[ic] IC Security Issue. -- Searching

john ic at uc9.net
Thu May 5 14:43:04 EDT 2005


Hi all,
I want to set it up so that users can search on lots of different fields.
For example:
category, group, color, size

A user can choose, size 1-4 and category=Cat1 OR Cat2 OR Cat3, and a color 
of RED OR BLUE

I see no way to do this with the built in system of searching.  I do see 
from the docs, that I can set a hidden field of a SQL query.  Is that not 
insecure.  I relize that SAFE prevents someone from doing a delete or 
update.  But why could someone not do a "select * from userdb" or even 
worse "select username as sku,password as comment from ..."  that would 
fill the search page with the passwords.

Does anyone see a way around this, is this a bug?

John


More information about the interchange-users mailing list