I'd like to know if it's a security risk to have a URL similar to the following:
http://www.mytestapp.com/results?limit=1234
The limit GET parameter would then be checked as valid integer and passed directly into a query.
What would happen if a user changed this parameter to a very large number? For a huge database, would that cause an effect similar to denial of service?
What is the best practice for having a variable result limit?
Don't just pass the GET variable directly into your query. If you did, then I could do SQL injection like this:
http://www.mytestapp.com/results?limit=1%3BDROP%20TABLE%20USERS
And your query would end up looking like:
select * from some_table where parameter = 3 limit 1;DROP TABLE USERS
I'm assuming you're trying to do paging. If so, you'll want to have something like:
http://www.mytestapp.com/results?page=1&size=10
Then, on your backend, verify that page and size are both integers, and both of a reasonable size. Maybe set limits on what size can be, perhaps only multiples of 10 up to 100, for example.
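The following is an added example (not part of the question or the answer above) showing one way to implement the answer's advice: strictly validate `page` and `size` before they go anywhere near the database, then bind them as parameters to a `LIMIT ... OFFSET ...` query instead of concatenating them into SQL. The table name `some_table`, the columns, the `MAX_PAGE` cap and the in-memory SQLite database are all assumptions made for the demo.

```python
import re
import sqlite3

# Policy constants (assumed values for this demo, not from the original post).
MAX_PAGE_SIZE = 100                                # upper bound on rows per page
ALLOWED_SIZES = range(10, MAX_PAGE_SIZE + 1, 10)   # 10, 20, ..., 100
MAX_PAGE = 100_000                                 # keeps OFFSET within sane bounds

# Only plain ASCII digits: rejects "1;DROP TABLE USERS", "-5", " 3", unicode digits, etc.
_DIGITS = re.compile(r"[0-9]{1,9}")


def parse_paging(params):
    """Validate 'page' and 'size' from a dict of query-string parameters.

    Returns (page, size) as ints, or raises ValueError on anything that is not
    a positive integer within the configured limits.
    """
    raw_page = params.get("page", "1")
    raw_size = params.get("size", "10")
    if not (isinstance(raw_page, str) and _DIGITS.fullmatch(raw_page)):
        raise ValueError("page must be a positive integer")
    if not (isinstance(raw_size, str) and _DIGITS.fullmatch(raw_size)):
        raise ValueError("size must be a positive integer")
    page, size = int(raw_page), int(raw_size)
    if not 1 <= page <= MAX_PAGE:
        raise ValueError(f"page must be between 1 and {MAX_PAGE}")
    if size not in ALLOWED_SIZES:
        raise ValueError(f"size must be a multiple of 10 between 10 and {MAX_PAGE_SIZE}")
    return page, size


def is_valid_paging(params):
    """Convenience wrapper: True if parse_paging accepts the parameters."""
    try:
        parse_paging(params)
        return True
    except ValueError:
        return False


def fetch_page(conn, parameter, page, size):
    """Fetch one page of results using bound parameters, never string building.

    The values are sent to the driver separately from the SQL text, so even if
    validation were bypassed they could not alter the query's structure.
    """
    offset = (page - 1) * size
    return conn.execute(
        "SELECT id, name FROM some_table WHERE parameter = ? "
        "ORDER BY id LIMIT ? OFFSET ?",
        (parameter, size, offset),
    ).fetchall()


def build_demo_db():
    """Constructed sample data: 25 rows with parameter=3 and one unrelated row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE some_table (id INTEGER PRIMARY KEY, parameter INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO some_table (parameter, name) VALUES (?, ?)",
        [(3, f"row{i}") for i in range(1, 26)] + [(4, "other")],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    page, size = parse_paging({"page": "3", "size": "10"})
    print(len(fetch_page(db, 3, page, size)), "rows on page", page)
    for bad in ({"size": "1;DROP TABLE USERS"}, {"size": "999999999"}, {"page": "0"}):
        print(bad, "->", "accepted" if is_valid_paging(bad) else "rejected")
```

Because `size` is checked against a fixed whitelist and `page` against a cap, a client cannot request an arbitrarily large result set or an absurd offset, which addresses the denial-of-service concern in the question; the parameter binding in `fetch_page` addresses the injection concern in the answer.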