[ic] IC Security Issue. -- Searching
ic at uc9.net
Thu May 5 14:43:04 EDT 2005
I want to set it up so that users can search on lots of different fields.
category, group, color, size
A user can choose, size 1-4 and category=Cat1 OR Cat2 OR Cat3, and a color
of RED OR BLUE
I see no way to do this with the built in system of searching. I do see
from the docs, that I can set a hidden field of a SQL query. Is that not
insecure. I relize that SAFE prevents someone from doing a delete or
update. But why could someone not do a "select * from userdb" or even
worse "select username as sku,password as comment from ..." that would
fill the search page with the passwords.
Does anyone see a way around this, is this a bug?
More information about the interchange-users