Re: [PHP] Using base64 encode and decode to store user data in database
On Fri, 2010-02-19 at 15:18 +0200, Dotan Cohen wrote:
> In order to prevent SQL injection, can one simply base64 encode the data
> and store that? Then it can be decoded when I need to display it on a
> website. I understand that this means that the data will not be
> searchable, and that I still must sanitize it before printing it on the
> site. Are there any other drawbacks or things to be aware of?
>
> Thanks.
>
> --
> Dotan Cohen
> http://what-is-what.com
> http://gibberish.co.il
>
> Please CC me if you want to be sure that I read your message. I do not
> read all list mail.

I assume this would work. I always use mysql_real_escape_string(), although that would predetermine your choice of database. That would allow your content to be searchable though.

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Using base64 encode and decode to store user data in database
At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
> In order to prevent SQL injection, can one simply base64 encode the data
> and store that? Then it can be decoded when I need to display it on a
> website. I understand that this means that the data will not be
> searchable, and that I still must sanitize it before printing it on the
> site. Are there any other drawbacks or things to be aware of?
>
> Thanks.
>
> --
> Dotan Cohen

Dotan:

You're a smart guy, why reinvent the wheel? The entire problem set has already been solved.

Understand there are two issues here:

1) filtering input into a database;
2) escaping output to a browser.

Use mysql_real_escape_string() to filter data before it's stored in a database (input).

Use htmlentities() to retrieve data from the database to be displayed via a browser (output).

That way whatever problems might exist within the data will be rendered harmless.

An excellent book on this (and much more) is Chris Shiflett's Essential PHP Security. You can pick it up on Amazon for less than $20 -- well worth the cost.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using base64 encode and decode to store user data in database
On Fri, Feb 19, 2010 at 8:18 AM, Dotan Cohen dotanco...@gmail.com wrote:
> In order to prevent SQL injection, can one simply base64 encode the data
> and store that? Then it can be decoded when I need to display it on a
> website. I understand that this means that the data will not be
> searchable, and that I still must sanitize it before printing it on the
> site. Are there any other drawbacks or things to be aware of?
>
> Thanks.
>
> --
> Dotan Cohen

One would be storage space, as base64 requires more space to store the same data. For a single data element that might not be much, but when multiplied over all the values stored in your table it makes a difference.

Also, don't forget to validate/filter non-character data, which you can't do with base64. Something like this is still vulnerable to SQL injection even though it 'sanitizes' the expected character input:

<?php
// user_id expects an integer value, but nothing checks that it is one
$user_id = $_POST['user_id'];
$comment = base64_encode($_POST['comment']);
$sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id, '$comment')";
?>

Andrew
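The following is an added example for this thread, not code posted by tedd, Andrew or anyone else on the list. It puts tedd's two issues (filter input, escape output) and Andrew's point (base64 on the comment does nothing for the integer slot) side by side in one runnable script. Instead of mysql_real_escape_string(), which was removed along with the rest of the mysql_* extension in PHP 7, it binds values as PDO parameters; the script assumes a PHP CLI with the pdo_sqlite extension, and the comments table, the stand-in $post array and the values in it are constructed for the demo.

```php
<?php
// Added example for this thread, not code posted by any participant. It
// assumes a PHP CLI with the pdo_sqlite extension; the comments table, the
// stand-in $post array and the values in it are constructed for the demo.
declare(strict_types=1);

// Andrew's vulnerable pattern: base64 covers the comment, but user_id is
// concatenated into the SQL text unchanged, so any non-integer input becomes
// part of the statement.
function buildVulnerableSql(array $post): string
{
    $user_id = $post['user_id'];
    $comment = base64_encode($post['comment']);
    return "INSERT INTO `comments` (user_id, comment) VALUES ($user_id, '$comment')";
}

// Hardened version: validate the integer slot, bind both values as
// parameters, and store the comment as plain text so it stays searchable.
function storeComment(PDO $db, array $post): int
{
    $user_id = filter_var($post['user_id'] ?? '', FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
    if ($user_id === false) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    $stmt = $db->prepare('INSERT INTO comments (user_id, comment) VALUES (:uid, :body)');
    $stmt->bindValue(':uid', $user_id, PDO::PARAM_INT);
    $stmt->bindValue(':body', (string) ($post['comment'] ?? ''), PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Output side (tedd's second issue): escape at render time, not at storage time.
function renderComment(string $comment): string
{
    return '<p>' . htmlentities($comment, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, comment TEXT NOT NULL)');

// Constructed request: user_id is not an integer and the comment carries markup.
$post = [
    'user_id' => '42 OR 1=1',
    'comment' => "Nice post <script>alert('x')</script>",
];

// The string builder emits the tampered user_id inside the statement verbatim.
echo "vulnerable: ", buildVulnerableSql($post), "\n";

// The hardened path refuses the request before any SQL is built.
try {
    storeComment($db, $post);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// With a well-formed user_id the comment is stored as typed; the markup is
// neutralised only when it is rendered.
$id = storeComment($db, ['user_id' => '42', 'comment' => $post['comment']]);
$stmt = $db->prepare('SELECT comment FROM comments WHERE id = :id');
$stmt->execute([':id' => $id]);
echo "rendered: ", renderComment((string) $stmt->fetchColumn()), "\n";

// Unlike a base64 column, the stored text can still be searched.
$stmt = $db->prepare('SELECT COUNT(*) FROM comments WHERE comment LIKE :needle');
$stmt->execute([':needle' => '%Nice post%']);
echo "matches: ", $stmt->fetchColumn(), "\n";
```

Run it with `php example.php`. The first line shows why Andrew's snippet is still injectable: the tampered user_id lands inside the statement untouched, whatever was done to the comment. The hardened path rejects that request outright, stores the well-formed one through bound parameters, and applies htmlentities() only when the comment is sent to the browser, which keeps the column searchable with an ordinary LIKE.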
Re: [PHP] Using base64 encode and decode to store user data in database
On 19 February 2010 16:27, tedd tedd.sperl...@gmail.com wrote:
> At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
>> In order to prevent SQL injection, can one simply base64 encode the data
>> and store that? Then it can be decoded when I need to display it on a
>> website. I understand that this means that the data will not be
>> searchable, and that I still must sanitize it before printing it on the
>> site. Are there any other drawbacks or things to be aware of?
>>
>> Thanks.
>>
>> --
>> Dotan Cohen
>
> Dotan:
>
> You're a smart guy, why reinvent the wheel? The entire problem set has
> already been solved.
>
> Understand there are two issues here:
>
> 1) filtering input into a database;
> 2) escaping output to a browser.
>
> Use mysql_real_escape_string() to filter data before it's stored in a
> database (input).

I was under the impression that mysql_real_escape_string() was not a 100% solution. Is it? Note that I serve my pages as UTF-8 and also declare them as such in the header and meta tag, but that does not mean that a malicious entity won't return a request in a different encoding.

> Use htmlentities() to retrieve data from the database to be displayed via
> a browser (output).

This I do. I'm not sure if it's enough, so I'd like some reassurance on the matter. :)

> An excellent book on this (and much more) is Chris Shiflett's Essential
> PHP Security. You can pick it up on Amazon for less than $20 -- well
> worth the cost.

They don't ship to Israel! I have looked for it locally, but not found it. I'm sure that I could acquire a copy on some p2p service but I really don't like doing that. Maybe I could Paypal $20 to Chris himself if that remains my only option! Chris, what say you? (CCed)

--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
Re: [PHP] Using base64 encode and decode to store user data in database
> One would be storage space, as base64 requires more space to store the
> same data. For a single data element that might not be much, but when
> multiplied over all the values stored in your table it makes a
> difference.

That is a good point, thanks.

> Also, don't forget to validate/filter non-character data, which you
> can't do with base64. Something like this is still vulnerable to SQL
> injection even though it 'sanitizes' the expected character input:
>
> <?php
> // user_id expects an integer value, but nothing checks that it is one
> $user_id = $_POST['user_id'];
> $comment = base64_encode($_POST['comment']);
> $sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id, '$comment')";
> ?>

I see what you mean. In fact, userIDs are stored, and indeed I ensure that they are integers!

--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not read all list mail.
Re: [PHP] Using base64 encode and decode to store user data in database
On Fri, Feb 19, 2010 at 05:43:15PM +0200, Dotan Cohen wrote:

> <snip>
>
> They don't ship to Israel! I have looked for it locally, but not found
> it. I'm sure that I could acquire a copy on some p2p service but I
> really don't like doing that. Maybe I could Paypal $20 to Chris himself
> if that remains my only option! Chris, what say you? (CCed)

Wow, that sucks! This is an O'Reilly book. Perhaps they would ship to Israel?

Paul

--
Paul M. Foster
Re: [PHP] Using base64 encode and decode to store user data in database
On Fri, 2010-02-19 at 11:45 -0500, Paul M Foster wrote:
> On Fri, Feb 19, 2010 at 05:43:15PM +0200, Dotan Cohen wrote:
>> They don't ship to Israel! I have looked for it locally, but not found
>> it. I'm sure that I could acquire a copy on some p2p service but I
>> really don't like doing that. Maybe I could Paypal $20 to Chris himself
>> if that remains my only option! Chris, what say you? (CCed)

Another idea: There are forwarding services for sale, e.g. on eBay. Order the book and have it sent to an address in the USA, and this service forwards it to you anywhere.

Yet another idea: There are file sharing services e.g. rapidshare.com which might serve the book. I thought this was legal since premium users pay for the service?

Teus.
Re: [PHP] Using base64 encode and decode to store user data in database
At 5:43 PM +0200 2/19/10, Dotan Cohen wrote:
> On 19 February 2010 16:27, tedd tedd.sperl...@gmail.com wrote:
>> An excellent book on this (and much more) is Chris Shiflett's Essential
>> PHP Security. You can pick it up on Amazon for less than $20 -- well
>> worth the cost.
>
> They don't ship to Israel! I have looked for it locally, but not found
> it. I'm sure that I could acquire a copy on some p2p service but I
> really don't like doing that. Maybe I could Paypal $20 to Chris himself
> if that remains my only option! Chris, what say you? (CCed)
>
> --
> Dotan Cohen

Dotan:

What about eBook ($23.99)?

http://oreilly.com/catalog/9780596006563

If you can get this, you can get that.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] Using base64 encode and decode to store user data in database
> What about eBook ($23.99)?
>
> http://oreilly.com/catalog/9780596006563
>
> If you can get this, you can get that.

That may be a good idea. Certainly better than the pirate bay.

--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not read all list mail.