Re: ALTER TEXT field to VARCHAR(1024) - Mailing list pgsql-general

From John McKown
Subject Re: ALTER TEXT field to VARCHAR(1024)
Date
Msg-id CAAJSdjgXbJZNfLnfKJ=T4qZG8uDBcB92784Gnc1s5dd+A+atsw@mail.gmail.com
Whole thread Raw
In response to Re: ALTER TEXT field to VARCHAR(1024)  (Rob Sargent <robjsargent@gmail.com>)
List pgsql-general
Sorry guess I wasn't being as clear as I thought. To be a bit more
precise, I really think that validation should occur _first_ at the
point of entry (for a web browser, I put in Javascript code to verify
it there as well as in the web service doing the same validation
because some people disable Javascript as a possible security breach
vector), then also do the same, or even more, validation in the back
end server. I.e. don't trust any step of the process which is not
under your immediate control. As the "owner" of the data base, I want
to validate the data "myself" according to the proper business rules.
The application developer should also validate the input. What I don't
believe in is a "trusted application" from which I would accept data
and not validate it before updating the data base. If such an
application were to exist, due to management dictum, I would audit
everything that I could to prove any corruption to the data base was
caused by this "can't ever be wrong" application. Yes, I am a
paranoid.

On Mon, Sep 22, 2014 at 11:18 AM, Rob Sargent <robjsargent@gmail.com> wrote:
> On 09/22/2014 09:40 AM, John McKown wrote:
>
> On Mon, Sep 22, 2014 at 10:31 AM, Merlin Moncure <mmoncure@gmail.com> wrote:
>
> On Fri, Sep 19, 2014 at 7:16 AM, Bill Moran <wmoran@potentialtech.com>
> wrote:
>
> On Fri, 19 Sep 2014 09:32:09 +0200
> Marius Grama <mariusneo@gmail.com> wrote:
>
> Can anybody explain me what happens in the background when the alter
> statement is executed? I've tried it out on a small copy of the table (70K)
> and the operation completed in 0.2 seconds.
> Will the table be completely locked during the execution of the ALTER
> statement?
>
> I share Gavin's concern that you're fixing this in the wrong place.  I
> expect
> that you'll be better served by configuring the middleware to do the right
> thing.
>
> I'll pile on here: in almost 20 years of professional database
> development I've never had an actual problem that was solved by
> introducing or shortening a length constraint to text columns except
> in cases where overlong strings violate the data model (like a two
> character state code for example).  It's a database equivalent of "C
> programmer's disease".  Input checks from untrusted actors should
> happen in the application.
>
> merlin
>
> I do not have your experience level with data bases, but if I may, I
> will make an addition. Input checks should also happen in the RDBMS
> server. I have learned you cannot trust end users _or_ programmers.
> Most are good and conscientious. But there are a few who just aren't.
> And those few seem to be very prolific in making _subtle_ errors. Had
> one person who was really good at replacing every p with a [ and P
> with {
>
>
> You don't want that string to get all the way to the server and fail, blow
> out a transaction and carry that joyous news back to the user who now has to
> start over completely.  Further no mear length constraint is going to fix
> p<=>[.  Not say the db cannot have the constraint (no [ allowed?) but a good
> app checks input on the fly.
>
>
>



--
There is nothing more pleasant than traveling and meeting new people!
Genghis Khan

Maranatha! <><
John McKown


pgsql-general by date:

Previous
From: Tim Clarke
Date:
Subject: Re: ALTER TEXT field to VARCHAR(1024)
Next
From: Merlin Moncure
Date:
Subject: Re: ALTER TEXT field to VARCHAR(1024)