Gavin Sherry <[EMAIL PROTECTED]> writes: >> Yes, but if you just check that the date given by the user matches the >> regular expression "[0-9]+-[0-9]+-[0-9]+", it's still possible to >> crash the backend.
> Anyone who is using that regular expression in an attempt to validate a > user supplied date is already in trouble. I don't understand why extremely strict syntax checks are necessary. The database has to parse it again anyway, and if you can't rely on the database to get this simple parsing right, will it store your data? Such a reasoning doesn't seem to be too far-fetched to me I would probably impose a length limit in the frontend that uses the database, but the PostgreSQL documentation does not state that this is a requirement (because the parsers in the backend are so fragile). -- Florian Weimer [EMAIL PROTECTED] University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT fax +49-711-685-5898 ---------------------------(end of broadcast)--------------------------- TIP 4: Don't 'kill -9' the postmaster
