I used base64_encode to save the HTML from the form <textarea> and store the data in the database. When retrieving, base64_decode is used and the data is placed in a text field. Is it safe to do this without using mysql_real_escape_string()?
I use mysql_real_escape_string when extracting a $_GET template parameter id.
templates.php?id=4
However, using base64 to save html also saves any malicious sql code that can be added to the text box. So far I have not had any problems.
Is it bad practice to use base64 instead of mysql_real_escape_string()?
"Wrong tool for the job"?
Note: I use htmlspecialchars($text, ENT_QUOTES); for XSS.
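An added example, not part of the original post: it puts the base64 approach described in the question next to a bound-parameter query for the same textarea content and the same `id` lookup. It assumes PDO with an in-memory SQLite database in place of the poster's MySQL setup; the table name, column names and sample input are constructed for illustration.

```php
<?php
// Added example. Assumptions: PDO + in-memory SQLite stand in for the
// poster's MySQL database; table/column names and input are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE templates (id INTEGER PRIMARY KEY, html TEXT)');

// Constructed textarea content containing quotes and SQL metacharacters.
$html = "<p class=\"x\">it's a test'); DROP TABLE templates; --</p>";

// 1) The approach from the question. Base64 output is limited to
//    A-Z a-z 0-9 + / =, so it cannot close a quoted SQL string literal.
//    The cost: about one third more storage, and the column can no longer
//    be searched or inspected with SQL.
$encoded = base64_encode($html);
$onlySafeChars = preg_match('/^[A-Za-z0-9+\/=]*$/', $encoded) === 1;
printf("base64 alphabet only: %s, %d -> %d bytes\n",
    var_export($onlySafeChars, true), strlen($html), strlen($encoded));

// 2) Bound parameters. The value travels separately from the SQL text,
//    so it is stored byte-for-byte with no encoding or escaping step.
$insert = $pdo->prepare('INSERT INTO templates (html) VALUES (:html)');
$insert->execute([':html' => $html]);
$newId = (int) $pdo->lastInsertId();

// The id from templates.php?id=... gets the same treatment:
// validate it as an integer, then bind it.
$rawId = (string) $newId;              // stands in for $_GET['id']
$tplId = filter_var($rawId, FILTER_VALIDATE_INT);
if ($tplId === false) {
    exit("invalid id\n");
}
$select = $pdo->prepare('SELECT html FROM templates WHERE id = :id');
$select->execute([':id' => $tplId]);
$stored = $select->fetchColumn();

printf("round trip intact: %s\n", var_export($stored === $html, true));

// Output encoding is a separate concern from SQL handling: escape at the
// point the value is placed into HTML, as the post already does.
echo '<textarea>' . htmlspecialchars($stored, ENT_QUOTES) . '</textarea>', "\n";
```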