On Wed, 2005-01-26 at 00:08 -0700, Michael Fuhr wrote: > On Wed, Jan 26, 2005 at 12:27:17AM -0600, Dale Sykora wrote: > > > I would like to use a text field in a table and limit the size to > > reduce the chance of denial-of-service/buffer overflow/etc. I assume I > > can define table fields similar to the following > > "field_name text check (len(field) < 160)" although my syntax is > > probably wrong. > > You could use varchar(n) instead of text with a check constraint. In this case I would advise using text instead of varchar(n). The reason is that varchar(n) implies an intrinsic, unchangable rule that the field never exceed a length of n. An example of that might be a state abbreviation. The check constraint is more able to adjust to changing needs. In fact, I may go so far as to say that it's the application's responsibility to verify the length (at the same time that it's escaping the SQL special chars). The reason for that is because the database wouldn't be corrupt or invalid in any way if the text field contained (for example) 161 chars. So, it should really be more a matter of security against DoS attacks, which is the domain of the application. Also the application is the only one that knows what to do in case the string is too long, so why bother sending it to the database to see if it is too long? But from a technical standpoint, it's really all the same, so he can use whatever he feels comfortable with. As for choosing a maximum number, you basically want it high enough that no significant number of well-meaning people are thwarted by it (you don't want someone with a long name being upset with you and going to a competitor), and low enough to make an attacker realize that he's not going to accomplish anything and go away. If the number is 1000, it might make the attacker think he's accomplishing something and he might hang around longer looking for other openings. Regards, Jeff Davis ---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to majordomo@xxxxxxxxxxxxxx
