-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Well, that's all fine as long as the hacker does not connect directly
to the database server when attempting his attack. Check it in the app
yes, but if this is really a genuine concern, it should be reinforced
by the server as an added precaution.
On Jan 26, 2005, at 3:01 AM, Jeff Davis wrote:
> In fact, I may go so far as to say that it's the application's
> responsibility to verify the length (at the same time that it's
> escaping
> the SQL special chars). The reason for that is because the database
> wouldn't be corrupt or invalid in any way if the text field contained
> (for example) 161 chars. So, it should really be more a matter of
> security against DoS attacks, which is the domain of the application.
> Also the application is the only one that knows what to do in case the
> string is too long, so why bother sending it to the database to see if
> it is too long?
- -----------------------------------------------------------
Frank D. Engel, Jr. <fde101@fjrhome.net>
$ ln -s /usr/share/kjvbible /usr/manual
$ true | cat /usr/manual | grep "John 3:16"
John 3:16 For God so loved the world, that he gave his only begotten
Son, that whosoever believeth in him should not perish, but have
everlasting life.
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFB95gk7aqtWrR9cZoRAvk0AJwPM0obldPGktkjJWkBC11iMrPtTQCgiQfa
WbG/Bdj+yG9DSaTbSvRUlT0=
=c4+z
-----END PGP SIGNATURE-----
___________________________________________________________
$0 Web Hosting with up to 120MB web space, 1000 MB Transfer
10 Personalized POP and Web E-mail Accounts, and much more.
Signup at www.doteasy.com