How high user-specified SQL LIMITs should I allow?

views:

answers:

How high user-specified SQL LIMITs should I allow?

Hi,

I have a software that LIMITs queries based on user input. I'm aware of SQL injections and DOS possibilities here so I'm not interested in hearing about those. What I wonder is that how high limit should I put for common requests like getting the latest X items? Currently I allow the client to specify the value, and I make sure the LIMIT is always between 1 - 100. Is that good?

+2 A:

It's perfect.

Allowing the client to keep himself within boundaries is great thinking ahead.

Frankie 2010-09-08 16:37:21

You should allow whatever makes sense in the UI. Typically end-users are offered a handful of predefined choices (10, 25, 50, 100, etc...)

Does it make sense to allow them to generate a single row for the UI they are using? 100? 57?

jasonbar 2010-09-08 16:37:33

Yeah, but what about input validation?

Rook 2010-09-08 21:49:09

@Rook, What about it? He said he was aware of the possibility and didn't want a lecture on it. Of course you should validate and sanitize input.

jasonbar 2010-09-08 23:29:33

Yes you can inject sql in the limit, make sure the value is an integer intval($_GET[size]);.

In terms of the size limit. It comes down to resource usage. If you don't have a problem with resource consumption and/or the data you are selecting is very small. Then it follow the cap should be large. 100, even 1,000? If its useful to the user and you can provide it, then you should.

Rook 2010-09-08 21:44:17

@Rook don't understand why anyone would downvote this. Upvoted just to make clear that this answer goes well beyond what was asked and is also good. Even though I believe my "It's perfect" works great this **is a good answer!**

Frankie 2010-09-08 23:18:35

@Frankie Thanks Frankie.

Rook 2010-09-09 01:51:08

ansaurus

tags:

views:

answers:

How high user-specified SQL LIMITs should I allow?

related questions