Re: field validation (was Re: COBOL/DB2 Date edit question)





"Howard Brazee" <howard@xxxxxxxxxx> wrote in message
news:kgi3c3hhkvnto090oq9tsa97509uunq5g2@xxxxxxxxxx
> On Wed, 15 Aug 2007 03:22:49 +1200, "Pete Dashwood"
> <dashwood@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>>> Why are they counting digits? Because editing is Right and Proper?
>>
>> No, Howard, editing string length for input fields on web pages is a
>> valuable and accepted line of defence against SQL injection attacks. (It
>> is only one measure, but a very important one.)
>>
>> It is a pain (I hate writing it), but in today's world it is a necessary
>> evil.
>
> Then allow me to enter my complete Zip code. Are 9 digit postal
> codes more dangerous to enter than are 5 digit postal codes?

Allowing a longer input where a shorter one would do is, in principle,
higher risk.

I don't know about your Zip codes, specifically, so I can't comment on that.

I do know that allowing excessive length ('excessive' being 'more than
required') on a web input field is taking a risk that can be eliminated if
you don't allow it. Certainly, I can't think of much I can do with 4
characters of SQL, but there are smarter people than me out there (maybe
tokenized...I dunno.) Why take the risk?

I would add that if you think the use of a web page is stupid, most Web
Masters would be pleased to have your input (I like it when people complain
about my pages because I fix them and the complaints diminish... Then the
next site I build, I have all that user experience :-))

Pete.
--
"I used to write COBOL...now I can do anything."
