Re: Using base64 encode and decode to store user data in database

On 19 February 2010 16:27, tedd <tedd.sperling@xxxxxxxxx> wrote:
> At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
>>
>> In order to prevent SQL injection, can one simply base64 encode the
>> data and store that? Then it can be decoded when I need to display it
>> on a website. I understand that this means that the data will not be
>> searchable, and that I still must sanitize it before printing it on
>> the site. Are there any other drawbacks or things to be aware of?
>> Thanks.
>>
>> --
>> Dotan Cohen
>
>
> Dotan:
>
> You're a smart guy, why reinvent the wheel? The entire problem set has
> already been solved.
>
> Understand there are two issues here: 1) filtering input into a database; 2)
> escaping output to a browser.
>
> Use mysql_real_escape_string() to filter data before it's stored in a
> database (input).
>

I was under the impression that mysql_real_escape_string() was not a
100% solution. Is it? Note that I serve my pages as UTF-8 and also
declare them as such in the header and meta tag, but that does not
mean that a malicious entity won't return a request in a different
encoding.


> Use htmlentities() to retrieve data from the database to be displayed via a
> browser (output).
>

This I do. I'm not sure if it's enough, so I'd like some reassurance
on the matter. :)


> An excellent book on this (and much more) is Chris Shiflett's Essential PHP
> Security. You can pick it up on Amazon for less than $20 -- well worth the
> cost.
>

They don't ship to Israel! I have looked for it locally, but not found
it. I'm sure that I could "acquire" a copy on some p2p service but I
really don't like doing that. Maybe I could Paypal $20 to Chris
himself if that remains my only option! Chris, what say you? (CCed)


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
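The two halves tedd separates above (filtering on the way into the database, escaping on the way out to the browser) can be shown side by side in a short script. This is an added example, not code from the thread or from either poster; it uses PDO prepared statements rather than mysql_real_escape_string(), and the DSN, credentials, table and column names are placeholders. The point about encodings raised in this reply is real: escaping functions are only correct when the client library knows which character set the connection uses, so the example fixes the charset in the DSN instead of relying on a default.

```php
<?php
// Added example (not from the mailing-list thread). Stores user-supplied text
// with a prepared statement and escapes it again on output. The DSN,
// credentials and table name are placeholders for illustration only.
declare(strict_types=1);

/** Open a PDO connection with the character set fixed on the wire. */
function connect(): PDO
{
    // Naming the charset in the DSN makes driver and server agree on the
    // encoding of every byte they quote or bind; that agreement is the
    // condition an escaping function silently depends on.
    $dsn = 'mysql:host=localhost;dbname=example_db;charset=utf8mb4';
    return new PDO($dsn, 'example_user', 'example_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
    ]);
}

/** Input side: the user's text is bound as a parameter and never becomes SQL text. */
function storeComment(PDO $db, int $userId, string $body): int
{
    $stmt = $db->prepare(
        'INSERT INTO comments (user_id, body) VALUES (:user_id, :body)'
    );
    $stmt->execute([':user_id' => $userId, ':body' => $body]);
    return (int) $db->lastInsertId();
}

/** Output side: escape for the context the value is printed into (HTML body). */
function renderComment(string $body): string
{
    // ENT_QUOTES covers both quote characters, so the result is also safe
    // inside a quoted attribute; the explicit UTF-8 matches the encoding
    // the page declares in its header and meta tag.
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Read a stored comment back and wrap it for display. */
function showComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? '' : '<p>' . renderComment((string) $body) . '</p>';
}

// Usage with a constructed input that contains the quote and angle-bracket
// characters the original question is worried about. The text is stored
// verbatim (so it stays searchable) and is neutralised only at output time.
$db = connect();
$id = storeComment($db, 42, "O'Reilly <b>bold</b> \"quoted\"");
echo showComment($db, $id), PHP_EOL;
```

Base64-encoding the value before storage, as the original question proposes, would not change anything on the output side: once decoded, the text still has to pass through renderComment() (or an equivalent escaper for the context it lands in) before it reaches the browser.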

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

