On 19 February 2010 16:27, tedd <tedd.sperling@xxxxxxxxx> wrote:
> At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
>>
>> In order to prevent SQL injection, can one simply base64 encode the
>> data and store that? Then it can be decoded when I need to display it
>> on a website. I understand that this means that the data will not be
>> searchable, and that I still must sanitize it before printing it on
>> the site. Are there any other drawbacks or things to be aware of?
>> Thanks.
>>
>> --
>> Dotan Cohen
>
>
> Dotan:
>
> You're a smart guy, why reinvent the wheel? The entire problem set has
> already been solved.
>
> Understand there are two issues here: 1) filtering input into a database; 2)
> escaping output to a browser.
>
> Use mysql_real_escape_string() to filter data before it's stored in a
> database (input).
>

I was under the impression that mysql_real_escape_string() was not a 100%
solution. Is it? Note that I serve my pages as UTF-8 and also declare them
as such in the header and meta tag, but that does not mean that a malicious
entity won't return a request in a different encoding.

> Use htmlentities() to retrieve data from the database to be displayed via a
> browser (output).
>

This I do. I'm not sure if it's enough, so I'd like some reassurance on the
matter. :)

> An excellent book on this (and much more) is Chris Shiflett's Essential PHP
> Security. You can pick it up on Amazon for less than $20 -- well worth the
> cost.
>

They don't ship to Israel! I have looked for it locally, but not found it.
I'm sure that I could "acquire" a copy on some p2p service but I really
don't like doing that. Maybe I could Paypal $20 to Chris himself if that
remains my only option!

Chris, what say you? (CCed)

--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
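As an added example (not from this thread, nor from Shiflett's book), here are the two concerns tedd separates, input to the database and output to the browser, handled so that neither base64 wrapping nor mysql_real_escape_string() is needed: a PDO prepared statement on the input side, which is the modern replacement for the mysql_* functions and does not depend on the connection's character set, and output escaping with the charset stated explicitly on the output side. It uses an in-memory SQLite database so that it runs stand-alone; the comments table, the sample comment and the escapeForHtml() helper are assumptions made for this example.

```php
<?php
// Added example (not from the thread): parameterized input plus escaped output.
// Uses an in-memory SQLite database via PDO so it runs stand-alone; the table
// name, the sample comment and escapeForHtml() are constructed for this example.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed input containing a quote, a SQL comment sequence and markup:
// exactly the kind of value that string-concatenated SQL would mishandle.
$author = "O'Brien";
$body   = "Nice site! <script>alert(1)</script> -- ' OR 1=1";

// Concern 1 (input): a prepared statement sends the SQL text and the values
// separately, so the database never parses the values as SQL. Unlike
// mysql_real_escape_string(), this does not rely on the connection's
// character set matching the data, which is the gap Dotan is worried about.
$insert = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute([':author' => $author, ':body' => $body]);

// The stored data is plain text and therefore still searchable, which a
// base64 wrapper would sacrifice without adding anything the prepared
// statement does not already provide.
$search = $db->prepare('SELECT author, body FROM comments WHERE body LIKE :needle');
$search->execute([':needle' => '%Nice site%']);
$rows = $search->fetchAll(PDO::FETCH_ASSOC);

// Concern 2 (output): escape at the point of rendering, naming the charset
// so it matches the UTF-8 the page is served and declared as.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($rows as $row) {
    printf("<p><b>%s</b>: %s</p>\n", escapeForHtml($row['author']), escapeForHtml($row['body']));
}
```

Two design choices worth noting: htmlspecialchars() is used in place of the htmlentities() tedd mentions, since for a UTF-8 page only the five HTML-significant characters need encoding and the third argument fixes the charset explicitly; and the escaping happens on output only, so the database holds the original text and a later change of templating or charset does not require re-processing stored rows.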