FOSElasticaBundle
[Discussion] How do you handle attacks?
I get attacks on my (paginated) search form, such as myurl.com/search?direction=asc&page=199999%22%20union%20select%20unhex%28hex%28version%28%29%29%29%20--%20%22x%22%3D%22x (instead of just myurl.com/search?direction=asc&page=1), which lead to Uncaught PHP Exception Elastica\Exception\ResponseException: "Result window is too large, from + size must be less than or equal to: [10000] but was [2999985]. See the scroll api for a more efficient way to request large data sets. This limit can be set by changing the [index.max_result_window] index level setting. [reason: all shards failed]".
I can imagine a few ways to handle this:
- pre-validate all pagination parameters too
- catch the exception
- let elastica ignore all errors
What is the recommended/best practice approach in this case?
On your query you must set a maximum size:
```php
$querySort = new \Elastica\Query($bool);
$querySort
    ...
    ->setSize(9999)   // cap the number of hits a single request may return
;
```
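The snippet above caps `size`, but the request in the question blows up on `from` (page number times page size), so the page parameter itself has to be validated before the query is built. The following is an added example, not code from FOSElasticaBundle or from either participant in this thread; it combines the first two options the question lists (pre-validate the pagination parameters, then catch `ResponseException` as a second line of defence). It assumes `ruflin/elastica` is installed through Composer, a local Elasticsearch on port 9200, an index named `app`, a page size of 20, and a hypothetical `created_at` sort field; the `10000` limit is the default `index.max_result_window` quoted in the error message.

```php
<?php
// Added example, not FOSElasticaBundle code. Assumes ruflin/elastica via Composer.
require_once __DIR__ . '/vendor/autoload.php';

use Elastica\Client;
use Elastica\Query;
use Elastica\Query\BoolQuery;
use Elastica\Exception\ResponseException;

// Default index.max_result_window (the [10000] in the error above).
const MAX_RESULT_WINDOW = 10000;
// Illustrative page size; use whatever your search form actually uses.
const PAGE_SIZE = 20;

/**
 * Validate untrusted pagination input before it reaches Elastica.
 * Returns ['from', 'size', 'direction'] on success, or null when the
 * request is malformed or outside the result window (answer with 400
 * instead of sending the query to the cluster).
 */
function validatePagination(array $params): ?array
{
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // so a page value like 199999" union select ... never gets through.
    $page = filter_var($params['page'] ?? 1, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($page === false) {
        return null;
    }

    // Allowlist the sort direction rather than passing the raw string on.
    $direction = $params['direction'] ?? 'asc';
    if (!in_array($direction, ['asc', 'desc'], true)) {
        return null;
    }

    $from = ($page - 1) * PAGE_SIZE;
    // from + size must stay within the window, otherwise Elasticsearch
    // replies "Result window is too large" and Elastica throws.
    if ($from + PAGE_SIZE > MAX_RESULT_WINDOW) {
        return null;
    }

    return ['from' => $from, 'size' => PAGE_SIZE, 'direction' => $direction];
}

/** Build the paginated query from already-validated values only. */
function buildQuery(array $pagination): Query
{
    $bool = new BoolQuery();
    // Add your match/filter clauses to $bool here.
    $query = new Query($bool);
    $query->setFrom($pagination['from'])
          ->setSize($pagination['size'])
          // 'created_at' is a hypothetical sort field for this example.
          ->setSort(['created_at' => ['order' => $pagination['direction']]]);
    return $query;
}

// Usage with the request's query string (direction=asc&page=...):
$pagination = validatePagination($_GET);
if ($pagination === null) {
    http_response_code(400);
    exit('Invalid pagination parameters');
}
$query = buildQuery($pagination);

// Second line of defence: an index may have a lower max_result_window
// than assumed above, so still catch the exception instead of letting
// it surface as an uncaught 500.
$client = new Client(['host' => 'localhost', 'port' => 9200]); // assumed
$index = $client->getIndex('app');                              // assumed
try {
    $resultSet = $index->search($query);
} catch (ResponseException $e) {
    // Keep the cluster's error message in the server log only.
    error_log('Elasticsearch rejected search: ' . $e->getMessage());
    http_response_code(400);
    exit('Search could not be completed');
}
echo 'Total hits: ' . $resultSet->getTotalHits() . PHP_EOL;
```

Rejecting out-of-range pages up front means the malformed request never reaches Elasticsearch, while the `catch` keeps any remaining rejection (for example a per-index window smaller than 10000) from surfacing as an uncaught exception and a 500.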