At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
In order to prevent SQL injection, can one simply base64 encode the
data and store that? Then it can be decoded when I need to display it
on a website. I understand that this means that the data will not be
searchable, and that I still must sanitize it before printing it on
the site. Are there any other drawbacks or things to be aware of?

Dotan Cohen


You're a smart guy, why reinvent the wheel? The entire problem set has already been solved.

Understand there are two issues here: 1) filtering input into a database; 2) escaping output to a browser.

Use mysql_real_escape_string() to filter data before it's stored in a database (input).

Use htmlentities() to retrieve data from the database to be displayed via a browser (output).

That way whatever problems that might exist within the data will be rendered harmless.

An excellent book on this (and much more) is Chris Shiflett's Essential PHP Security. You can pick it up on Amazon for less than $20 -- well worth the cost.




PHP General Mailing List (
To unsubscribe, visit:

Reply via email to