escaping characters and security

2007-11-06 Thread Micah Wedemeyer
Are there any security risks to passing a query directly to Solr without
doing any sort of escaping?  I am using URL encoding, so '&' and such
are being encoded into their %XX equivalents.

Still, should I be doing anything else?  Is there such a thing as a
Solr-injection attack?

Thanks,
Micah


Re: escaping characters and security

2007-11-06 Thread Micah Wedemeyer
Thanks.  That's what I wanted to know.

Micah

Walter Underwood wrote:
> Also, this page has a list of special characters that you may want
> to escape:
> 
>   http://lucene.apache.org/java/docs/queryparsersyntax.html
> 
> wunder
> 
> On 11/6/07 9:15 AM, "Walter Underwood" <[EMAIL PROTECTED]> wrote:
> 
>> Solr queries can't do updates, so passing on raw user queries is OK.
>>
>> Solr errors for bad query syntax are not pretty, so you will want to
>> catch those and print a real error message.
>>
>> wunder
>>
>> On 11/6/07 8:52 AM, "Micah Wedemeyer" <[EMAIL PROTECTED]> wrote:
>>
>>> Are there any security risks to passing a query directly to Solr without
>>> doing any sort of escaping?  I am using URL encoding, so '&' and such
>>> are being encoded into their %XX equivalents.
>>>
>>> Still, should I be doing anything else?  Is there such a thing as a
>>> Solr-injection attack?
>>>
>>> Thanks,
>>> Micah
> 
> 
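The two layers discussed in this thread, shown as an added example that is not part of the original messages: URL encoding keeps characters such as '&' inside the `q` parameter, while backslash-escaping the special characters from the query parser syntax page makes user text match literally instead of triggering a syntax error. The base URL, function names and sample input are constructed assumptions.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed endpoint for illustration only; adjust to your own deployment.
BASE = "http://localhost:8983/solr/select"

# Characters the Lucene query parser syntax page lists as special:
#   + - && || ! ( ) { } [ ] ^ " ~ * ? : \
# Each '&' and '|' is escaped on its own here, which also covers && and ||.
_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\&|])')


def escape_lucene(text):
    """Backslash-escape query parser operators so the text is matched literally.

    Not covered: the uppercase keywords AND, OR and NOT, which the parser
    still treats as operators when they appear as separate words.
    """
    return _SPECIAL.sub(r'\\\1', text)


def build_select_url(user_text, escape=True):
    """Build a select URL; urlencode() handles the HTTP layer (%XX encoding)."""
    q = escape_lucene(user_text) if escape else user_text
    return BASE + "?" + urlencode({"q": q, "rows": 10})


def solr_sees(url):
    """Return the q value after URL decoding, i.e. what the query parser gets."""
    return parse_qs(urlsplit(url).query)["q"][0]


if __name__ == "__main__":
    sample = "C++ & [draft]: what?"  # constructed input, e.g. a wiki page title
    raw = build_select_url(sample, escape=False)
    safe = build_select_url(sample)
    # URL encoding alone round-trips the operators unchanged to the parser.
    print("parser input (URL-encoded only):", solr_sees(raw))
    # With escaping, every operator arrives prefixed by a backslash.
    print("parser input (escaped):         ", solr_sees(safe))
```

Even with escaping in place, malformed queries from other code paths can still reach Solr, so the error handling suggested in the reply above remains worth keeping.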



Solr in a highly memory constrained environment (i.e. VPS) - stupid idea?

2008-03-03 Thread Micah Wedemeyer

Hi,

I've used Solr a little at work where we have our own hardware with all 
the memory we want.  However, I would also like to use Solr on a 
small-ish website that I run off of a VPS with 512MB of RAM.  I tried 
this (untuned) for a while, and Tomcat/Solr would just grab up all my 
memory until the server slowed to a crawl.


Performance really isn't a huge factor.  There are probably around 5000 
documents with an average size of 1-2k per document.  A document (wiki 
page) is re-indexed roughly every time it is saved, and with our 
current traffic, that's probably around 5/minute at our busiest times.  
Plus, the search feature isn't all that prominent, meaning that actual 
searches occur fairly rarely, perhaps 1/minute at peak.


So, my basic question is: Can I constrain and constrict Solr in order 
to run it in a tiny slice of memory, say 64-128MB?  What will happen if 
I set the -xmx option to 64M?  I saw some other posts about OutOfMemory 
errors, but I couldn't get a clear idea about how well Solr recovered 
from them.


Also, is there a way to turn off (or severely limit) caching and 
buffering?  What happens if I set maxBufferedDocs to 1 or 10?  Can I go 
through and set the filter, query, and document caches to some small 
number like 1 or 10?


Finally, am I trying to do something that's just plain stupid?  I like 
Solr and I'd like to try some neat stuff with facets on my site, but 
Sphinx ( http://www.sphinxsearch.com/ ) is another option that I know 
people have gotten to work with a small memory footprint.  I just don't 
know Sphinx that well.


Thanks in advance,
Micah