On Mon, Aug 13, 2007 at 02:25:18PM -0400, Andrew Nagy wrote:
> > This project introduced me to SOLR, which means I am as noob as you can
> > get :-) But, it does seem strange that there doesn't exist some sort
> > of parameterizing capabilities. I'll take your word for it. I
> > suppose it wouldn't be too difficult to develop our own. We just need
> > a
> > list of all potentially offensive characters, e.g., square brackets
> > (),
> > carets (^), etc., and also reserved words, e.g., and, not, or, etc.
> > These are things that need to be addressed before even considering
> > putting this into production.
> Solr can only be accessed read-only from VuFind, so there is no reason to be worried about data security. The only issue with Solr is to make sure that you have your Solr server locked down by a firewall so that the public cannot access the admin pages of Solr.
> Solr also has a built in stopword list and can be configured to your liking. It is located in the solr/conf/stopwords.txt file. There is also a protected words file and a synonyms file that you can play around with. More info on them can be found in the solr wiki.
> With Solr we want to allow any character to be used - for example the ^, ~, etc. characters have meaning in Solr that the user can take advantage of. There are some characters, "" and ":", that do need to be stripped out from search queries. But the only harmful thing that they can cause is an error on the screen :)
If you allow any character to be used, then how does someone search
for the string "not"? I never get a result (In fact, I get error
messages at the top of the screen). A user would need to know how and
when to escape keywords such as "not" (e.g., \n\o\t). Also, try
entering single or double-quotes and you will also get errors. They
too would need to be escaped, e.g., \' and \"
> The only security concerns that I can see at this point are with the MySQL database. This needs to be tested for SQL injection, etc.
For this, using prepared statements with bind variables will help. :-)
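The two points raised in this reply, escaping user input before it reaches the Solr query parser and using bind variables for the MySQL side, as an added worked example. This is illustration code written for this thread, not VuFind's own code (VuFind is PHP; Python is used here so the example runs stand-alone). It assumes the standard Lucene/Solr query parser's backslash escape for syntax characters, handles the reserved words AND/OR/NOT by wrapping them in double quotes so they are searched as plain terms (my choice of fix, not the project's), and uses sqlite3 as a stand-in for MySQL with constructed sample rows:

```python
import re
import sqlite3

# Characters the Lucene/Solr standard query parser treats as syntax
# (the same set Lucene's QueryParser.escape() backslash-escapes).
SOLR_SPECIAL_CHARS = set('\\+-!():^[]"{}~*?|&/')

# Bare words the parser reads as boolean operators. The reply above reports
# a lowercase "not" failing too, so the match is case-insensitive.
RESERVED_WORD_RE = re.compile(r'\b(AND|OR|NOT)\b', re.IGNORECASE)


def escape_solr_query(user_input: str) -> str:
    """Return user_input rewritten so the query parser searches it literally.

    Step 1 backslash-escapes every syntax character, so a user's ^ or :
    no longer changes the query structure. Step 2 wraps bare AND/OR/NOT
    in double quotes so they become ordinary terms instead of operators
    (quoting is an assumed fix chosen for this example).
    """
    escaped = ''.join('\\' + c if c in SOLR_SPECIAL_CHARS else c
                      for c in user_input)
    return RESERVED_WORD_RE.sub(r'"\1"', escaped)


def unsafe_find_user_id(conn, username):
    # String-built SQL: the 'before' picture. User input becomes SQL syntax,
    # so "' OR '1'='1" matches every row instead of no row.
    sql = "SELECT id FROM users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_user_id(conn, username):
    # Prepared statement with a bind variable: the driver passes the value
    # separately from the statement text, so it can never become SQL syntax.
    row = conn.execute("SELECT id FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def make_demo_db():
    # sqlite3 stands in for VuFind's MySQL database here (constructed
    # sample data); MySQL drivers offer the same placeholder binding.
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)')
    conn.executemany('INSERT INTO users (username) VALUES (?)',
                     [('alice',), ('bob',)])
    return conn


if __name__ == '__main__':
    # Constructed inputs of the kinds discussed in the thread.
    for raw in ['not', 'war and peace', 'rock ^ roll', 'title:"foo"', 'C:\\temp']:
        print('%-14r -> %r' % (raw, escape_solr_query(raw)))
    db = make_demo_db()
    injected = "' OR '1'='1"
    print('unsafe:', unsafe_find_user_id(db, injected))   # matches alice
    print('bound: ', find_user_id(db, injected))          # matches nothing
```

The escaping order matters: syntax characters are escaped first, so any quotes the user typed are already neutralised before the reserved-word step adds its own quotes. On the SQL side, the point is that the literal text of the statement never changes with the input; that is what makes bind variables a structural fix rather than a blacklist of "offensive characters".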