No, don't use base64 encoding as a way to close SQL Injection vulnerabilities. Firstly, SQL Injection is not a problem that needs to be solved; it's been solved already.
It was already solved in the earliest releases of commercial relational databases (e.g. DB2, Oracle, Sybase) All of those provided interfaces that supported prepared statements using placeholders for bind values.
And MySQL has provided the "real escape string" function since aleast since at least version 3.x, fifteen years ago (back in 2000.)
The real problem is developers ignoring SQL injection vulnerabilities in the code they write. When these vulnerabilities are pointed out, the most common response seems to be "Oh, this code is just for learning. I don't need to be concerned with that right now." And they learn by crafting code that is vulnerable, and they adopt these bad coding practices. They share their newly gained know-how, and examples of bad coding practices proliferate, and new programmers learn from those bad examples, and adopt the same bad coding practices.
The best practice to avoid SQL Injection vulnerabilities is to use prepared statements with bind values. That does EXACTLY what you propose in your question, separating the static SQL text which is known to be "safe", from the potentially "unsafe" values supplied. That's the right way to write the code.
(This discussion doesn't address the issue of inserting potentially unsafe values into the database, and how bad code retrieves those values and handles them as if they were "safe", rather than handling them as if they were potentially "unsafe".)
You'd be quite right to point out that earlier versions of MySQL didn't support real "server side" prepared statements; the client library emulated support for prepared statements. The client library accepted the prepared statements and the bind values, and bundled those together into SQL text it sent to the server, but at least the framework was there in the interface. The MySQL client library took care of "escaping" the bind values to make them safe for inclusion in the SQL text, but that responsibility was handled by the client library, not by the caller.)
Some MySQL interfaces (in particular, the deprecated and ever popular PHP mysql interface) does not provide support for prepared statements and bind variables. But it does provide the next best thing, access to the mysql_real_escape_string
function. The documentation explains that this function should be used, but you wouldn't know it's use was at all important, based on the overwhelming volume of code examples that don't use it.
If you have to use the PHP mysql_ interface, then do it right, use the mysql_real_escape_string
function BEFORE including potentially unsafe strings within SQL text.
$sqltext = "SELECT * FROM Users WHERE username= '" . mysql_real_escape_string($userinput) . "'";
mysql_query($sqltext);
If you don't have to use the deprecated mysql interface, then use mysqli or PDO. Both of those interface support prepared statements and bind variables. (Not that you would ever know that these actually provide support for these features, based on the sheer volume of code examples that entirely ignore these features, and blithely continue the same bad coding practices that plague the examples of mysql interface. (Some developers seem to think that mysqli and PDO "fix" SQL injection vulnerabilities, without understanding that its the code that they write that has the SQL Injection vulnerabilities, not the interface they use.
It would be unfair to single out PHP and MySQL as the sole source of SQL injection vulnerabilities. These same vulnerabilities are prevalent in numerous examples of vulnerable code, written using Microsoft Visual Basic, Visual C++, C#, et al.
Bottom line, base64 encoding is NOT the solution to SQL Injection vulnerabilities. (There may be some good reasons to use base64 encoding, but decidedly, avoiding SQL Injection is NOT one of those reasons.)