Should we validate max length on string fields?












-2















We have a validation in our application limiting user first and last name length to 255 characters. Is there any technical reason we ought to be doing this? I'm wondering if there is maybe any security concern or risk we put ourselves at by not limiting the length of strings. We're using Postgres text columns.










share|improve this question























  • If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined as varchar(255) over a column defined as varchar(260) or varchar(301) - that 255 is a left-over "magic number" that does have any performance impact

    – a_horse_with_no_name
    Nov 23 '18 at 7:40













  • Related: stackoverflow.com/questions/8295131

    – a_horse_with_no_name
    Nov 23 '18 at 7:43
















-2















We have a validation in our application limiting user first and last name length to 255 characters. Is there any technical reason we ought to be doing this? I'm wondering if there is maybe any security concern or risk we put ourselves at by not limiting the length of strings. We're using Postgres text columns.










share|improve this question























  • If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined as varchar(255) over a column defined as varchar(260) or varchar(301) - that 255 is a left-over "magic number" that does have any performance impact

    – a_horse_with_no_name
    Nov 23 '18 at 7:40













  • Related: stackoverflow.com/questions/8295131

    – a_horse_with_no_name
    Nov 23 '18 at 7:43














-2












-2








-2








We have a validation in our application limiting user first and last name length to 255 characters. Is there any technical reason we ought to be doing this? I'm wondering if there is maybe any security concern or risk we put ourselves at by not limiting the length of strings. We're using Postgres text columns.










share|improve this question














We have a validation in our application limiting user first and last name length to 255 characters. Is there any technical reason we ought to be doing this? I'm wondering if there is maybe any security concern or risk we put ourselves at by not limiting the length of strings. We're using Postgres text columns.







postgresql






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 22 '18 at 23:37









lobatilobati

2,61932241




2,61932241













  • If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined as varchar(255) over a column defined as varchar(260) or varchar(301) - that 255 is a left-over "magic number" that does have any performance impact

    – a_horse_with_no_name
    Nov 23 '18 at 7:40













  • Related: stackoverflow.com/questions/8295131

    – a_horse_with_no_name
    Nov 23 '18 at 7:43



















  • If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined as varchar(255) over a column defined as varchar(260) or varchar(301) - that 255 is a left-over "magic number" that does have any performance impact

    – a_horse_with_no_name
    Nov 23 '18 at 7:40













  • Related: stackoverflow.com/questions/8295131

    – a_horse_with_no_name
    Nov 23 '18 at 7:43

















If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined as varchar(255) over a column defined as varchar(260) or varchar(301) - that 255 is a left-over "magic number" that does have any performance impact

– a_horse_with_no_name
Nov 23 '18 at 7:40







If this is a business constraint, then yes you should reflect that in a database constraint as well. If you are indexing the columns you probably should limit the length as well. Note that there is no optimization whatsoever for column defined as varchar(255) over a column defined as varchar(260) or varchar(301) - that 255 is a left-over "magic number" that does have any performance impact

– a_horse_with_no_name
Nov 23 '18 at 7:40















Related: stackoverflow.com/questions/8295131

– a_horse_with_no_name
Nov 23 '18 at 7:43





Related: stackoverflow.com/questions/8295131

– a_horse_with_no_name
Nov 23 '18 at 7:43












1 Answer
1






active

oldest

votes


















1














Text = variable unlimited length.. If you put limiter why don't use varchar(255)?



For security concern and performance put limiter are good. If your database file heavy and if someone spams to your text, the data type exceeds 8 KB.. That will put heavy in your db and for worst scenario it can Break Down..



EDIT :



As Documentation says:




If you desire to store long strings with no specific upper limit, use
text or character varying without a length specifier, rather than
making up an arbitrary length limit.




Back to your original question "Should we validate max length on string fields"?



When see documentation said.. It would be better you make as Varchar(255) rather than Varchar without length specifier and do limiter in application side



And for performance:




Long strings are compressed by the system automatically, so the
physical requirement on disk might be less. Very long values are also
stored in background tables so that they do not interfere with rapid
access to shorter column values.




I will say great for Postgresql :)






share|improve this answer


























  • The PostgreSQL docs actually suggest that text is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html

    – lobati
    Nov 23 '18 at 2:38











  • @lobati yes.. I am already read that.. about performance which is great postgresql.. And said If you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit...

    – dwir182
    Nov 23 '18 at 2:53











  • I can't see how you could "break down" the database by supplying long strings.

    – a_horse_with_no_name
    Nov 23 '18 at 7:40











  • Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)

    – dwir182
    Nov 23 '18 at 7:44











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53439104%2fshould-we-validate-max-length-on-string-fields%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














Text = variable unlimited length.. If you put limiter why don't use varchar(255)?



For security concern and performance put limiter are good. If your database file heavy and if someone spams to your text, the data type exceeds 8 KB.. That will put heavy in your db and for worst scenario it can Break Down..



EDIT :



As Documentation says:




If you desire to store long strings with no specific upper limit, use
text or character varying without a length specifier, rather than
making up an arbitrary length limit.




Back to your original question "Should we validate max length on string fields"?



When see documentation said.. It would be better you make as Varchar(255) rather than Varchar without length specifier and do limiter in application side



And for performance:




Long strings are compressed by the system automatically, so the
physical requirement on disk might be less. Very long values are also
stored in background tables so that they do not interfere with rapid
access to shorter column values.




I will say great for Postgresql :)






share|improve this answer


























  • The PostgreSQL docs actually suggest that text is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html

    – lobati
    Nov 23 '18 at 2:38











  • @lobati yes.. I am already read that.. about performance which is great postgresql.. And said If you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit...

