In theory the correct answer is no upper limit for name lengths. Allow the user to enter whatever their name is using whatever characters are available to them so that you will never run into a circumstance where someone is prevented from entering their valid real name.

In practice that is not possible to implement. These limitations can be subjective, such as what constitutes a "real" name so that you don't end up with names like:

Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

To this end Facebook, for example, has a fairly straightforward set of constraints they enforce:

- Symbols, numbers, unusual capitalization, repeating characters or punctuation.
- Titles of any kind (ex: professional, religious, etc).
- Words, phrases, or nicknames in place of a middle name.
- Offensive or suggestive content of any kind.

Length is not explicitly mentioned, however according to this SO post the limit is currently 50 chars. In Active Directory the Display-Name attribute is limited to 256 characters. You could research multiple services to see what their length limits are, but the truth is you need to decide for yourself what is acceptable.

There is one limitation that is not subjective: security.

Any interface that accepts and internalizes user input absolutely must without question treat input as a threat that must be validated and sanitized. Input should be validated to ensure it is of the correct type, length, format, and range. Input should be sanitized to prevent Little Bobby Tables from ruining your day. But in the case where a weakness in your sanitization is discovered, the validation step (including checking for length) offers protection by limiting how the attacker can exploit a vulnerability.

There is another objective limitation: storage capacity. There is nobody in any culture in the entire world that has a name that is legitimately 1,073,741,823 bytes long (the upper bound of an ntext data type in SQL Server). But even that is a limit which is a technical limitation of the data store.

The problem is that no limit is not an option for several reasons, some arguably subjective while others objective, real, and unavoidable.

But we also don't want to have users be unduly constrained.

A well-designed system will ensure that both needs are met without the user ever knowing that there is a limitation in place to begin with. It should be transparently secure and usable. To that end, I think a reasonable limit should be (arbitrarily) 25% longer than the longest name in your current data set. Given a large enough sample, that should ensure you will be giving your users enough breathing room but not allowing a malicious user to try to exploit your system.

50 characters (of which 15-25, depending on layout, are visible in the form input field) for the family name should be plenty. For consistency, one should assign the same amount for the first name(s). I decided on the number 50 a decade or so ago because the longest realistic name I could come up with ad hoc was 15 characters, and 3x15 = 45 (3x for being safe), rounded up to 50. I've been using that magic number since then, and so far have not had any complaints. Yes, in an ideal world, there should be no limits, and every limit that you choose is "wrong" the moment you choose it.
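The layering described in the security paragraph (validate type and length first, then keep the value as data when it reaches the store) can look like the following. This is an added example, not code from the original text; the 50-character default and the 25% headroom are the figures quoted on this page, while the function names, the users table and the sample names are constructed for illustration.

```python
import math
import sqlite3
import unicodedata

MAX_NAME_CHARS = 50  # figure quoted on this page; tune it for your own data

def suggested_limit(existing_names, headroom=0.25):
    """Longest name currently stored plus 25% headroom, rounded up."""
    longest = max((len(unicodedata.normalize("NFC", n)) for n in existing_names), default=0)
    return math.ceil(longest * (1 + headroom))

def validate_name(raw, max_chars=MAX_NAME_CHARS):
    """Return the cleaned name or raise ValueError. Any script is accepted."""
    if not isinstance(raw, str):
        raise ValueError("name must be text")
    # Normalise first so composed and decomposed spellings count the same.
    name = unicodedata.normalize("NFC", raw).strip()
    if not name:
        raise ValueError("name is empty")
    # Count code points, not bytes: 'Zoë' is 3 characters but 4 UTF-8 bytes.
    if len(name) > max_chars:
        raise ValueError("name is too long")
    # Category Cc = control characters (NUL, escape, embedded newlines ...).
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        raise ValueError("name contains control characters")
    return name

def store_name(conn, raw):
    name = validate_name(raw)
    # Parameter binding keeps the value as data even if validation misses something.
    conn.execute("INSERT INTO users (family_name) VALUES (?)", (name,))
    return name

def demo():
    conn = sqlite3.connect(":memory:")  # throwaway database for the example
    conn.execute("CREATE TABLE users (family_name TEXT NOT NULL)")
    # Constructed sample inputs, including the 'Bobby Tables' style name.
    samples = ["O'Brien", "Nguyễn", "Robert'); DROP TABLE users;--", "a" * 127, "Bob\x00"]
    results = {}
    for s in samples:
        try:
            store_name(conn, s)
            results[s] = "stored"
        except ValueError as exc:
            results[s] = str(exc)
    return results, conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```

The quote-laden name is short enough to pass the length check and is stored verbatim as a string, while the 127-character and NUL-containing inputs are rejected before they reach the database.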