From: Mark O'D. <mar...@lu...> - 2001-01-20 09:51:52

Hi Andy

There is no buffer overrun 'that I know of' but there are quite a few spots where strcpy is used in the code. So it is a potential problem. A lot depends upon your situation and what you think of your users. For instance, if you have a web page where people enter their username and address, then limiting these fields to 256 chars might be a good idea. Some of this is really a paranoid approach to building an application, so I wouldn't get too worried about it.

The main point I wanted to make was that currently the client as well as the server has to be entirely trusted.

Cheers
Mark

Andy Canfield wrote:
> It is important for the client application to limit the length of SQL statements so as to avoid buffer overflow errors. Yet I am unable to find any explicit limit on SQL statement length in the beta documentation. For isc_dsql_prepare() and isc_dsql_execute_immediate(), the statement length can be given as an UNSIGNED SHORT parameter. This implies that the maximum statement length is less than 65,536 bytes. My guess is that the maximum SQL statement length that Firebird can handle is 32,767 bytes, the same as the maximum length of a CHAR VARYING field. But it is never stated. Does anyone know?
>
> _______________________________________________
> Firebird-devel mailing list
> Fir...@li...
> http://lists.sourceforge.net/lists/listinfo/firebird-devel

--
Your database needs YOU!
http://firebird.sourceforge.net
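As an added example (not from the thread or the Firebird code base), a client-side guard in C for the two points raised above: a length check before a statement length is passed into an unsigned short parameter, and a bounded replacement for strcpy(). MAX_SQL_LEN is Andy's guessed value and is an assumption, not a documented limit.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed engine limit (Andy's guess of 32,767 bytes); not confirmed in the thread. */
#define MAX_SQL_LEN 32767U

/* Checks a statement length before it is handed to an API that takes the
 * length as an unsigned short. Returns 1 if the length is within
 * MAX_SQL_LEN, 0 otherwise. If 'wrapped' is non-NULL it receives the value
 * the unsigned short parameter would actually see: for lengths of 65,536
 * or more the value is silently reduced modulo 65,536. */
int check_statement_len(size_t len, unsigned short *wrapped)
{
    if (wrapped != NULL)
        *wrapped = (unsigned short)len;   /* same narrowing as passing len directly */
    return len <= MAX_SQL_LEN ? 1 : 0;
}

/* Bounded replacement for strcpy(): copies at most dst_size-1 bytes and
 * always NUL-terminates. Returns 0 on a complete copy, -1 if the source
 * was truncated, so the caller can reject the input instead of continuing. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    char username[257];               /* 256 chars plus terminator, as in Mark's example */
    unsigned short seen;
    check_statement_len(70000, &seen);
    printf("70000 bytes arrives as %u in an unsigned short\n", seen);  /* prints 4464 */
    if (bounded_copy(username, sizeof username, "alice") != 0)
        puts("rejected: username too long");
    return 0;
}
```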