[ic] "SOLVED" RE: search problem on any table
IC Support
ic_support at mnwebdesign.com
Wed Oct 5 15:59:06 UTC 2011
On Tuesday, October 04, 2011 7:41 PM Peter said:
> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org
> [mailto:interchange-users-bounces at icdevgroup.org] On Behalf Of Peter
> Sent: Tuesday, October 04, 2011 7:41 PM
> To: interchange-users at icdevgroup.org
> Subject: Re: [ic] "SOLVED" RE: search problem on any table
>
> On 05/10/11 12:10, IC Support wrote:
> > Just to follow up, I did end up figuring out I needed to add the
> > NoSearch directive to my search pages.
> >
> > [calc]
> > $CGI->{mv_todo} = 'search';
> > $Config->{NoSearch} = '';
> > [/calc]
>
> This is not a good idea, I (or someone with worse intentions
> than me) can now create a specially crafted search query to
> get data out of your userdb, transactions, orderline, access,
> tables and more. You should specify the NoSearch directive
> once in your catalog.cfg and list every table that you do not
> anticipate a search running on, or better yet upgrade to a
> more recent version of IC that has much better limitations on
> search to prevent this.
I'm running IC 5.6.3, I don't sell products, this is a member directory, all
search pages are members only, members must be a part of each organization's
cat, there is no way to create a new account by the general public, accounts
for members are created in advance by an admin, and I have this in
catalog.cfg:
AllowRemoteSearch reunion news photos userdb
After Peter sent this reply, I made some changes and I can search all db's
except userdb at this point, without unsetting the NoSearch directive on
those searches.
Adding this to catalog.cfg did not seem to do anything:
NoSearch state country
I had to add the NoSearch directive to my userdb search pages. I have
several saved emails from Mike Heins and others proclaiming that, while it
may not be the best idea, it is the way to do it.
I only have a few tables that I am not searching. Am I really gaining
anything by adding this to catalog.cfg?
NoSearch state country
Thank you!
Curt
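An added audit script in Perl (Interchange's own language; this is example code, not Interchange's or the list members' code) that reads the NoSearch and AllowRemoteSearch directives discussed above and flags the in-page override Peter objects to. The catalog.cfg excerpt and page snippets are constructed from this thread, and parse_directive, audit_catalog and the SENSITIVE list are assumed names.

```perl
#!/usr/bin/perl
# Added audit example (assumed names, not Interchange's own code): parses the
# NoSearch / AllowRemoteSearch directives from catalog.cfg text and scans page
# text for in-page $Config->{NoSearch} overrides. All inputs are constructed.
use strict;
use warnings;

# Tables Peter names as targets of a crafted search (assumption).
my @SENSITIVE = qw(userdb transactions orderline access);

# Constructed catalog.cfg excerpt mirroring the thread.
my $catalog_cfg = <<'CFG';
AllowRemoteSearch reunion news photos userdb
NoSearch state country
CFG
# Constructed page snippets: the userdb search page blanks the deny list.
my %pages = (
    'pages/member_search.html' =>
        "[calc]\n\$CGI->{mv_todo} = 'search';\n\$Config->{NoSearch} = '';\n[/calc]\n",
    'pages/news_search.html' => "[search-region]...[/search-region]\n",
);
# Collect the whitespace-separated table list of one directive (case-insensitive).
sub parse_directive {
    my ($cfg, $name) = @_;
    my %set;
    for my $line (split /\n/, $cfg) {
        next unless $line =~ /^\s*\Q$name\E\s+(.*\S)/i;
        $set{$_} = 1 for split ' ', $1;
    }
    return \%set;
}

sub audit_catalog {
    my ($cfg, $pages) = @_;
    my $deny  = parse_directive($cfg, 'NoSearch');
    my $allow = parse_directive($cfg, 'AllowRemoteSearch');
    my @findings;
    for my $t (@SENSITIVE) {
        push @findings, "NoSearch does not list '$t'" unless $deny->{$t};
        push @findings, "AllowRemoteSearch exposes '$t'" if $allow->{$t};
    }
    # Blanking NoSearch in a page drops the deny list for that whole request.
    for my $file (sort keys %$pages) {
        push @findings, "$file clears \$Config->{NoSearch} in-page"
            if $pages->{$file} =~ /\$Config->\{NoSearch\}\s*=\s*(['"])\1/;
    }
    return \@findings;
}

print "$_\n" for @{ audit_catalog($catalog_cfg, \%pages) };
```

Run against a real catalog, the same two checks would read catalog.cfg and the pages directory from disk instead of the constructed strings.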