I was wondering …
We all know that we should validate the user input in the backend, even if we validate it in the frontend. In other words – frontend validation is just for usability, backend validation is for quality and security.
Let’s say I have an input field on my web page and the user can write some text. Is it possible for an attacker to input text so long that it would not fit in the variable which holds the text in the backend? What I’ve seen so far is just making sure that a string would fit in a database field.
String txt = getParameter("usertext");
assert(txt.length() < 201);
// the field in the database:
// user_text varchar(200),
But if the user text is veeery long, so long that String txt would be too small, wouldn’t my program crash at the first line?
I hope this will not be a discussion on how long a String may be. If we can do it w/o heap sizes and virtual memory it will be great 😉
The answer is no: you have no real limit for the String object’s size.
But take into account the following problem: the UTF-8 characters.
I had the problem when the database field sizes were expressed in BYTES (instead of chars, this was the default in my case) for the VARCHAR2 type (it’s an example) and you insert UTF-8 characters which take more than one byte.
Example:
Database field = VARCHAR2 (50)
Validation: string length <= 50
The string €€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€ has less than 50 chars but more than 50 bytes.
The Spring validation considers it as passed (length is less than 50), but the DB insert statement throws an exception…
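The chars-versus-bytes mismatch above, as an added example that is not part of the original answer. It assumes a Java backend (Java 11 or later, for String.repeat) writing to an Oracle VARCHAR2 column; the column size of 50 and the sample strings are constructed for illustration. Note that Spring's @Size constraint and String.length() both count UTF-16 code units, which is a third measure distinct from both the byte count a VARCHAR2(50 BYTE) column enforces and the code-point count a VARCHAR2(50 CHAR) column enforces in an AL32UTF8 database.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;

/**
 * Added example (not from the original post): size a user string the way the
 * database will, so the backend rejects it before the INSERT throws.
 * Column name/size below are assumptions.
 */
public class ColumnLengthCheck {

    /** UTF-8 bytes the string occupies: what VARCHAR2(n BYTE) counts. */
    static int utf8Bytes(String s) {
        return s.getBytes(StandardCharsets.UTF_8).length;
    }

    /**
     * Unicode code points: what VARCHAR2(n CHAR) counts in an AL32UTF8 database.
     * String.length() counts UTF-16 code units instead, so an emoji is 2 there
     * but 1 here.
     */
    static int codePoints(String s) {
        return s.codePointCount(0, s.length());
    }

    /**
     * True if s fits a column declared with the given size, under BYTE
     * (byteSemantics == true) or CHAR length semantics.
     * A NULL value always fits; tighten this if the column is NOT NULL.
     */
    static boolean fits(String s, int declaredSize, boolean byteSemantics) {
        if (s == null) {
            return true;
        }
        int measured = byteSemantics ? utf8Bytes(s) : codePoints(s);
        return measured <= declaredSize;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (assumed column: user_text VARCHAR2(50))
        String ascii = "a".repeat(50);   // 50 chars, 50 bytes: fits either way
        String euros = "€".repeat(45);   // 45 chars, 135 bytes: € is 3 bytes in UTF-8
        String emoji = "😀".repeat(30);  // 30 code points, 60 UTF-16 units, 120 bytes

        for (String s : List.of(ascii, euros, emoji)) {
            System.out.printf(
                "length()=%d codePoints=%d utf8Bytes=%d fits(50 BYTE)=%b fits(50 CHAR)=%b%n",
                s.length(), codePoints(s), utf8Bytes(s),
                fits(s, 50, true), fits(s, 50, false));
        }
        // Expected: the € and emoji strings pass a length() <= 50 check yet
        // fail fits(50 BYTE), which is exactly the ORA error the answer describes.
    }
}
```

The practical fix is to make the backend check measure the same thing the column does: either declare the column with explicit CHAR semantics (Oracle accepts `VARCHAR2(50 CHAR)`) and validate code points, or keep BYTE semantics and validate `utf8Bytes` as above. Relying on the default NLS_LENGTH_SEMANTICS is what produced the surprise in the answer, since it is BYTE unless the DBA changed it.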