Should we validate max length on string fields?
We have a validation in our application limiting user first and last name length to 255 characters. Is there any technical reason we ought to be doing this? I'm wondering if there is maybe any security concern or risk we put ourselves at by not limiting the length of strings. We're using Postgres text
columns.
postgresql
add a comment |
We have a validation in our application limiting user first and last name length to 255 characters. Is there any technical reason we ought to be doing this? I'm wondering if there is maybe any security concern or risk we put ourselves at by not limiting the length of strings. We're using Postgres text
columns.
postgresql
If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined asvarchar(255)
over a column defined asvarchar(260)
orvarchar(301)
- that255
is a left-over "magic number" that does have any performance impact
– a_horse_with_no_name
Nov 23 '18 at 7:40
Related: stackoverflow.com/questions/8295131
– a_horse_with_no_name
Nov 23 '18 at 7:43
add a comment |
We have a validation in our application limiting user first and last name length to 255 characters. Is there any technical reason we ought to be doing this? I'm wondering if there is maybe any security concern or risk we put ourselves at by not limiting the length of strings. We're using Postgres text
columns.
postgresql
We have a validation in our application limiting user first and last name length to 255 characters. Is there any technical reason we ought to be doing this? I'm wondering if there is maybe any security concern or risk we put ourselves at by not limiting the length of strings. We're using Postgres text
columns.
postgresql
postgresql
asked Nov 22 '18 at 23:37
lobatilobati
2,61932241
2,61932241
If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined asvarchar(255)
over a column defined asvarchar(260)
orvarchar(301)
- that255
is a left-over "magic number" that does have any performance impact
– a_horse_with_no_name
Nov 23 '18 at 7:40
Related: stackoverflow.com/questions/8295131
– a_horse_with_no_name
Nov 23 '18 at 7:43
add a comment |
If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined asvarchar(255)
over a column defined asvarchar(260)
orvarchar(301)
- that255
is a left-over "magic number" that does have any performance impact
– a_horse_with_no_name
Nov 23 '18 at 7:40
Related: stackoverflow.com/questions/8295131
– a_horse_with_no_name
Nov 23 '18 at 7:43
If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined as
varchar(255)
over a column defined as varchar(260)
or varchar(301)
- that 255
is a left-over "magic number" that does have any performance impact– a_horse_with_no_name
Nov 23 '18 at 7:40
If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined as
varchar(255)
over a column defined as varchar(260)
or varchar(301)
- that 255
is a left-over "magic number" that does have any performance impact– a_horse_with_no_name
Nov 23 '18 at 7:40
Related: stackoverflow.com/questions/8295131
– a_horse_with_no_name
Nov 23 '18 at 7:43
Related: stackoverflow.com/questions/8295131
– a_horse_with_no_name
Nov 23 '18 at 7:43
add a comment |
1 Answer
1
active
oldest
votes
Text
= variable unlimited length.. If you put limiter why don't use varchar(255)
?
For security concern and performance put limiter are good. If your database file heavy and if someone spams to your text
, the data type exceeds 8 KB.. That will put heavy in your db and for worst scenario it can Break Down
..
EDIT :
As Documentation
says:
If you desire to store long strings with no specific upper limit, use
text or character varying without a length specifier, rather than
making up an arbitrary length limit.
Back to your original question "Should we validate max length on string fields"?
When see documentation said.. It would be better you make as Varchar(255)
rather than Varchar
without length specifier and do limiter in application side
And for performance:
Long strings are compressed by the system automatically, so the
physical requirement on disk might be less. Very long values are also
stored in background tables so that they do not interfere with rapid
access to shorter column values.
I will say great for Postgresql :)
The PostgreSQL docs actually suggest thattext
is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html
– lobati
Nov 23 '18 at 2:38
@lobati yes.. I am already read that.. about performance which is greatpostgresql
.. And saidIf you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit.
..
– dwir182
Nov 23 '18 at 2:53
I can't see how you could "break down" the database by supplying long strings.
– a_horse_with_no_name
Nov 23 '18 at 7:40
Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)
– dwir182
Nov 23 '18 at 7:44
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53439104%2fshould-we-validate-max-length-on-string-fields%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Text
= variable unlimited length.. If you put limiter why don't use varchar(255)
?
For security concern and performance put limiter are good. If your database file heavy and if someone spams to your text
, the data type exceeds 8 KB.. That will put heavy in your db and for worst scenario it can Break Down
..
EDIT :
As Documentation
says:
If you desire to store long strings with no specific upper limit, use
text or character varying without a length specifier, rather than
making up an arbitrary length limit.
Back to your original question "Should we validate max length on string fields"?
When see documentation said.. It would be better you make as Varchar(255)
rather than Varchar
without length specifier and do limiter in application side
And for performance:
Long strings are compressed by the system automatically, so the
physical requirement on disk might be less. Very long values are also
stored in background tables so that they do not interfere with rapid
access to shorter column values.
I will say great for Postgresql :)
The PostgreSQL docs actually suggest thattext
is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html
– lobati
Nov 23 '18 at 2:38
@lobati yes.. I am already read that.. about performance which is greatpostgresql
.. And saidIf you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit.
..
– dwir182
Nov 23 '18 at 2:53
I can't see how you could "break down" the database by supplying long strings.
