Posted on Leave a comment

Here are the recommended maximum data-length limits for common database and programming fields

image thumb 12 1

Software system data schematic

When creating a database, programmers typically stop and scratch their heads when deciding on a maximum data length for the field.  Similarly, hackers fuzzing a field may wonder how many characters should be allocated to the target.  Although there are no definitive standards, we can come close using governmental standards, ISO recommendations, and database best practices based on maximum known values.  Below are common database fields along with their maximum recommended allowable length and data type.

FieldMax lengthNotes
First name35 chars (US), 50 (other)
Last name35 chars (US), 50 (other)
Display name70 chars (US) 100 (other)
Street address35 chars (US) 100 (other)The longest street name in the United States is 34 characters long.  The longest in the world (in New Zealand) is 92 letters long.
Town25 chars (US) 60 (other)
State15 chars (US) 50 (other)
Country name55 chars Currently the longest country name in the world is 53 characters long
Postal code9 chars
Monetary amounts16 charsUse common sense here, a smaller field size would likely work
Dates10 charsCCYY-MM-DD
Email address254 chars According to spec with clarification from IETF RFC Errata in 2010
Phone number15 charsAccording to ITU-T
Phone number extension11 chars
Credit card number19 digitsMost are 16 digits
CVV field4 digitsSome are only 3 digits
IP address12 digits
Company name100 charsHighly variable but the longest name in the US is believed to be a law firm with a 92 character name.
Longitude9 (with 6 decimal places)6 decimal positions for .1m resolution or 5 decimal positions for 1m resolution
Latitude8 (with 6 decimal places)6 decimal positions for .1m resolution or 5 decimal positions for 1m resolution


Remember that in most databases, there may be no overhead distance between a smaller sized field and a larger sized field.  You can err on the side of caution and allow more characters but the practice is not considered secure.