On Wed, Jan 26, 2005 at 12:27:17AM -0600, Dale Sykora wrote:

> I would like to use a text field in a table and limit the size to
> reduce the chance of denial-of-service/buffer overflow/etc. I assume I
> can define table fields similar to the following
> "field_name text check (len(field) < 160)" although my syntax is
> probably wrong.

You could use varchar(n) instead of text with a check constraint.

> Is checking text length considered a good idea?

That depends on the application and the trustworthiness of the data
source. If you know that values should never exceed a certain
length and you want to prevent obviously bad values from being
inserted, then enforcing a length limit makes sense.

> If so, what would be a reasonable limit? I was thinking about
> 10 * average_field_char_length (if avg value is 16 char, set
> limit to 160 char).

Again, that depends on the application. If you're storing product
part numbers then most of them will probably fall close to the
average length, so allowing ten times the average length would be
unnecessary. On the other hand, if you're storing product descriptions
then you might need to allow for greater variation. Use whatever
makes sense for the type of data you're storing.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
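
The two ways of limiting length discussed in this thread, side by side, as an added example that is not part of the original message. It assumes PostgreSQL; the table, column and constraint names are hypothetical, and the limit is written as `<= 160` so that both tables accept the same maximum.

```sql
-- Added example; assumes PostgreSQL. All object names are hypothetical.

-- Option 1: put the limit in the column type.
CREATE TABLE part_v (
    part_no varchar(160) NOT NULL
);

-- Option 2: keep text and enforce the limit with a named CHECK constraint.
-- char_length() counts characters; use octet_length() to limit bytes instead.
CREATE TABLE part_c (
    part_no text NOT NULL
        CONSTRAINT part_no_len CHECK (char_length(part_no) <= 160)
);

-- Exactly 160 characters: accepted by both tables.
INSERT INTO part_v VALUES (repeat('x', 160));
INSERT INTO part_c VALUES (repeat('x', 160));

-- 161 non-space characters: rejected by both tables with an error.
INSERT INTO part_v VALUES (repeat('x', 161));
INSERT INTO part_c VALUES (repeat('x', 161));

-- Where the two options differ:
-- (a) Excess characters that are all spaces. varchar(n) truncates them
--     silently on assignment; the CHECK constraint rejects the row.
INSERT INTO part_v VALUES (repeat('x', 160) || '   ');  -- stored as 160 chars
INSERT INTO part_c VALUES (repeat('x', 160) || '   ');  -- rejected

-- (b) An explicit cast to varchar(n) truncates without an error, so a
--     client that casts can hide oversized input from the length check.
INSERT INTO part_v VALUES (repeat('x', 500)::varchar(160));  -- stored as 160 chars

-- (c) Changing the limit later on the CHECK version is a constraint swap.
ALTER TABLE part_c DROP CONSTRAINT part_no_len;
ALTER TABLE part_c ADD CONSTRAINT part_no_len
    CHECK (char_length(part_no) <= 320);

-- Confirm what was actually stored.
SELECT char_length(part_no) AS len FROM part_v;
SELECT char_length(part_no) AS len FROM part_c;
```

Either form only bounds what is stored; the full value still reaches the server before it is rejected, so any limit on request size has to be enforced in the application or in front of the database as well.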