Using base64 encode and decode to store user data in database

on 19.02.2010 14:18:10 by Dotan Cohen

In order to prevent SQL injection, can one simply base64 encode the
data and store that? Then it can be decoded when I need to display it
on a website. I understand that this means that the data will not be
searchable, and that I still must sanitize it before printing it on
the site. Are there any other drawbacks or things to be aware of?
Thanks.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Using base64 encode and decode to store user data in database

on 19.02.2010 14:23:36 by Ashley Sheridan


On Fri, 2010-02-19 at 15:18 +0200, Dotan Cohen wrote:

> In order to prevent SQL injection, can one simply base64 encode the
> data and store that? Then it can be decoded when I need to display it
> on a website. I understand that this means that the data will not be
> searchable, and that I still must sanitize it before printing it on
> the site. Are there any other drawbacks or things to be aware of?
> Thanks.
>
> --
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
>
> Please CC me if you want to be sure that I read your message. I do not
> read all list mail.
>


I assume this would work. I always use mysql_real_escape_string(),
although that would predetermine your choice of database. That would
allow your content to be searchable though.


Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: Using base64 encode and decode to store user data in database

on 19.02.2010 15:27:56 by TedD

At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
>In order to prevent SQL injection, can one simply base64 encode the
>data and store that? Then it can be decoded when I need to display it
>on a website. I understand that this means that the data will not be
>searchable, and that I still must sanitize it before printing it on
>the site. Are there any other drawbacks or things to be aware of?
>Thanks.
>
>--
>Dotan Cohen


Dotan:

You're a smart guy, why reinvent the wheel? The entire problem set
has already been solved.

Understand there are two issues here: 1) filtering input into a
database; 2) escaping output to a browser.

Use mysql_real_escape_string() to filter data before it's stored in a
database (input).

Use htmlentities() to retrieve data from the database to be displayed
via a browser (output).

That way whatever problems might exist within the data will be
rendered harmless.

An excellent book on this (and much more) is Chris Shiflett's
Essential PHP Security. You can pick it up on Amazon for less than
$20 -- well worth the cost.

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com


Re: Using base64 encode and decode to store user data in database

on 19.02.2010 16:20:14 by Andrew Ballard

On Fri, Feb 19, 2010 at 8:18 AM, Dotan Cohen wrote:
> In order to prevent SQL injection, can one simply base64 encode the
> data and store that? Then it can be decoded when I need to display it
> on a website. I understand that this means that the data will not be
> searchable, and that I still must sanitize it before printing it on
> the site. Are there any other drawbacks or things to be aware of?
> Thanks.
>
> --
> Dotan Cohen
>

One would be storage space, as base64 requires more space to store the
same data. For a single data element that might not be much, but when
multiplied over all the values stored in your table it makes a
difference.

Also, don't forget to validate/filter non-character data, which you
can't do with base64. Something like this is still vulnerable to SQL
injection even though it 'sanitizes' the expected character input:

<?php
// user_id expects an integer value, but nothing checks that it is one
$user_id = $_POST['user_id'];

// only the comment column is "protected" by the encoding
$comment = base64_encode($_POST['comment']);

// user_id is interpolated raw, so the statement can still be altered
$sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id, '$comment')";
?>



Andrew

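The following is an added example, not code from the thread or from any of its participants. It puts the base64 snippet from Andrew's message beside a hardened version and walks through tedd's two steps (filter on the way into the database, escape on the way out to the browser). Assumed: PDO with the pdo_sqlite driver and an in-memory database so it runs stand-alone; the table `comments` with columns user_id and comment is taken from the thread; the sample request, the schema's id column and every function name are mine.

```php
<?php
// Added example, not code from the thread. Assumed: PDO with pdo_sqlite and an
// in-memory database; table `comments` (user_id, comment) is from the thread,
// the id column, the sample request and all function names are constructed.
declare(strict_types=1);

// Constructed sample request: the comment is ordinary text, but the user_id
// field, which the schema expects to be an integer, is not one.
$post = [
    'user_id' => '1); --',
    'comment' => "Nice post! It's <b>great</b>.",
];

// 1) The approach discussed in the thread: base64 the comment and interpolate
//    both values. Only the comment column is covered; user_id goes in raw.
function buildNaiveSql(array $post): string
{
    $user_id = $post['user_id'];                 // never validated
    $comment = base64_encode($post['comment']);  // cannot contain a quote, so looks "safe"
    return "INSERT INTO `comments` (user_id, comment) VALUES ($user_id, '$comment')";
}

// 2) Hardened input path: validate the non-character field by type and let the
//    driver bind every value, so the text needs neither escaping nor encoding
//    and stays searchable.
function insertComment(PDO $db, array $post): int
{
    $user_id = filter_var($post['user_id'] ?? null, FILTER_VALIDATE_INT);
    if ($user_id === false || $user_id < 1) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    $stmt = $db->prepare('INSERT INTO comments (user_id, comment) VALUES (:user_id, :comment)');
    $stmt->bindValue(':user_id', $user_id, PDO::PARAM_INT);
    $stmt->bindValue(':comment', (string) ($post['comment'] ?? ''), PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// 3) Output path: escape at the point where the stored text meets the browser.
function renderComment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Count comments whose text contains $needle. Works because the text is stored
// as-is. The needle is a constant here; a user-supplied needle would also need
// its LIKE wildcards (% and _) escaped before being wrapped in %...%.
function countMatching(PDO $db, string $needle): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM comments WHERE comment LIKE :pattern');
    $stmt->bindValue(':pattern', '%' . $needle . '%', PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, comment TEXT NOT NULL)');

// The naive string is only shown, not executed: the closing parenthesis and
// comment marker from the user_id field have changed the statement's shape.
echo 'Naive SQL: ', buildNaiveSql($post), "\n";

// The hardened path refuses the same request at the type check ...
try {
    insertComment($db, $post);
} catch (InvalidArgumentException $e) {
    echo 'Rejected:  ', $e->getMessage(), "\n";
}

// ... and accepts a well-formed one; the text is stored unencoded and searchable.
$id = insertComment($db, ['user_id' => '42', 'comment' => $post['comment']]);
echo 'Stored row ', $id, ', comments matching "great": ', countMatching($db, 'great'), "\n";

$stmt = $db->prepare('SELECT comment FROM comments WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
echo 'Rendered:  ', renderComment((string) $stmt->fetchColumn()), "\n";
```

Two notes on the design. Binding parameters separates the data from the statement text, so there is nothing to escape and no drawback in storage size or searchability; against MySQL, setting `PDO::ATTR_EMULATE_PREPARES` to false makes the server do the binding, which also sidesteps the connection-charset worry raised later in this thread about client-side escaping. The `mysql_` functions mentioned in the thread, including `mysql_real_escape_string()`, were removed in PHP 7, so PDO or mysqli is what a current code base would use for this anyway.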

Re: Using base64 encode and decode to store user data in database

on 19.02.2010 16:43:15 by Dotan Cohen

On 19 February 2010 16:27, tedd wrote:
> At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
>>
>> In order to prevent SQL injection, can one simply base64 encode the
>> data and store that? Then it can be decoded when I need to display it
>> on a website. I understand that this means that the data will not be
>> searchable, and that I still must sanitize it before printing it on
>> the site. Are there any other drawbacks or things to be aware of?
>> Thanks.
>>
>> --
>> Dotan Cohen
>
>
> Dotan:
>
> You're a smart guy, why reinvent the wheel? The entire problem set has
> already been solved.
>
> Understand there are two issues here: 1) filtering input into a database; 2)
> escaping output to a browser.
>
> Use mysql_real_escape_string() to filter data before it's stored in a
> database (input).
>

I was under the impression that mysql_real_escape_string() was not a
100% solution. Is it? Note that I serve my pages as UTF-8 and also
declare them as such in the header and meta tag, but that does not
mean that a malicious entity won't return a request in a different
encoding.


> Use htmlentities() to retrieve data from the database to be displayed via a
> browser (output).
>

This I do. I'm not sure if it's enough, so I'd like some reassurance
on the matter. :)


> An excellent book on this (and much more) is Chris Shiflett's Essential PHP
> Security. You can pick it up on Amazon for less than $20 -- well worth the
> cost.
>

They don't ship to Israel! I have looked for it locally, but not found
it. I'm sure that I could "acquire" a copy on some p2p service but I
really don't like doing that. Maybe I could Paypal $20 to Chris
himself if that remains my only option! Chris, what say you? (CCed)


--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il


Re: Using base64 encode and decode to store user data in database

on 19.02.2010 16:45:53 by Dotan Cohen

> One would be storage space, as base64 requires more space to store the
> same data. For a single data element that might not be much, but when
> multiplied over all the values stored in your table it makes a
> difference.
>

That is a good point, thanks.


> Also, don't forget to validate/filter non-character data, which you
> can't do with base64. Something like this is still vulnerable to SQL
> injection even though it 'sanitizes' the expected character input:
>
> // user_id expects an integer value
> $user_id = $_POST['user_id'];
>
> $comment = base64_encode($_POST['comment']);
>
>
> $sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id,
> '$comment')";
>
> ?>

I see what you mean. In fact, userIDs are stored, and indeed I ensure
that they are integers!


--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.


Re: Using base64 encode and decode to store user data in database

on 19.02.2010 17:45:25 by Paul M Foster

On Fri, Feb 19, 2010 at 05:43:15PM +0200, Dotan Cohen wrote:

>
> They don't ship to Israel! I have looked for it locally, but not found
> it. I'm sure that I could "acquire" a copy on some p2p service but I
> really don't like doing that. Maybe I could Paypal $20 to Chris
> himself if that remains my only option! Chris, what say you? (CCed)

Wow, that sucks! This is an O'Reilly book. Perhaps they would ship to
Israel?

Paul

--
Paul M. Foster


Re: Using base64 encode and decode to store user data in database

on 19.02.2010 17:56:14 by Teus Benschop

On Fri, 2010-02-19 at 11:45 -0500, Paul M Foster wrote:
> On Fri, Feb 19, 2010 at 05:43:15PM +0200, Dotan Cohen wrote:
> > They don't ship to Israel! I have looked for it locally, but not found
> > it. I'm sure that I could "acquire" a copy on some p2p service but I
> > really don't like doing that. Maybe I could Paypal $20 to Chris
> > himself if that remains my only option! Chris, what say you? (CCed)

Another idea: There are forwarding services for sale, e.g. on eBay.
Order the book and have it sent to an address in the USA, and this
service forwards it to you anywhere.
Yet another idea: There are file sharing services, e.g. rapidshare.com,
which might serve the book. I thought this was legal since premium users
pay for the service?

Teus.



Re: Using base64 encode and decode to store user data in database

on 19.02.2010 18:14:54 by TedD

At 5:43 PM +0200 2/19/10, Dotan Cohen wrote:
>On 19 February 2010 16:27, tedd wrote:
>> An excellent book on this (and much more) is Chris Shiflett's Essential PHP
>> Security. You can pick it up on Amazon for less than $20 -- well worth the
>> cost.
>>
>
>They don't ship to Israel! I have looked for it locally, but not found
>it. I'm sure that I could "acquire" a copy on some p2p service but I
>really don't like doing that. Maybe I could Paypal $20 to Chris
>himself if that remains my only option! Chris, what say you? (CCed)
>
>
>--
>Dotan Cohen


Dotan:

What about eBook ($23.99)?

http://oreilly.com/catalog/9780596006563

If you can get this, you can get that.

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com


Re: Using base64 encode and decode to store user data in database

on 19.02.2010 18:57:03 by Dotan Cohen

> What about eBook ($23.99)?
>
> http://oreilly.com/catalog/9780596006563
>
> If you can get this, you can get that.
>

That may be a good idea. Certainly better than the pirate bay.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.
