This sounds good. As for the code injection, it is up to you to sanitize
the request before it goes to Lucene, probably by filling the email
field yourself and not relying on the user input for the email address.

HTH

Aviran
http://www.aviransplace.com
http://shaveh.co.il 
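
Added example (not code from either poster): the approach described in this thread, with the ownership clause built from Term objects using the address taken from the authenticated session rather than from request text, so query syntax typed by the user cannot alter it. It assumes a Lucene 9-era API (lucene-core plus lucene-queryparser) and that the "from" and "to" fields were indexed as untokenized, lower-cased keyword fields; the field names, class name and inputs are constructed for illustration.

```java
import org.apache.lucene.analysis.standard.StandardAnalyzer;
import org.apache.lucene.index.Term;
import org.apache.lucene.queryparser.classic.ParseException;
import org.apache.lucene.queryparser.classic.QueryParser;
import org.apache.lucene.search.BooleanClause.Occur;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.Query;
import org.apache.lucene.search.TermQuery;

/** Builds (user's search) AND (to == user OR from == user), with the owner clause never parsed from input. */
public final class OwnerRestrictedQuery {

    // Assumed field names: "from" and "to" hold exact (untokenized, lower-cased)
    // addresses; "body" is the analysed free-text field the user searches.
    private static final String FROM = "from";
    private static final String TO = "to";
    private static final String BODY = "body";

    public static Query build(String userInput, String sessionEmail) throws ParseException {
        // The user's terms may go through QueryParser. Whatever syntax they type
        // becomes one nested clause; it cannot reach outside its own MUST slot.
        Query userQuery = new QueryParser(BODY, new StandardAnalyzer()).parse(userInput);

        // The ownership clause is assembled from Term objects, with the address
        // taken from the session, so no user-controlled query syntax is parsed
        // here. Normalise the address the same way the field was indexed.
        String owner = sessionEmail.trim().toLowerCase(java.util.Locale.ROOT);
        Query ownerClause = new BooleanQuery.Builder()
                .add(new TermQuery(new Term(FROM, owner)), Occur.SHOULD)
                .add(new TermQuery(new Term(TO, owner)), Occur.SHOULD)
                .setMinimumNumberShouldMatch(1)
                .build();

        // FILTER makes the clause mandatory without contributing to scoring.
        return new BooleanQuery.Builder()
                .add(userQuery, Occur.MUST)
                .add(ownerClause, Occur.FILTER)
                .build();
    }

    public static void main(String[] args) throws ParseException {
        // Constructed inputs: field syntax in the user text stays inside the
        // MUST clause and is still ANDed with the ownership filter.
        Query q = build("invoice OR to:other@example.com", "Alice@Example.com");
        System.out.println(q);
    }
}
```

If the address fields were indexed with a tokenizing analyzer instead of as keyword fields, the TermQuery will not match the stored tokens, so check the index mapping before relying on this filter.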

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 24, 2007 8:35 AM
To: java-user@lucene.apache.org
Subject: Lucene code injection?

Hi,

I indexed emails. And now I want to restrict the search functionality
for users so they can only search for emails to/from them.

I know the email address of the user, so my plan is to do it in the
following way:
The user enters some search parameters, they are combined in a query.
This is a mix of TermQueries and WildcardQueries combined with
BooleanQueries.

This query I will combine with a TermQuery which includes only hits with
the email address of the user: (parameter-query) AND
(emailaddress-query)

Is this good practice?
And is this safe?
Or can a user do some kind of code injection to get other emails?

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

