How high user-specified SQL LIMITs should I allow?
I have software that LIMITs queries based on user input. I'm aware of SQL injections and DOS possibilities here, so I'm not interested in hearing about those. What I wonder is how high a limit I should put for common requests like getting the latest X items. Currently I allow the client to specify the value, and I make sure the LIMIT is always between 1 and 100. Is that good?
It's perfect.
Allowing the client to keep himself within boundaries is great thinking ahead.
You should allow whatever makes sense in the UI. Typically end-users are offered a handful of predefined choices (10, 25, 50, 100, etc.).
Does it make sense to allow them to generate a single row for the UI they are using? 100? 57?
Yes, you can inject SQL in the LIMIT, so make sure the value is an integer: intval($_GET['size']);
In terms of the size limit, it comes down to resource usage. If you don't have a problem with resource consumption and/or the data you are selecting is very small, then it follows that the cap should be large. 100, even 1,000? If it's useful to the user and you can provide it, then you should.
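The clamping described in the question (keep the client's LIMIT within 1 to 100) together with the integer check from the answer above, as an added example that is not code from any of the posters. It uses Python with an in-memory SQLite table constructed for the demo; the column names, the default of 25 and the MAX_LIMIT constant are assumptions, and the LIMIT is bound as a query parameter rather than spliced into the SQL string.

```python
import sqlite3

DEFAULT_LIMIT = 25   # assumed default when the client sends nothing usable
MAX_LIMIT = 100      # the 1-100 cap from the question; raise it if resources allow


def clamp_limit(raw, default=DEFAULT_LIMIT, max_limit=MAX_LIMIT):
    """Turn an untrusted query-string value into a LIMIT in [1, max_limit].

    Only ASCII decimal digits (optionally surrounded by whitespace) are accepted,
    so '', '-5', '1e9', 'abc' or '10; DROP TABLE items' fall back to the default
    instead of reaching the database.
    """
    if raw is None:
        return default
    text = str(raw).strip()
    if not (text.isascii() and text.isdecimal()):
        return default
    return max(1, min(int(text), max_limit))


def latest_items(conn, raw_limit):
    """Fetch the newest rows; the LIMIT is a bound parameter, never interpolated."""
    limit = clamp_limit(raw_limit)
    cur = conn.execute(
        "SELECT id, title FROM items ORDER BY created_at DESC, id DESC LIMIT ?",
        (limit,),
    )
    return cur.fetchall()


def demo_connection(n_rows=250):
    """Constructed in-memory table (250 rows) so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, created_at INTEGER)"
    )
    conn.executemany(
        "INSERT INTO items (title, created_at) VALUES (?, ?)",
        [(f"item {i}", i) for i in range(1, n_rows + 1)],
    )
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    for raw in ["10", "57", "100000", "0", "-5", "abc", "10; DROP TABLE items", None]:
        rows = latest_items(conn, raw)
        print(f"{raw!r:>25} -> LIMIT {clamp_limit(raw):>3} -> {len(rows)} rows")
```

Rows are ordered by created_at with id as a tie-breaker so that "latest X" is deterministic even when timestamps collide.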