Re: Using base64 encode and decode to store user data in database

On Fri, Feb 19, 2010 at 8:18 AM, Dotan Cohen <dotancohen@xxxxxxxxx> wrote:
> In order to prevent SQL injection, can one simply base64 encode the
> data and store that? Then it can be decoded when I need to display it
> on a website. I understand that this means that the data will not be
> searchable, and that I still must sanitize it before printing it on
> the site. Are there any other drawbacks or things to be aware of?
> Thanks.
>
> --
> Dotan Cohen
>

One would be storage space, as base64 requires more space to store the
same data. For a single data element that might not be much, but when
multiplied over all the values stored in your table it makes a
difference.

Also, don't forget to validate/filter non-character data, which you
can't do with base64. Something like this is still vulnerable to SQL
injection even though it 'sanitizes' the expected character input:

<?php
// user_id expects an integer value, but nothing here checks that it is one:
// base64 only covers the comment, not this field.
$user_id = $_POST['user_id'];

// The encoded comment cannot break out of its quotes on its own.
$comment = base64_encode($_POST['comment']);

// $user_id is interpolated unquoted and unvalidated, so the query is still injectable.
$sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id, '$comment')";
?>



Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
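The same insert written the way a reviewer would ask for it, as an added example that is not part of the original thread: the integer field gets an explicit check, and both values reach the database through a PDO prepared statement, which removes the reason for base64 in the first place. It assumes a PDO connection and a `comments` table with the two columns from Andrew's snippet; the SQLite setup and the sample input are constructed for the demonstration.

```php
<?php
// Added example, not code from the original thread. Assumes a PDO
// connection to a database holding the `comments` table from the snippet.

/**
 * Validate user_id as a positive integer, or return null when it is not one.
 * base64_encode() accepts any string, so it cannot do this job for an
 * integer column; the check has to be explicit.
 */
function validateUserId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Insert a comment. Neither value is ever spliced into the SQL text: the
 * statement is prepared with placeholders and the data is bound afterwards,
 * so the comment needs no encoding and stays searchable in the database.
 */
function insertComment(PDO $pdo, $rawUserId, string $comment): bool
{
    $userId = validateUserId($rawUserId);
    if ($userId === null) {
        return false; // reject rather than interpolate an unchecked value
    }
    $stmt = $pdo->prepare(
        'INSERT INTO `comments` (user_id, comment) VALUES (:user_id, :comment)'
    );
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':comment', $comment, PDO::PARAM_STR);
    return $stmt->execute();
}

// Constructed sample database and input standing in for $_POST.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `comments` (user_id INTEGER, comment TEXT)');

$post = ['user_id' => '42', 'comment' => "It's a comment; with 'quotes' and --dashes"];
var_dump(insertComment($pdo, $post['user_id'], $post['comment']));   // accepted
var_dump(insertComment($pdo, 'not-a-number', $post['comment']));     // rejected by validateUserId()

// The stored comment is readable as-is, no decode step needed.
var_dump($pdo->query('SELECT comment FROM `comments`')->fetchColumn());
```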

