I'm trying to protect my back end from possible malicious POSTs.

Each back end method has a certain set of variables expected in JSON that correspond to fields in a MySQL table, so I figured it would be good if I limited the maximum number of characters receivable in any of those methods to the sum of what could possibly go into these fields, plus the overhead from JSON formatting.

How can I find out the maximum length in string representation to any of the fields that I have in my tables?

phpMyAdmin displays a (number) next to the type of each field when viewing the structure of a table that seems to be what I want, like an UNSIGNED INT can have a maximum of 10 characters, UNSIGNED BIGINT is 20 and CHAR(127) is 127, but I'm unsure what this number really means.

user81993
  • `like an UNSIGNED INT can have a maximum of 10 characters, UNSIGNED BIGINT is 20` That's wrong https://dev.mysql.com/doc/refman/8.0/en/integer-types.html ... `UNSIGNED INT(20)` the `(20)` here is used for ZEROFILL ( https://dev.mysql.com/doc/refman/5.5/en/numeric-type-attributes.html ), not for defining the maximum character size. – Raymond Nijland Sep 10 '18 at 12:51
  • Isn't it better/faster just to have some mappings in PHP of what field can have what length? Why query the DB with each insert/update? What will you do with `TEXT` fields? – Justinas Sep 10 '18 at 12:56
  • "I'm trying to protect my back end from possible malicious POST's. " Kinda broad, by the way: are you trying to protect against SQL injection, cross-site scripting? There are a lot of possible attacks on web applications.. – Raymond Nijland Sep 10 '18 at 12:58
  • @Justinas not every insert, I'd just do it once during setup and save the information in a local file, this way it would be fully automated and most accurate, for types like text I'd have manual entry – user81993 Sep 10 '18 at 13:00
  • @RaymondNijland it's not injections I'm trying to protect against with this, but rather malicious waste of bandwidth – user81993 Sep 10 '18 at 13:01
  • You're better off indeed writing a filter in a client programming language (PHP in this case).. if you have a name field, don't allow `!@#$%^&*()_+{}:"|<>?[];'\,./` (as example) in the name post data; if there is, just don't accept the data.. Do **NOT** fix the post field data by removing those bad chars. – Raymond Nijland Sep 10 '18 at 13:02
  • "its not injections I'm trying to protect with this but rather malicious waste of bandwidth " You mean incoming data from a client here, right? I doubt you can even prevent that; it is just the way the IP/TCP protocol works... This goes more into the direction of preventing DDoS attacks (which is an extremely malicious waste of bandwidth) with special hardware.. – Raymond Nijland Sep 10 '18 at 13:18

1 Answer

You can query the metadata from MySQL (there's more than what I showed too).

-- Column metadata for one table; the view also carries COLUMN_TYPE (shows
-- UNSIGNED) and IS_NULLABLE, among others.
select COLUMN_NAME, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH,
    NUMERIC_SCALE, NUMERIC_PRECISION
from information_schema.columns
where table_name = '<table_name>'      -- placeholder: your table
and table_schema = '<schema_name>';    -- placeholder: your database

This will give you what you're looking for.

I'm not sure your basic plan will work great though. The web server will still take the request and have to get it to you for you to analyze which will take a lot of the overhead. But it won't hurt to cut it off there... so I guess it will be beneficial.

Update

You can limit the post size with the info in this related question: Is there a max size for POST parameter content?.

John Humphreys
  • ah.. I thought I'd somehow be able to terminate the incoming stream of data (using PHP) and was working on trying to detect the problem first but looks like more research required – user81993 Sep 10 '18 at 12:58
  • "RaymondNijland its not injections I'm trying to protect with this but rather malicious waste of bandwidth " Setting the max POST size on the server will not stop malicious waste of bandwidth from a client, by the way @user81993 .. the max POST size tells the server to not accept the data if the POST size was too big, so it was already sent by the client to the server. – Raymond Nijland Sep 10 '18 at 13:15
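The question asks how to turn the column metadata into a per-method byte budget, and the comments point out that the `(10)`/`(20)` display width is not the size limit. The following is an added example, not code from the question or the answer, that does that computation in Python over rows shaped like the output of the answer's `information_schema.columns` query (plus the real `COLUMN_TYPE` and `IS_NULLABLE` columns of that view). The sample rows are constructed; the integer ranges are those from the MySQL integer-types reference linked in the comments, and `escape_factor` is an assumed knob for the worst case where a client JSON-escapes every character of a string value (`\uXXXX`, six characters per character).

```python
import json

# Value ranges of MySQL integer types: (signed_min, signed_max, unsigned_max).
INT_RANGES = {
    "tinyint": (-128, 127, 255),
    "smallint": (-32768, 32767, 65535),
    "mediumint": (-8388608, 8388607, 16777215),
    "int": (-2147483648, 2147483647, 4294967295),
    "bigint": (-9223372036854775808, 9223372036854775807, 18446744073709551615),
}
INT_RANGES["integer"] = INT_RANGES["int"]

STRING_TYPES = {"char", "varchar", "tinytext", "text", "mediumtext", "longtext"}


def max_json_value_len(col, escape_factor=1):
    """Longest JSON encoding of one value of this column, in characters.

    `col` is a dict keyed like information_schema.columns (COLUMN_NAME, DATA_TYPE,
    CHARACTER_MAXIMUM_LENGTH, NUMERIC_PRECISION, NUMERIC_SCALE, COLUMN_TYPE,
    IS_NULLABLE). Unknown types raise so they are entered by hand, as the
    question suggests for TEXT-like fields.
    """
    dt = col["DATA_TYPE"].lower()
    unsigned = "unsigned" in (col.get("COLUMN_TYPE") or "").lower()
    if dt in INT_RANGES:
        lo, hi, uhi = INT_RANGES[dt]
        # The "(10)" phpMyAdmin shows is only the display width; the real bound
        # is the digit count (and sign) of the extreme values.
        length = len(str(uhi)) if unsigned else max(len(str(lo)), len(str(hi)))
    elif dt in ("decimal", "numeric"):
        p = int(col["NUMERIC_PRECISION"])
        s = int(col.get("NUMERIC_SCALE") or 0)
        int_digits = max(p - s, 1)  # DECIMAL(2,2) prints as 0.99: keep the leading 0
        length = int_digits + (1 + s if s else 0) + (0 if unsigned else 1)
    elif dt in STRING_TYPES:
        # CHARACTER_MAXIMUM_LENGTH counts characters, not bytes; a client may
        # escape each one, so scale by escape_factor and add the two quotes.
        length = int(col["CHARACTER_MAXIMUM_LENGTH"]) * escape_factor + 2
    else:
        raise ValueError(f"no rule for type {dt!r}; set its limit by hand")
    if (col.get("IS_NULLABLE") or "NO").upper() == "YES":
        length = max(length, len("null"))  # a nullable field may arrive as null
    return length


def max_body_len(columns, escape_factor=1):
    """Upper bound on a compact JSON object carrying exactly these columns."""
    total = 2  # the enclosing { }
    for col in columns:
        total += len(json.dumps(col["COLUMN_NAME"])) + 1  # "key":
        total += max_json_value_len(col, escape_factor)
    total += max(len(columns) - 1, 0)  # commas between members
    return total


def body_within_budget(raw_body, columns, escape_factor=1):
    """Cheap pre-parse check: reject oversized bodies before json.loads()."""
    return len(raw_body) <= max_body_len(columns, escape_factor)


# Constructed sample rows, as the answer's query would return them for a
# hypothetical table with an unsigned id, a name, a money column and an age.
SAMPLE_COLUMNS = [
    {"COLUMN_NAME": "id", "DATA_TYPE": "int", "COLUMN_TYPE": "int(10) unsigned",
     "IS_NULLABLE": "NO", "CHARACTER_MAXIMUM_LENGTH": None,
     "NUMERIC_PRECISION": 10, "NUMERIC_SCALE": 0},
    {"COLUMN_NAME": "name", "DATA_TYPE": "varchar", "COLUMN_TYPE": "varchar(64)",
     "IS_NULLABLE": "NO", "CHARACTER_MAXIMUM_LENGTH": 64,
     "NUMERIC_PRECISION": None, "NUMERIC_SCALE": None},
    {"COLUMN_NAME": "balance", "DATA_TYPE": "decimal", "COLUMN_TYPE": "decimal(10,2)",
     "IS_NULLABLE": "NO", "CHARACTER_MAXIMUM_LENGTH": None,
     "NUMERIC_PRECISION": 10, "NUMERIC_SCALE": 2},
    {"COLUMN_NAME": "age", "DATA_TYPE": "tinyint", "COLUMN_TYPE": "tinyint(3) unsigned",
     "IS_NULLABLE": "YES", "CHARACTER_MAXIMUM_LENGTH": None,
     "NUMERIC_PRECISION": 3, "NUMERIC_SCALE": 0},
]

if __name__ == "__main__":
    print("compact bound:", max_body_len(SAMPLE_COLUMNS))
    print("worst-case escaped bound:", max_body_len(SAMPLE_COLUMNS, escape_factor=6))
    print(body_within_budget(b'{"id":1,"name":"x","balance":1.5,"age":null}', SAMPLE_COLUMNS))
```

The bound is for compact JSON; a client that pretty-prints, sends non-ASCII as raw UTF-8 bytes, or escapes every character will produce a larger body, which is why `escape_factor` exists and why the figure should be used as a coarse cut-off at the web server (the `post_max_size`-style limit the answer links to) rather than as an exact validator. As Raymond Nijland notes in the comments, the bytes have already crossed the wire by the time this check runs; what it saves is parsing and database work, not bandwidth.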