I’ve been using base64_encode to preserve html from a <textarea> form and storing the data in the database. Upon retrieval base64_decode is used and the data is put into the textarea. Is this safe to do without using mysql_real_escape_string()?
I do use mysql_real_escape_string when retrieving the $_GET parameter for the template id.
templates.php?id=4
However, using base64 to preserve the HTML also preserves any malicious SQL code one might add in the textarea. I have not had any problems, so far.
Is this bad practice to use base64 instead of mysql_real_escape_string()?
“Wrong tool for the job”?
Note: I use htmlspecialchars($text, ENT_QUOTES); for xss.
Technically, base64_encode will never output anything that can be used for SQL injection. Insofar, it’s safe.

However, I would make it a habit to always SQL escape any parameters used in any query or to always use parameterized queries to begin with (really, go with the times!). It’s simpler, it’s straightforward, it won’t open you to problems later when you change your code around.
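The two points of the answer, as an added example that is not part of the question or the answer above: first, that base64 output is limited to an alphabet that carries no quote or comment characters into a query, and second, that a parameterized query lets you store the raw textarea HTML (including text that looks like SQL) without base64 or mysql_real_escape_string at all. It uses PDO with an in-memory SQLite database so it runs offline; the DSN, the templates table and its columns are assumptions you would replace with your own MySQL schema.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: PDO is available, a table `templates` with columns
// `id` and `html` (constructed here), in-memory SQLite instead of MySQL.

// Point 1 from the answer: base64 output only ever contains [A-Za-z0-9+/=],
// so a quote, a semicolon or a comment marker cannot survive encoding.
function base64IsSqlInert(string $input): bool
{
    return preg_match('/^[A-Za-z0-9+\/=]*$/', base64_encode($input)) === 1;
}

// Point 2 from the answer: bind the values, never concatenate them.
function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE templates (id INTEGER PRIMARY KEY AUTOINCREMENT, html TEXT NOT NULL)');
    return $pdo;
}

function saveTemplate(PDO $pdo, string $html): int
{
    $stmt = $pdo->prepare('INSERT INTO templates (html) VALUES (:html)');
    $stmt->execute([':html' => $html]); // raw HTML stored as-is; the driver keeps it out of the SQL text
    return (int) $pdo->lastInsertId();
}

function loadTemplate(PDO $pdo, int $id): ?string
{
    // $id is what you would take from $_GET['id'] on templates.php?id=4:
    // cast to int and bound as an integer parameter, so no escaping is needed.
    $stmt = $pdo->prepare('SELECT html FROM templates WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $html = $stmt->fetchColumn();
    return $html === false ? null : $html;
}

// Constructed sample: textarea content that also contains SQL-looking text.
$submitted = "<p>Hello</p> '; DROP TABLE templates; -- <b>bold</b>";

var_dump(base64IsSqlInert($submitted)); // bool(true): encoding strips nothing, it just has no dangerous characters

$pdo  = openDb();
$id   = saveTemplate($pdo, $submitted);
$html = loadTemplate($pdo, $id);

// Stored and returned byte-for-byte; the "SQL" inside it was only ever data.
var_dump($html === $submitted); // bool(true)

// The table is still there, i.e. the embedded DROP TABLE never ran as SQL.
var_dump((int) $pdo->query('SELECT COUNT(*) FROM templates')->fetchColumn()); // int(1)

// On output, escape for HTML (the question already does this for XSS).
echo '<textarea name="html">' . htmlspecialchars($html, ENT_QUOTES, 'UTF-8') . '</textarea>', PHP_EOL;
```

The integer cast on the id and the PDO::PARAM_INT binding are the replacement for the mysql_real_escape_string call on the $_GET parameter; escaping is a property of the query, so once every value travels as a bound parameter there is nothing left for base64 to protect.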