On Fri, Feb 19, 2010 at 8:18 AM, Dotan Cohen <dotancohen@xxxxxxxxx> wrote:
> In order to prevent SQL injection, can one simply base64 encode the
> data and store that? Then it can be decoded when I need to display it
> on a website. I understand that this means that the data will not be
> searchable, and that I still must sanitize it before printing it on
> the site. Are there any other drawbacks or things to be aware of?
> Thanks.
>
> --
> Dotan Cohen
>

One would be storage space, as base64 requires more space to store the
same data. For a single data element that might not be much, but when
multiplied over all the values stored in your table it makes a difference.

Also, don't forget to validate/filter non-character data, which you
can't do with base64. Something like this is still vulnerable to SQL
injection even though it 'sanitizes' the expected character input:

<?php
// user_id expects an integer value
$user_id = $_POST['user_id'];
$comment = base64_encode($_POST['comment']);
$sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id, '$comment')";
?>

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
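Andrew's point, run end to end as an added example (not code from the thread or from the PHP project): the same INSERT pattern translated to Python against an in-memory SQLite table (an assumed stand-in for the MySQL `comments` table in the post), so you can watch base64 on the comment do nothing for the unquoted integer column, next to a hardened version that validates `user_id` as digits and binds both values as parameters. The request dictionaries, the forged `user_id` value and the table layout are constructed sample input.

```python
import base64
import re
import sqlite3

# Constructed request bodies standing in for $_POST in the original snippet.
HONEST_POST = {"user_id": "7", "comment": "Nice article!"}

# user_id lands in the SQL without quotes, so base64-encoding the comment
# cannot protect it. The attacker closes the first VALUES tuple with a dummy
# base64 comment ('eA==' is base64 of "x") and opens a second row whose
# user_id is 1, so the (legitimately base64-encoded) comment is attributed
# to another user.
EVIL_POST = {"user_id": "7, 'eA=='), (1",
             "comment": "I resign; give my account to Mallory"}


def fresh_db():
    """Assumed schema: integer user_id, text comment."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments ("
               "id INTEGER PRIMARY KEY, user_id INTEGER, comment TEXT)")
    return db


def insert_vulnerable(db, post):
    """The pattern from the post: base64 the comment, interpolate user_id raw."""
    user_id = post["user_id"]
    comment = base64.b64encode(post["comment"].encode()).decode()
    sql = (f"INSERT INTO comments (user_id, comment) "
           f"VALUES ({user_id}, '{comment}')")
    db.execute(sql)
    db.commit()


def insert_hardened(db, post):
    """Validate the integer field, then bind both values as parameters."""
    raw = post["user_id"]
    # ASCII digits only (str.isdigit() would also accept Unicode digits).
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("user_id must be a non-negative integer")
    user_id = int(raw)
    # Store the comment as given; escape it for HTML when displaying it.
    db.execute("INSERT INTO comments (user_id, comment) VALUES (?, ?)",
               (user_id, post["comment"]))
    db.commit()


def stored_comments(db, user_id):
    """Raw stored comment strings for one user."""
    rows = db.execute("SELECT comment FROM comments WHERE user_id = ?",
                      (user_id,))
    return [r[0] for r in rows]


def demo():
    """Run both versions and report what each table ends up containing."""
    vuln = fresh_db()
    insert_vulnerable(vuln, HONEST_POST)
    insert_vulnerable(vuln, EVIL_POST)          # succeeds and inserts two rows
    planted = [base64.b64decode(c).decode() for c in stored_comments(vuln, 1)]

    hard = fresh_db()
    insert_hardened(hard, HONEST_POST)
    try:
        insert_hardened(hard, EVIL_POST)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "planted_as_user_1": planted,           # forged row in the vulnerable table
        "hardened_rejected": rejected,          # True: bad user_id never reaches SQL
        "hardened_rows": hard.execute("SELECT count(*) FROM comments").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version keeps base64 out of the picture entirely: parameter binding handles quoting for the text column, and the digit check is what actually closes the hole in the integer column.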