    – dwir182
    Nov 23 '18 at 2:53











  • I can't see how you could "break down" the database by supplying long strings.

    – a_horse_with_no_name
    Nov 23 '18 at 7:40











  • Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)

    – dwir182
    Nov 23 '18 at 7:44
















1














Text = variable unlimited length.. If you put limiter why don't use varchar(255)?



For security concern and performance put limiter are good. If your database file heavy and if someone spams to your text, the data type exceeds 8 KB.. That will put heavy in your db and for worst scenario it can Break Down..



EDIT :



As Documentation says:




If you desire to store long strings with no specific upper limit, use
text or character varying without a length specifier, rather than
making up an arbitrary length limit.




Back to your original question "Should we validate max length on string fields"?



When see documentation said.. It would be better you make as Varchar(255) rather than Varchar without length specifier and do limiter in application side



And for performance:




Long strings are compressed by the system automatically, so the
physical requirement on disk might be less. Very long values are also
stored in background tables so that they do not interfere with rapid
access to shorter column values.




I will say great for Postgresql :)






share|improve this answer


























  • The PostgreSQL docs actually suggest that text is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html

    – lobati
    Nov 23 '18 at 2:38











  • @lobati yes.. I am already read that.. about performance which is great postgresql.. And said If you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit...

    – dwir182
    Nov 23 '18 at 2:53











  • I can't see how you could "break down" the database by supplying long strings.

    – a_horse_with_no_name
    Nov 23 '18 at 7:40











  • Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)

    – dwir182
    Nov 23 '18 at 7:44














1












1








1







Text = variable unlimited length.. If you put limiter why don't use varchar(255)?



For security concern and performance put limiter are good. If your database file heavy and if someone spams to your text, the data type exceeds 8 KB.. That will put heavy in your db and for worst scenario it can Break Down..



EDIT :



As Documentation says:




If you desire to store long strings with no specific upper limit, use
text or character varying without a length specifier, rather than
making up an arbitrary length limit.




Back to your original question "Should we validate max length on string fields"?



When see documentation said.. It would be better you make as Varchar(255) rather than Varchar without length specifier and do limiter in application side



And for performance:




Long strings are compressed by the system automatically, so the
physical requirement on disk might be less. Very long values are also
stored in background tables so that they do not interfere with rapid
access to shorter column values.




I will say great for Postgresql :)






share|improve this answer















Text = variable unlimited length.. If you put limiter why don't use varchar(255)?



For security concern and performance put limiter are good. If your database file heavy and if someone spams to your text, the data type exceeds 8 KB.. That will put heavy in your db and for worst scenario it can Break Down..



EDIT :



As Documentation says:




If you desire to store long strings with no specific upper limit, use
text or character varying without a length specifier, rather than
making up an arbitrary length limit.




Back to your original question "Should we validate max length on string fields"?



When see documentation said.. It would be better you make as Varchar(255) rather than Varchar without length specifier and do limiter in application side



And for performance:




Long strings are compressed by the system automatically, so the
physical requirement on disk might be less. Very long values are also
stored in background tables so that they do not interfere with rapid
access to shorter column values.




I will say great for Postgresql :)







share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 23 '18 at 7:42









a_horse_with_no_name

305k46466562




305k46466562










answered Nov 23 '18 at 0:30









dwir182dwir182

1,445619




1,445619













  • The PostgreSQL docs actually suggest that text is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html

    – lobati
    Nov 23 '18 at 2:38











  • @lobati yes.. I am already read that.. about performance which is great postgresql.. And said If you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit...

    – dwir182
    Nov 23 '18 at 2:53











  • I can't see how you could "break down" the database by supplying long strings.

    – a_horse_with_no_name
    Nov 23 '18 at 7:40











  • Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)

    – dwir182
    Nov 23 '18 at 7:44



















  • The PostgreSQL docs actually suggest that text is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html

    – lobati
    Nov 23 '18 at 2:38











  • @lobati yes.. I am already read that.. about performance which is great postgresql.. And said If you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit...

    – dwir182
    Nov 23 '18 at 2:53











  • I can't see how you could "break down" the database by supplying long strings.

    – a_horse_with_no_name
    Nov 23 '18 at 7:40











  • Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)

    – dwir182
    Nov 23 '18 at 7:44

















The PostgreSQL docs actually suggest that text is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html

– lobati
Nov 23 '18 at 2:38





The PostgreSQL docs actually suggest that text is no less performant, though, if you need something variable length, and may be better since they don't need to check the length before storing a value. See the Tip here: postgresql.org/docs/10/datatype-character.html

– lobati
Nov 23 '18 at 2:38













@lobati yes.. I am already read that.. about performance which is great postgresql.. And said If you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit...

– dwir182
Nov 23 '18 at 2:53





@lobati yes.. I am already read that.. about performance which is great postgresql.. And said If you desire to store long strings with no specific upper limit, use text or character varying without a length specifier, rather than making up an arbitrary length limit...

– dwir182
Nov 23 '18 at 2:53













I can't see how you could "break down" the database by supplying long strings.

– a_horse_with_no_name
Nov 23 '18 at 7:40





I can't see how you could "break down" the database by supplying long strings.

– a_horse_with_no_name
Nov 23 '18 at 7:40













Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)

– dwir182
Nov 23 '18 at 7:44





Yes.. I want to remove that @a_horse_with_no_name but if i remove the first argument i show i think that's not good.. That's just my speculation.. If i am wrong you can dv me.. :)

– dwir182
Nov 23 '18 at 7:44




















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53439104%2fshould-we-validate-max-length-on-string-fields%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







這個網誌中的熱門文章

Post-Redirect-Get with Spring WebFlux and Thymeleaf

Xamarin.form Move up view when keyboard appear

JBPM : POST request for execute process go wrong