lucene-java-user mailing list archives

From "Mordo, Aviran (EXP N-NANNATEK)" <>
Subject RE: Lucene code injection?
Date Thu, 24 May 2007 13:03:41 GMT
This sounds good. As for the code injection, it is up to you to sanitize
the request before it goes to Lucene, probably by filling the email
field yourself and not relying on the user input for the email address.



-----Original Message-----
From: Joe [] 
Sent: Thursday, May 24, 2007 8:35 AM
Subject: Lucene code injection?


I indexed emails. And now I want to restrict the search functionality
for users so they can only search for emails to/from them.

I know the email address of the user so my plan is to do it in the
The user enters some search parameters, they are combined in a query.
This is a mix of TermQueries and WildcardQueries combined with

This query I will combine with a TermQuery which includes only hits with
the email address of the user. (parameter-query) AND

Is this good practice?
And is this safe?
Or can a user do some kind of code injection to get other emails?

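The approach discussed in this thread, as an added example that is not code from either poster: the user's parameter query is wrapped in a required owner restriction that is built from the authenticated session's address as query objects, never by concatenating query text. It assumes the `BooleanQuery.Builder` API (Lucene 5.3 or later), hypothetical field names `to`, `from`, `subject` and `body`, and addresses indexed as single lowercase untokenized terms.

```java
import java.util.Locale;
import org.apache.lucene.index.Term;
import org.apache.lucene.search.BooleanClause.Occur;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.Query;
import org.apache.lucene.search.TermQuery;
import org.apache.lucene.search.WildcardQuery;

public final class OwnMailSearch {
    // Assumed field names; use whatever the index actually stores.
    static final String TO = "to", FROM = "from";

    /** Matches only mail sent to or from the given address. */
    static Query ownerRestriction(String sessionAddress) {
        // The address comes from the authenticated session, never from the
        // search form. TermQuery does not parse its text, so query syntax
        // inside the string has no effect; it is compared as one literal term.
        String addr = sessionAddress.trim().toLowerCase(Locale.ROOT);
        return new BooleanQuery.Builder()
                .add(new TermQuery(new Term(TO, addr)), Occur.SHOULD)
                .add(new TermQuery(new Term(FROM, addr)), Occur.SHOULD)
                .build();
    }

    /** (parameter-query) AND (owner restriction), built as objects. */
    static Query restrict(Query parameterQuery, String sessionAddress) {
        return new BooleanQuery.Builder()
                .add(parameterQuery, Occur.MUST)
                // FILTER is a required clause that does not affect scoring.
                .add(ownerRestriction(sessionAddress), Occur.FILTER)
                .build();
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for the user's search form.
        Query parameterQuery = new BooleanQuery.Builder()
                .add(new TermQuery(new Term("subject", "invoice")), Occur.SHOULD)
                .add(new WildcardQuery(new Term("body", "pay*")), Occur.SHOULD)
                .build();
        Query q = restrict(parameterQuery, "Alice@Example.org");
        System.out.println(q);
    }
}
```

Because the parameter query is nested as one required clause, nothing inside it can widen the result set beyond the owner restriction. The restriction only holds if the lowercasing here matches how addresses were normalized at index time.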