views: 41
answers: 3

Hi,

I have software that LIMITs queries based on user input. I'm aware of SQL injection and DoS possibilities here, so I'm not interested in hearing about those. What I wonder is how high a limit I should put on common requests like getting the latest X items. Currently I allow the client to specify the value, and I make sure the LIMIT is always between 1 and 100. Is that good?

+2  A: 

It's perfect.

Allowing the client to keep himself within boundaries is great thinking ahead.

Frankie
A: 

You should allow whatever makes sense in the UI. Typically end users are offered a handful of predefined choices (10, 25, 50, 100, etc.).

Does it make sense to allow them to generate a single row for the UI they are using? 100? 57?

jasonbar
Yeah, but what about input validation?
Rook
@Rook, What about it? He said he was aware of the possibility and didn't want a lecture on it. Of course you should validate and sanitize input.
jasonbar
A: 

Yes, you can inject SQL in the LIMIT, so make sure the value is an integer: intval($_GET['size']);

In terms of the size limit, it comes down to resource usage. If you don't have a problem with resource consumption and/or the data you are selecting is very small, then it follows that the cap should be large. 100, even 1,000? If it's useful to the user and you can provide it, then you should.

Rook
@Rook don't understand why anyone would downvote this. Upvoted just to make clear that this answer goes well beyond what was asked and is also good. Even though I believe my "It's perfect" works great this **is a good answer!**
Frankie
@Frankie Thanks Frankie.
Rook
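As an added example (not code from the question or from any of the answers), here is how the 1 to 100 clamp from the question and the "make sure it is an integer" check from Rook's answer look together in Python with sqlite3. The bounds come from the question; DEFAULT_LIMIT, the items table and the sample rows are assumptions made for the demo:

```python
import re
import sqlite3

# Added example, not code from the original post. MIN/MAX are the 1..100
# window from the question; DEFAULT_LIMIT is an assumption for the demo.
MIN_LIMIT = 1
MAX_LIMIT = 100
DEFAULT_LIMIT = 25

# Plain decimal digits only, capped at 9 digits so int() can never be huge.
_INT_RE = re.compile(r"^[0-9]{1,9}$")


def page_size(raw):
    """Turn a client-supplied LIMIT value into a safe integer.

    Only a bare decimal string is accepted (no sign, whitespace, hex or
    exponent), so there is no leading-digit leniency of the kind where
    intval("10 OR 1=1") silently yields 10. A missing value gets the
    default; out-of-range values are clamped rather than rejected, since
    a too-large page is a resource question, not an attack.
    """
    if raw is None or raw == "":
        return DEFAULT_LIMIT
    if not isinstance(raw, str) or not _INT_RE.fullmatch(raw):
        raise ValueError("limit must be a positive decimal integer")
    return max(MIN_LIMIT, min(MAX_LIMIT, int(raw)))


def latest_items(conn, raw_limit):
    """Return the newest rows, binding LIMIT as a query parameter.

    page_size() already guarantees an int, but the value still goes in
    as a bound parameter rather than via string formatting, so the query
    text itself never depends on client input.
    """
    limit = page_size(raw_limit)
    cur = conn.execute(
        "SELECT id, title FROM items ORDER BY created_at DESC, id DESC LIMIT ?",
        (limit,),
    )
    return cur.fetchall()


def demo_connection(n=150):
    """Constructed in-memory table for the demo; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, created_at INTEGER)"
    )
    conn.executemany(
        "INSERT INTO items (id, title, created_at) VALUES (?, ?, ?)",
        [(i, f"item {i}", 1_000_000 + i) for i in range(1, n + 1)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    for raw in ("10", "0", "5000", None, "57"):
        print(repr(raw), "->", len(latest_items(conn, raw)), "rows")
    for bad in ("10 OR 1=1", "-1", "1e2", " 5", "0x10"):
        try:
            page_size(bad)
        except ValueError as e:
            print(repr(bad), "rejected:", e)
```

The two decisions worth noticing are that malformed input is rejected outright while merely out-of-range input is clamped, and that the LIMIT is bound as a parameter even after validation, so the query never has to trust that the clamp was applied on every code path.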