meilisearch.com/docs/learn/filtering_and_sorting/filter_expression_reference