Let me start this post by stating two facts, just so there isn't any confusion:
- Base 64 encoding was designed to convert a chunk of binary data into a plain ASCII string. Since, many transfer methods don't deal well with binary data, the process of encoding to Base 64, transferring, then decoding back to binary.
A good example of this would be Base 64 encoding an image file so you can store it into a string variable in your application.
- Base 64 encoding is not encryption! It should never be used in place of encryption to transfer sensitive data.
That being said, I personally have found some other great uses for Base 64 encoding, other than the safe transfer, or storage of binary data.
The Amateur Hacker
Base 64 encoding can come in handy to limit the temptations of amateur hackers to play with query string variables. However, this method should only be used under one of the following conditions:
- The data isn't sensitive, you just don't really want people playing with query string variables.
- It's difficult to maintain an ecryption key across all scripts that make use of the data, and the data is not of a sensitive nature.
An example might be if you send out a mailing to a group of users, which contains a link to see if their order # was selected as a contest winner. The URL within each email might look like:
It is probably not a big deal if a user decided to adjust the order_id parameter to see if any other orders won the contest, so the Base 64 encoding mechanism is acceptable here:
That Warm and Cozy Feeling
When a visitor comes to your site, you want them to feel like they can drop their guard, browse the site, fill out some forms and gather some information with a sense of privacy and anonymity. Passing personal information around in query string parameters may be perfectly secure (if over a secure connection), but it may raise flags for your visitor.
The URL above suggests that the "Thank You" page will use the value of the name query string parameter to display a personalized thank you page. A nice touch, but there's a good chance your visitor will notice that their name is part of the URL in the address bar. This is certainly a step away from that warm and cozy feeling.
Ah, I feel better already! My "Thank You" script can easily Base 64 decode the query string parameter in one line of code.
If your development language supports strings, it most likely offers built-in Base 64 encoding and decoding functions. If your language does not support strings, you may want to try a modern language!
Base 64 is easy. You can pass Base 64 encoded image data in a form variable between a ColdFusion script running on IIS to a Python script running on Apache.
- There's no encryption key
- The data is plain text
- It works in query strings
- It can be inserted into and retrieved from a text-based database field
As we store data in smaller and smaller base, or radix, the amount of storage required to store that data goes up. Although, technically, the amount of individual bits required doesn't change, whether we encode to Base 16 or Base 64, characters are stored on the byte level.
For example, only 6 bits are required for each base 64 digit. So, by Base 64 encoding a string of length 3, our Base 64 encoding requires 4 digits. 4 * 6 = 24.
With a string of length 3, each character consumes one byte. 3 * 8 = 24.
However, our data-types don't get down the bit level, memory is looked up at the byte-level. So, by Base 64 encoding a string of 3 characters, we now have a string of 4 characters: 4 * 8 = 32.
xxx = 3 bytes
ehH4 = 4 bytes
As you can see, Base 64 has uses beyond converting binary data, and you should use it in practice. But, be conscious of when and how you permanently store Base 64 data.