– a_horse_with_no_name
Nov 23 '18 at 7:40
Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)
– dwir182
Nov 23 '18 at 7:44
add a comment |
Text
= variable unlimited length.. If you put limiter why don't use varchar(255)
?
For security concern and performance put limiter are good. If your database file heavy and if someone spams to your text
, the data type exceeds 8 KB.. That will put heavy in your db and for worst scenario it can Break Down
..
EDIT :
As Documentation
says:
If you desire to store long strings with no specific upper limit, use
text or character varying without a length specifier, rather than
making up an arbitrary length limit.
Back to your original question "Should we validate max length on string fields"?
When see documentation said.. It would be better you make as Varchar(255)
rather than Varchar
without length specifier and do limiter in application side
And for performance:
Long strings are compressed by the system automatically, so the
physical requirement on disk might be less. Very long values are also
stored in background tables so that they do not interfere with rapid
access to shorter column values.
I will say great for Postgresql :)
The PostgreSQL docs actually suggest thattext
is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html
– lobati
Nov 23 '18 at 2:38
@lobati yes.. I am already read that.. about performance which is greatpostgresql
.. And saidIf you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit.
..
– dwir182
Nov 23 '18 at 2:53
I can't see how you could "break down" the database by supplying long strings.
– a_horse_with_no_name
Nov 23 '18 at 7:40
Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)
– dwir182
Nov 23 '18 at 7:44
add a comment |
Text
= variable unlimited length.. If you put limiter why don't use varchar(255)
?
For security concern and performance put limiter are good. If your database file heavy and if someone spams to your text
, the data type exceeds 8 KB.. That will put heavy in your db and for worst scenario it can Break Down
..
EDIT :
As Documentation
says:
If you desire to store long strings with no specific upper limit, use
text or character varying without a length specifier, rather than
making up an arbitrary length limit.
Back to your original question "Should we validate max length on string fields"?
When see documentation said.. It would be better you make as Varchar(255)
rather than Varchar
without length specifier and do limiter in application side
And for performance:
Long strings are compressed by the system automatically, so the
physical requirement on disk might be less. Very long values are also
stored in background tables so that they do not interfere with rapid
access to shorter column values.
I will say great for Postgresql :)
Text
= variable unlimited length.. If you put limiter why don't use varchar(255)
?
For security concern and performance put limiter are good. If your database file heavy and if someone spams to your text
, the data type exceeds 8 KB.. That will put heavy in your db and for worst scenario it can Break Down
..
EDIT :
As Documentation
says:
If you desire to store long strings with no specific upper limit, use
text or character varying without a length specifier, rather than
making up an arbitrary length limit.
Back to your original question "Should we validate max length on string fields"?
When see documentation said.. It would be better you make as Varchar(255)
rather than Varchar
without length specifier and do limiter in application side
And for performance:
Long strings are compressed by the system automatically, so the
physical requirement on disk might be less. Very long values are also
stored in background tables so that they do not interfere with rapid
access to shorter column values.
I will say great for Postgresql :)
edited Nov 23 '18 at 7:42
a_horse_with_no_name
305k46466562
305k46466562
answered Nov 23 '18 at 0:30
dwir182dwir182
1,445619
1,445619
The PostgreSQL docs actually suggest thattext
is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html
– lobati
Nov 23 '18 at 2:38
@lobati yes.. I am already read that.. about performance which is greatpostgresql
.. And saidIf you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit.
..
– dwir182
Nov 23 '18 at 2:53
I can't see how you could "break down" the database by supplying long strings.
– a_horse_with_no_name
Nov 23 '18 at 7:40
Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)
– dwir182
Nov 23 '18 at 7:44
add a comment |
The PostgreSQL docs actually suggest thattext
is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html
– lobati
Nov 23 '18 at 2:38
@lobati yes.. I am already read that.. about performance which is greatpostgresql
.. And saidIf you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit.
..
– dwir182
Nov 23 '18 at 2:53
I can't see how you could "break down" the database by supplying long strings.
– a_horse_with_no_name
Nov 23 '18 at 7:40
Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)
– dwir182
Nov 23 '18 at 7:44
The PostgreSQL docs actually suggest that
text
is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html– lobati
Nov 23 '18 at 2:38
The PostgreSQL docs actually suggest that
text
is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html– lobati
Nov 23 '18 at 2:38
@lobati yes.. I am already read that.. about performance which is great
postgresql
.. And said If you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit.
..– dwir182
Nov 23 '18 at 2:53
@lobati yes.. I am already read that.. about performance which is great
postgresql
.. And said If you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit.
..– dwir182
Nov 23 '18 at 2:53
I can't see how you could "break down" the database by supplying long strings.
– a_horse_with_no_name
Nov 23 '18 at 7:40
I can't see how you could "break down" the database by supplying long strings.
– a_horse_with_no_name
Nov 23 '18 at 7:40
Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)
– dwir182
Nov 23 '18 at 7:44
Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)
– dwir182
Nov 23 '18 at 7:44
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53439104%2fshould-we-validate-max-length-on-string-fields%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined as
varchar(255)
over a column defined asvarchar(260)
orvarchar(301)
- that255
is a left-over "magic number" that does have any performance impact– a_horse_with_no_name
Nov 23 '18 at 7:40
Related: stackoverflow.com/questions/8295131
– a_horse_with_no_name
Nov 23 '18 at 7:43