On 19 February 2010 16:27, tedd <tedd.sperl...@gmail.com> wrote:
> At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
>> In order to prevent SQL injection, can one simply base64 encode the
>> data and store that? Then it can be decoded when I need to display it
>> on a website. I understand that this means that the data will not be
>> searchable, and that I still must sanitize it before printing it on
>> the site. Are there any other drawbacks or things to be aware of?
>> Thanks.
>> --
>> Dotan Cohen
> Dotan:
> You're a smart guy, why reinvent the wheel? The entire problem set has
> already been solved.
> Understand there are two issues here: 1) filtering input into a database; 2)
> escaping output to a browser.
> Use mysql_real_escape_string() to filter data before it's stored in a
> database (input).

I was under the impression that mysql_real_escape_string() was not a
100% solution. Is it? Note that I serve my pages as UTF-8 and also
declare them as such in the header and meta tag, but that does not
mean that a malicious entity won't return a request in a different

> Use htmlentities() to retrieve data from the database to be displayed via a
> browser (output).

This I do. I'm not sure if it's enough, so I'd like some reassurance
on the matter. :)

> An excellent book on this (and much more) is Chris Shiflett's Essential PHP
> Security. You can pick it up on Amazon for less than $20 -- well worth the
> cost.

They don't ship to Israel! I have looked for it locally, but not found
it. I'm sure that I could "acquire" a copy on some p2p service but I
really don't like doing that. Maybe I could Paypal $20 to Chris
himself if that remains my only option! Chris, what say you? (CCed)

Dotan Cohen
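As an added example, not code from the thread or from either poster: the two sides tedd separates, filtering on the way into the database and escaping on the way out, done with PDO prepared statements and htmlspecialchars(), which also keeps the stored text searchable, unlike a base64 blob. The database name, table, host and credentials are assumed placeholders.

```php
<?php
// Added example, not code from the thread: PDO prepared statements for the
// input side and htmlspecialchars() for the output side. Assumed placeholders:
// database "app", table comments(id, body), host, user and password below.
declare(strict_types=1);

function connect(): PDO
{
    // The connection charset is declared in the DSN so client and server agree
    // on character boundaries; with mysql_real_escape_string() that agreement is
    // what correct escaping depends on, here the value never enters the SQL text.
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: values are sent apart from the statement.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Input: the value travels separately from the query, so quotes, backslashes
// or unusual byte sequences in $body cannot change the statement's structure.
function storeComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// The text is stored as-is, so unlike a base64 blob it stays searchable.
function searchComments(PDO $db, string $needle): array
{
    $stmt = $db->prepare('SELECT id, body FROM comments WHERE body LIKE :pat');
    // LIKE wildcards are data too; escape them before binding the pattern.
    $pattern = '%' . addcslashes($needle, '%_\\') . '%';
    $stmt->execute([':pat' => $pattern]);
    return $stmt->fetchAll();
}

// Output: HTML escaping is applied at render time, in the page's charset.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$db = connect();
storeComment($db, "O'Brien wrote <b>hi</b> & left");
foreach (searchComments($db, "O'Brien") as $row) {
    echo renderComment($row['body']), PHP_EOL;
}
```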


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
