Re: Validating Data

From: Robert Klemme <>
Date: Sun, 26 Feb 2012 00:39:11 +0100
Message-ID: <>

On 24.02.2012 07:41, Mladen Gogala wrote:
> On Thu, 23 Feb 2012 06:51:33 -0800, ExecMan wrote:

>> We have a stored procedure called from a PHP web application. The
>> parameters received are of VARCHAR2, but we've seen non-printable
>> characters come through, which throw errors.
>> If there any type of RegExp of anything I can run to detect if the
>> parameter contains non-ascii characters? (Granted, application should
>> check this before sending it to the database, but I did not write the
>> application).

> With all due respect, why would you use a database for such thing?

The most prominent reason is that general rule to check inputs when they enter a system. Granted, it's debatable where we would see the system boundary in this case, but a stored procedure per se is public and can be invoked from any piece of software which can provide the proper credentials. If the SP imposes restrictions on the content of arguments it is reasonable to enforce them. OTOH, if it just passes the data on the check could be done elsewhere (constraint for example).

Of course should the application make sure it does not pass illegal data on to the database layer. But we do have FK constraints and other constraints in the DB already - which is reasonable since data can be fed to tables via SQL PLus or other means at will (and in fact this is one of the features of using a RDBMS with a well known query language).   Proper constraints help maintain data integrity even at the expense of duplicating checks.

Of course the OP's issue can still be just an NLS thing as Joel indicated and might be fixed by other means.

Kind regards


remember.guy do |as, often| as.you_can - without end
Received on Sat Feb 25 2012 - 17:39:11 CST

Original text of this message