lucene-java-user mailing list archives

From "Daan de Wit" <d.de....@wis.nl>
Subject RE: Lucene code injection?
Date Thu, 24 May 2007 13:19:35 GMT
Hi Joe,

It might be possible when you append the restriction before parsing the
user query with the QueryParser, but I'm not sure. I recommend first
parsing the query, and then constructing a BooleanQuery with the parsed
user query and the e-mail term both as must. Another approach would be
to use a QueryFilter. Using a QueryFilter might be the best solution
here because the filter is cached, and hence applies very fast on
subsequent searches.

Kind regards,
Daan

-----Original Message-----
From: Joe [mailto:fischauto333@yahoo.de] 
Sent: Thursday, May 24, 2007 15:14
To: java-user@lucene.apache.org
Subject: Re: Lucene code injection?

Hi,
> This sounds good. As for the code injection it is up to you to sanitize
> the request before it goes to Lucene, probably by filling the email
> field yourself and not rely on the user input for the email address

I hoped I wouldn't have to sanitize the user input because the email address
query is ANDed by the application, after the user has finished his input.

(user_query) AND (email_query)

So is it possible to produce a user_query which will ignore the ANDed 
(email_query)?



---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscribe@lucene.apache.org
For additional commands, e-mail: java-user-help@lucene.apache.org
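
Both approaches from Daan's reply above, as an added example that is not part of the original thread. It assumes the Lucene 2.x API that was current when the thread was written; the class name, the field names `email` and `body`, and the sample documents and input are constructed for illustration.

```java
import org.apache.lucene.analysis.standard.StandardAnalyzer;
import org.apache.lucene.document.*;
import org.apache.lucene.index.*;
import org.apache.lucene.queryParser.*;
import org.apache.lucene.search.*;
import org.apache.lucene.store.RAMDirectory;

public class OwnerScopedSearch {
    // The owner restriction is built as a Term object; it never passes through QueryParser.
    static Query ownerTerm(String email) {
        return new TermQuery(new Term("email", email));
    }
    // Option 1: parse the user text on its own, then require both clauses.
    static Query scoped(Query userQuery, String email) {
        BooleanQuery bq = new BooleanQuery();
        bq.add(userQuery, BooleanClause.Occur.MUST);
        bq.add(ownerTerm(email), BooleanClause.Occur.MUST);
        return bq;
    }
    static void add(IndexWriter w, String email, String body) throws Exception {
        Document d = new Document();
        d.add(new Field("email", email, Field.Store.YES, Field.Index.UN_TOKENIZED));
        d.add(new Field("body", body, Field.Store.YES, Field.Index.TOKENIZED));
        w.addDocument(d);
    }
    public static void main(String[] args) throws Exception {
        RAMDirectory dir = new RAMDirectory();
        IndexWriter w = new IndexWriter(dir, new StandardAnalyzer(), true);
        add(w, "alice@example.com", "quarterly report"); // constructed sample data
        add(w, "bob@example.com", "quarterly report");
        w.close();
        String userInput = "report OR email:bob@example.com"; // constructed input naming another owner
        Query userQuery;
        try {
            userQuery = new QueryParser("body", new StandardAnalyzer()).parse(userInput);
        } catch (ParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return;
        }
        IndexSearcher s = new IndexSearcher(dir);
        Hits h1 = s.search(scoped(userQuery, "alice@example.com"));
        // Option 2: the same restriction as a filter; keep one QueryFilter per owner so its cache is reused.
        Hits h2 = s.search(userQuery, new QueryFilter(ownerTerm("alice@example.com")));
        System.out.println(h1.length() + " / " + h2.length() + " hit(s), all owned by alice@example.com");
        s.close();
    }
}
```

Because the user text is parsed into its own `Query` object before being combined, whatever operators or field names it contains can only narrow the set of documents that the `email` clause or filter already allows.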
