I have seen queries to the search engine in the error logs that point to our server being attacked by very long search strings.

INSERT INTO ubbt_SEARCH_RESULTS
(SEARCH_SESSION_ID,SEARCH_WORDS,[...])
VALUES
( '8cfacb698b24bf7b3eff7ec4449a3351' , 'xwkkrgddvl, \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\[...]

In which "\" is repeated a million times.

To be honest I think this is a serious weakness - the software shouldn't allow for any large query string (in this case 50MB+) to be sent to SQL.

So I've tried editing the dosearch.inc.php file to insert a maximum length in the search function and throw back an error "You do not have permission to use the search engine." I hope I have fixed this by doing so:

I have found this on line 431:
PHP Code

		// Make sure they are searching for something
		if (!$Words && !$Name) {
			if (!$excluded) {
				$html->not_right($ubbt_lang['NO_WORDS']);
			}
			else {
				$html->not_right($ubbt_lang['SHORT']);
			}
		}



And added this immediately after it:

PHP Code

		// try and limit the length of the query - KAYJEY
		if (strlen($Words) > 500) {
				$html->not_right($ubbt_lang['NO_SEARCH']);
		}

straydesign.com