-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Well, that's all fine as long as the hacker does not connect directly to the database server when attempting his attack. Check it in the app yes, but if this is really a genuine concern, it should be reinforced by the server as an added precaution.
On Jan 26, 2005, at 3:01 AM, Jeff Davis wrote:
In fact, I may go so far as to say that it's the application's
responsibility to verify the length (at the same time that it's escaping
the SQL special chars). The reason for that is because the database
wouldn't be corrupt or invalid in any way if the text field contained
(for example) 161 chars. So, it should really be more a matter of
security against DoS attacks, which is the domain of the application.
Also the application is the only one that knows what to do in case the
string is too long, so why bother sending it to the database to see if
it is too long?
- ----------------------------------------------------------- Frank D. Engel, Jr. <[EMAIL PROTECTED]>
$ ln -s /usr/share/kjvbible /usr/manual
$ true | cat /usr/manual | grep "John 3:16"
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFB95gk7aqtWrR9cZoRAvk0AJwPM0obldPGktkjJWkBC11iMrPtTQCgiQfa WbG/Bdj+yG9DSaTbSvRUlT0= =c4+z -----END PGP SIGNATURE-----
___________________________________________________________ $0 Web Hosting with up to 120MB web space, 1000 MB Transfer 10 Personalized POP and Web E-mail Accounts, and much more. Signup at www.doteasy.com
---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
