[EMAIL PROTECTED] (Florian Weimer) wrote in [EMAIL PROTECTED]:">news:[EMAIL PROTECTED]:
> Gavin Sherry <[EMAIL PROTECTED]> writes: > >>> Yes, but if you just check that the date given by the user matches the >>> regular expression "[0-9]+-[0-9]+-[0-9]+", it's still possible to >>> crash the backend. > >> Anyone who is using that regular expression in an attempt to validate a >> user supplied date is already in trouble. > > I don't understand why extremely strict syntax checks are necessary. > The database has to parse it again anyway, and if you can't rely on > the database to get this simple parsing right, will it store your > data? Such a reasoning doesn't seem to be too far-fetched to me I believe this is often referred to as the layered onion approach of security, besides that what constitutes extremely strict syntax checking is somewhat subjective. What about checking the input for backslash, quote, and double quote (\'")? If you are not taking care of those in input then crashing the backend is going to be the least of your worries. I think there needs to be some level of checking before the input is blindly passed to the backend for parsing. Typically the input for an individual field wouldnt be more than ~255 characters, unless you are dealing with TEXT or lo's. I dont consider adding a length check to the usual \'" check to be extreme... but perhaps just as necssary? ---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
