I have seen queries to the search engine in the error logs that point to our server being attacked by very long search strings.
INSERT INTO ubbt_SEARCH_RESULTS
(SEARCH_SESSION_ID,SEARCH_WORDS,
[...])
VALUES
( '8cfacb698b24bf7b3eff7ec4449a3351' , 'xwkkrgddvl, \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
[...] In which "\" is repeated a million times.
To be honest I think this is a serious weakness - the software shouldn't allow for any large query string (in this case 50MB+) to be sent to SQL.
So I've tried editing the dosearch.inc.php file to insert a maximum length in the search function and throw back an error "You do not have permission to use the search engine." I hope I have fixed this by doing so:
I have found this on line 431:
if (!$Words && !$Name) {
    if (!$excluded) {
        $html->not_right($ubbt_lang['NO_WORDS']);
    }
    else {
        $html->not_right($ubbt_lang['SHORT']);
    }
}
And added this immediately after it:
// Refuse search strings longer than 500 bytes (strlen() counts bytes).
if (strlen($Words) > 500) {
    $html->not_right($ubbt_lang['NO_SEARCH']);
}
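The length cap described in the post above, as an added example that is not part of the original post or of the forum software: it also covers a non-string parameter and shows how escaping inflates a backslash-only string. The function name `search_words_within_limit`, the constant, and the use of `addslashes()` as a stand-in for whatever escaping the software applies are assumptions.

```php
<?php
// Added example with hypothetical names; not code from UBB.threads.
const MAX_SEARCH_BYTES = 500; // same limit as the check in the post

/**
 * Decide whether a raw search parameter may go on to escaping and SQL.
 * Call it on the raw request value, before any escaping is applied.
 */
function search_words_within_limit($raw, int $maxBytes = MAX_SEARCH_BYTES): bool
{
    // A request such as Words[]=x arrives as an array, which strlen()
    // cannot measure, so anything that is not a string is refused.
    if (!is_string($raw)) {
        return false;
    }
    // strlen() counts bytes, which is what the database has to store.
    return strlen($raw) <= $maxBytes;
}

// Constructed sample inputs.
$samples = [
    'normal query'    => 'password reset',
    'at the limit'    => str_repeat('a', MAX_SEARCH_BYTES),
    'one byte over'   => str_repeat('a', MAX_SEARCH_BYTES + 1),
    'backslash flood' => 'xwkkrgddvl, ' . str_repeat('\\', 1000000),
    'array parameter' => ['a', 'b'],
];

foreach ($samples as $label => $raw) {
    $verdict = search_words_within_limit($raw) ? 'accepted' : 'rejected';
    if (is_string($raw)) {
        // addslashes() stands in for the software's escaping step (assumption).
        // Every backslash is doubled, so the string that reaches the SQL
        // statement can be up to twice the size of what was submitted.
        printf("%-16s %s  raw=%d bytes, escaped=%d bytes\n",
            $label, $verdict, strlen($raw), strlen(addslashes($raw)));
    } else {
        printf("%-16s %s  (not a string)\n", $label, $verdict);
    }
}
```

Because escaping changes the length, the limit only means what it says when it is applied to the raw value.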