
Is it safe to have a big table in a database?

My client's site has an 'online evaluation' section, which consists of a 40-field form. Each field requires user input, which I have programmed to allow from 50 to 200 characters depending on the question.

Then the form is sent to the client's mail, but it is also stored in a database so the client can check all the forms later.

I'm using CodeIgniter, and I used Active Record to prevent SQL injection. I also spambot-validated it with a method I found posted in another question. I have two hidden fields, one hidden with CSS. If the values are filled in or do not match, then the form does not validate. (By the way, is this enough, or should I also add a captcha?)

The code is something like this:

<!-- the text input below is hidden with CSS -->
<p class="mail"><input type="text" name="mail" id="mail" /></p>
<input type="hidden" name="mail" value="some value" />

And then I validate it:

// honeypot check: a bot that fills in the hidden text field is rejected
if ($this->input->post('mail', true) != '' && $this->input->post('mail', true) != 'some value')
{
    die('could not send your request');
}
else
{
    // process the form
}

My question is: when creating the database table, since I added 42 fields, I don't know if it was my PC, but my internet connection really slowed down and almost crashed. I'm worried that maybe an attacker could try to fill in this form several times, filling each field completely, and then the database collapses? Is this possible?

Is it safer to have that table divided into maybe two or three different tables? Or is that pointless? I don't know much about security; I'm trying to find places to learn, but all the info I find is full of terminology I don't really understand, so it's quite hard. I appreciate your help very much.

Edit: what would be the correct way of doing it?

A database is made for storing data.

Of course every system has limitations, but even with a single machine and a classical relational database, the vast majority of all projects have no problems performance-wise.

Breaking up into multiple tables makes no sense.

From a performance point of view, just make sure that you have your indexes right for your queries. It sounds like text fields would be a good choice for your schema, since you don't need to index the answers and they can vary in length.

Of course you can use captchas, but generally I would recommend only employing them if you in fact do have spam problems.

The honeypot practice you described is, at least for now, a good one.

Also no matter how slow your connection, I do not think that transmitting that little text will fill it up.

I hope that answers all obvious parts of the question. If you need more information, please describe your exact problem a bit more precisely and give more information about your system setup.

Don't increase the complexity of your information storage system to accommodate the servers. The KISS principle is something to be well aware of. Databases are designed to store information, and in some web applications, there are absolutely huge databases. As far as security, assuming you've got the obvious down, you should be fine. If you really want to you can add the timestamp and IP address to the list of stored information (if they weren't on there already, which for security and debugging reasons, often should be), and then put in a function which checks how many entries have been recently entered by that IP address and locks someone out if they pass a certain threshold, and if and only if you actually have experienced problems with spam you can add in captcha, but that tends to decrease user satisfaction. Considering that some applications upload images, which can easily be in the tens of megabytes, that's millions of characters, to databases, though at that point it becomes more efficient to store them elsewhere in the server, storing large amounts of text data in a single table shouldn't be an issue.
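The per-IP threshold check described above, as an added example that is not from either answer or from the asker's CodeIgniter code: a single wide table with 40 TEXT answer columns plus IP and timestamp, an index on (ip, submitted_at), and a submit function that rejects over-long answers and submissions beyond a constructed limit of 5 per 10 minutes. It uses Python with sqlite3 in memory; the schema, table name and threshold values are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta

NUM_FIELDS = 40          # the form's 40 answer fields
MAX_FIELD_LEN = 200      # longest answer the form accepts
MAX_PER_WINDOW = 5       # constructed threshold: submissions per IP per window
WINDOW = timedelta(minutes=10)

# One wide table: 40 TEXT answer columns plus IP and timestamp. The schema
# is a constructed example, not the asker's real table.
ANSWER_COLS = [f"q{i:02d}" for i in range(1, NUM_FIELDS + 1)]
SCHEMA = (
    "CREATE TABLE evaluations (id INTEGER PRIMARY KEY, ip TEXT NOT NULL, "
    "submitted_at TEXT NOT NULL, "
    + ", ".join(f"{c} TEXT" for c in ANSWER_COLS) + ");"
    "CREATE INDEX idx_eval_ip_time ON evaluations (ip, submitted_at);"
)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def recent_count(conn, ip, now):
    """Submissions from this IP inside the window (served by the ip/time index)."""
    since = (now - WINDOW).isoformat()
    return conn.execute(
        "SELECT COUNT(*) FROM evaluations WHERE ip = ? AND submitted_at >= ?",
        (ip, since),
    ).fetchone()[0]


def submit(conn, ip, answers, now):
    """Store one form; returns a short status string so callers can log it."""
    if len(answers) != NUM_FIELDS:
        return "rejected: wrong field count"
    if any(len(a) > MAX_FIELD_LEN for a in answers):
        return "rejected: answer too long"
    if recent_count(conn, ip, now) >= MAX_PER_WINDOW:
        return "rejected: rate limit"
    # Column names come from the fixed list above, never from user input;
    # the values themselves are bound as parameters.
    cols = ", ".join(["ip", "submitted_at"] + ANSWER_COLS)
    marks = ", ".join("?" * (NUM_FIELDS + 2))
    conn.execute(f"INSERT INTO evaluations ({cols}) VALUES ({marks})",
                 (ip, now.isoformat(), *answers))
    return "stored"
```

Five full 200-character forms from one IP are stored; the sixth within the window is refused, while another IP and a later window are unaffected.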
