Re: Using base64 encode and decode to store user data in database

At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
In order to prevent SQL injection, can one simply base64 encode the
data and store that? Then it can be decoded when I need to display it
on a website. I understand that this means that the data will not be
searchable, and that I still must sanitize it before printing it on
the site. Are there any other drawbacks or things to be aware of?
Thanks.

--
Dotan Cohen


Dotan:

You're a smart guy, why reinvent the wheel? The entire problem set has already been solved.

Understand there are two issues here: 1) filtering input into a database; 2) escaping output to a browser.

Use mysql_real_escape_string() to filter data before it's stored in a database (input).

Use htmlentities() to retrieve data from the database to be displayed via a browser (output).

That way whatever problems that might exist within the data will be rendered harmless.

An excellent book on this (and much more) is Chris Shiflett's Essential PHP Security. You can pick it up on Amazon for less than $20 -- well worth the cost.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com
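An added illustration of the two layers tedd describes (filtering what goes into the database, escaping what goes out to the browser); this is not code from the thread. Because the old mysql extension with mysql_real_escape_string() was removed in PHP 7, it uses mysqli, with a prepared statement as the preferred input form and real_escape_string() as the direct equivalent; the `$db` connection and the `comments` table are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes a mysqli
// connection $db and a table comments(author VARCHAR, body TEXT).
declare(strict_types=1);

// Layer 1 (input): keep data out of the SQL text entirely. Values are
// sent separately from the query, so quotes or keywords in $author or
// $body cannot change the statement.
function storeComment(mysqli $db, string $author, string $body): bool
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $author, $body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Layer 1, escaping variant (the modern form of tedd's advice): if the
// value is interpolated, it must be escaped AND sit inside quotes in
// the resulting SQL; escaping an unquoted number or identifier does
// nothing.
function storeCommentEscaped(mysqli $db, string $author, string $body): bool
{
    $a = $db->real_escape_string($author);
    $b = $db->real_escape_string($body);
    return (bool) $db->query("INSERT INTO comments (author, body) VALUES ('$a', '$b')");
}

// Layer 2 (output): escape at the moment of display, not at storage.
// ENT_QUOTES also encodes single quotes, so the value is safe inside
// attribute values; the charset must match the page's <meta charset>.
function renderComment(string $author, string $body): string
{
    $safeAuthor = htmlentities($author, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeBody   = htmlentities($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p><b>$safeAuthor</b>: $safeBody</p>";
}

// Base64 at rest changes neither layer: the decoded text is the
// original text, so it still needs renderComment() before output,
// and the encoded form still has to reach the database via layer 1.
$stored = base64_encode("O'Reilly <b>bold</b>");
echo renderComment('tedd', base64_decode($stored));
```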

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

