WebApp Sec mailing list archives
Re: PHP for preventing SQL injections?
From: "Sverre H. Huseby" <shh () thathost com>
Date: Mon, 22 Sep 2003 20:01:34 +0200
[Ulf Harnhammar]
| That's an interesting idea! [...]
|
| PHP has built-in base64_encode() and base64_decode() functions.

I don't see what you win. Instead of having to remember to call e.g. sqlStringEscape, you have to remember to call base64_encode. Why is it easier to remember to use an artificial encoding rather than using "the real thing"?

In addition you will now have to remember to decode everything you read from the database, and you will also have a hard time accessing the database using tools other than the web application. And of course, the field size requirements of the application increase.

If you use Base64, I even think it will be impossible to create working LIKE clauses, as the bits from a single original character may or may not be split in two depending on the position the character has in the sequence. Even sorting won't work as expected: "aaa" encodes to "YWFh", while "aaz" ( > "aaa") encodes to "YWF6" ( < "YWFh").

But most of these aside, the main thing is that I don't understand why encoding everything is better than escaping just the SQL meta-characters. What am I missing?

Sverre.

-- 
shh () thathost com
http://shh.thathost.com/
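The sorting and LIKE problems Sverre describes can be reproduced directly. The following is an added example, not code from the thread or from PHP: it stores the same constructed sample values twice in an in-memory SQLite database, once as plain text inserted through bound parameters and once Base64-encoded, and then compares ORDER BY and LIKE results on the two tables. The table and function names are the example's own.

```python
import base64
import sqlite3

# Constructed sample values (not from the original thread). "aaa" and "aaz"
# are the pair from the post; "O'Brien" carries an SQL meta-character.
SAMPLE_NAMES = ["aaz", "aaa", "O'Brien", "baa"]


def encode(value: str) -> str:
    """Base64 as text, the way the proposed scheme would store it."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode(value: str) -> str:
    return base64.b64decode(value.encode("ascii")).decode("utf-8")


def build_db() -> sqlite3.Connection:
    """In-memory DB with the same rows stored plain and Base64-encoded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plain (name TEXT)")
    conn.execute("CREATE TABLE b64 (name TEXT)")
    for name in SAMPLE_NAMES:
        # Bound parameters keep data out of the SQL text, so the apostrophe
        # in O'Brien needs neither escaping nor encoding.
        conn.execute("INSERT INTO plain (name) VALUES (?)", (name,))
        conn.execute("INSERT INTO b64 (name) VALUES (?)", (encode(name),))
    conn.commit()
    return conn


def sorted_plain(conn: sqlite3.Connection) -> list[str]:
    """ORDER BY on the plain column: byte-wise order of the real values."""
    rows = conn.execute("SELECT name FROM plain ORDER BY name")
    return [row[0] for row in rows]


def sorted_b64(conn: sqlite3.Connection) -> list[str]:
    """ORDER BY on the encoded column, decoded afterwards for comparison.

    The database sorts the Base64 text, not the original strings, so
    "aaz" (YWF6) lands before "aaa" (YWFh) exactly as the post predicts.
    """
    rows = conn.execute("SELECT name FROM b64 ORDER BY name")
    return [decode(row[0]) for row in rows]


def like_plain(conn: sqlite3.Connection, fragment: str) -> list[str]:
    """Substring search with the user fragment bound as a parameter.

    The '%' wildcards are concatenated inside SQL; the fragment itself is
    never part of the statement text.
    """
    rows = conn.execute(
        "SELECT name FROM plain WHERE name LIKE '%' || ? || '%'", (fragment,)
    )
    return sorted(row[0] for row in rows)


def like_b64(conn: sqlite3.Connection, fragment: str) -> list[str]:
    """The same search against the encoded column.

    Encoding the fragment does not help: Base64 groups input in 3-byte
    blocks, so the encoding of "aa" (YWE=) is not a substring of the
    encoding of "aaa" (YWFh) or "baa" (YmFh).
    """
    rows = conn.execute(
        "SELECT name FROM b64 WHERE name LIKE '%' || ? || '%'", (encode(fragment),)
    )
    return sorted(decode(row[0]) for row in rows)


if __name__ == "__main__":
    db = build_db()
    print("plain ORDER BY :", sorted_plain(db))
    print("b64   ORDER BY :", sorted_b64(db))
    print("plain LIKE 'aa':", like_plain(db, "aa"))
    print("b64   LIKE 'aa':", like_b64(db, "aa"))
    print("plain LIKE \"'\":", like_plain(db, "'"))
```

Running it shows the plain table sorting and matching as expected while the Base64 table sorts "aaz" ahead of "aaa" and finds nothing for a substring search, and the apostrophe search on the plain table returns "O'Brien" without any escaping code in the application. The bound-parameter approach is what removes the need to "remember" an escape or encode call at every query site.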
Current thread:
- PHP for preventing SQL injections? Ulf Harnhammar (Sep 17)
- <Possible follow-ups>
- Re: PHP for preventing SQL injections? b0iler _ (Sep 21)
- Re: PHP for preventing SQL injections? Ulf Harnhammar (Sep 22)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 22)
- Re: PHP for preventing SQL injections? David Cameron (Sep 23)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 22)
- Re: PHP for preventing SQL injections? Ulf Harnhammar (Sep 23)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 23)