It shouldn't be easy to attack if programmed safely and paying attention to all user-inputs (like any responsible programmer should do).
Accepting only alphanumerical chars and reading them directly from the POST_VARS header should be enough to prevent any attack, afaik.
As for support searches, I would suggest for instance not to search in T&T (it's not much data, but it is a slightly bigger haystack to search indeed) and only show the 20 most relevant threads. I think this would lower b/w, along with the fact of not showing posts, but whole threads. This would dramatically decrease b/w usage (although increasing server load a bit) and would be more useful for support.
Tbh, if you look for uninstalling sponsor and the first thing you find is this post... It's not very useful. So better search by threads so we can make sure the first result will be enough.