Can we use encryption (like base64 and...) instead of using real_escape_string for GET and POST data?
I know that it will slow the application down but how about the security?
Both options are equally useless and error-prone.
If your intention is performing client-side encryption as a means to protect communication client to application communication, you may find HTTPS / SSL encryption is a preferable alternative to doing it yourself. Hand-rolling encryption and decryption introduces another element of design complexity to your application's communication, which may be easy to circumvent depending on how it is designed.
EDIT: Encrypting data does not negate the risk of injection attacks as you will need to decode it on the application server. A clever assailant could simply piggyback your encryption method prior to transmission, injecting any payload they please.
Firstly, base 64 has nothing to do with encryption: it's an encoding mechanism, which allows for arbitrary binary data to be encoded as text, and decoded back when necessary.
Secondly, use prepared statements (or at least an API with bound parameters), not *_real_escape_string.
Anyone can base64-encode their own bad injections with base64, so it's not at all a good idea. Also, it's fairly easy to reverse engineer a custom salt for b64-encoded data, so no.
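As an added example (not code from the question or any of the answers above), this PHP script shows the point the last two answers make: a base64-decoded parameter concatenated into SQL is injectable exactly like the raw one, while the same decoded value bound through a prepared statement is not. It assumes PDO with the sqlite driver is available; the table, rows and request value are constructed for the demo and stand in for a real MySQL backend.

```php
<?php
// Constructed stand-in for the real database: an in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed request value: the sender base64-encodes the same injection
// string that a plain GET/POST parameter would carry. Encoding changes the
// transport representation only; the decoded bytes are identical.
$encodedParam = base64_encode("' OR '1'='1");

// Decode what the client sent. Strict mode rejects malformed base64 so a
// broken value cannot silently become an empty string.
function decodeParam(string $encoded): string
{
    $decoded = base64_decode($encoded, true);
    if ($decoded === false) {
        throw new InvalidArgumentException('parameter is not valid base64');
    }
    return $decoded;
}

// Vulnerable: after decoding, the value is spliced into the SQL text, so the
// quote in it closes the literal and the rest is parsed as SQL. This is the
// situation the question's "encrypt instead of escape" idea leaves you in.
function lookupConcatenated(PDO $db, string $encoded): array
{
    $name = decodeParam($encoded);
    $sql  = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the same decoded value is passed as a bound parameter. The SQL text
// is fixed before the value is supplied, so the value can only ever be data
// compared against the name column, never part of the statement.
function lookupPrepared(PDO $db, string $encoded): array
{
    $name = decodeParam($encoded);
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookupConcatenated($db, $encodedParam));
var_dump(lookupPrepared($db, $encodedParam));
```

Run with the PHP CLI: the concatenated lookup returns every row in the table because the decoded value rewrote the WHERE clause, while the prepared lookup returns no rows because no user is literally named `' OR '1'='1`.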