What is base64 encoding and how can we benefit from it

Featured Image

What is base64 encoding/decoding and how we can benefit from this representation

Base64 schemes represent binary data in an ASCII string format (English alphabet, common punctuation chars, control chars) by translating it into a base-64 representation. This basically means that all kind of characters (ASCII, UTF8, UTF16…) with control characters can be mapped for example in English alphabet a-z, A-Z, 0-9 and you would be able to read them all on screen, or even print them out.
First of all, Magento is using base64 encode/decode each time you want to add product in your cart. Magento will redirect you to something like this: “http://loc.magento.com/checkout/cart/add/uenc/aHR0cDovL2xvYy5tYWdlbn…93/” with some POST data (product=93&related_product=&super_attribute[502]=37&qty=2).

These chars “aHR0cDovL2xvYy5tYWdlbnRvLmNvbS9hc2ljcy1tZW4tcy1nZWwta2F5YW5vLXhpaS5odG1s” are base64 encoded strings and POST data you can see (HTTP header traffic) with Firebug, LiveHTTPHeaders (addon for FF), Charles proxy,…

If you don’t know what does it mean (encoded chars) and how they are generated – keep reading.

Additionally, if you have any useful example where did you use base64 encode/decode, feel free to share your ideas with others.

From wiki: “Base64 encoding schemes are commonly used when there is a need to encode binary data that needs be stored and transferred over media that are designed to deal with textual data. This is to ensure that the data remains intact without modification during transport”.

In our case uenc = url encoded = aHR0cDovL2xvYy5tYWdlbnRvLmNvbS9hc2ljcy1tZW4tcy1nZWwta2F5YW5vLXhpaS5odG1s = http://loc.magento.com/asics-men-s-gel-kayano-xii.html.

What do you think why doesn’t Magento use normal strings in URL instead of base64 which is around 33% longer? Hint: you’ll get this later in the article…

As you can see we can’t put char “/” in URL if we want to send last visited URL as parameter because we would break attribute/value rule for “MOD rewrite” – GET parameter.
A full example would be: “http://loc.magento.com/checkout/cart/add/uenc/http://loc.magento.com/asics-men-s-gel-kayano-xii.html/product/93/” – sure it’s wrong.

This is just one example where you can use base64. Also in administration part when you search in grid in some column some value you can see that Magento is using base64 to encode your filter(s). In other words, you don’t need to worry about which character sets client’s browser can accept. You are sure that all characters will be transferred over the wire with base64!

So, what do I need to do to convert characters into base64 encoded schema? Just a little bit of math or you can use any trusted code which will do that for you. You have bunch of “online base64 decode/encode” scripts on web, just google them. What programming language to use to develop scripts for such of things? Sure, javascript to send “safe” data over the wire and you can use PHP to decode them, vice-versa.

Additionally, you can find base64 encoding algorithms in javascript in Magento’s folder webroot/js/mage/adminhtml/hash.js around line 57, function encode_base64( what ) {…

Another example could be the following: you have a web service that accept only ASCII chars. You want to save and then transfer user’s data to some other location (API) but recipient want receive untouched data. Again base64 is for that also. The only downside is that base64 encoding will require around 33%  more space than regular strings.

So with base64 you can encode and transfer any sets of binary data through any system and then decode them to original binary data. Cool, right?

Does gmail use base64? Sure!

Instead of “reinventing the wheel” and showing you how base64 works please take a look this pdf where you can see nice examples and table with ASCII chars. http://www.aardwulf.com/tutor/base64/base64.pdf

You can also build your own base64 algorithm for your specific needs!

For the end, did you maybe buy some extension that has weird characters in it and you didn’t know how to see source code? If your answer is yes, while reading this article did you maybe recognize that the code you have is probably base64 encoded? And can you perhaps see “eval()” function in that code?

If the answer is yes, then in my next article I’ll show you how to do “reverse engineering” and see your source code for bunch of extensions,… which you can buy and which are base64 encoded.

Stay tuned!


  1. Hi Ivan,
    I found your post whilst looking for how I can have any email addresses displayed on a Magento site to be base64 encoded. It seems, with your article, I am one step closer.

    For instance, it is common to display an email address for people to contact the site owner. In WordPress sites I use a plugin that will encode all email addresses via various methods. One of those methods is Base64 encoding. Apparently it will fool most email address collecting bots. But I didn’t find any such extension for Magento.

    Based on your knowledge of Magento and how it handles Base64 encoding, can you suggest a way to obscure email addresses in this way?


  2. Perfect explanation of URL endcode in Magento.
    Keep posted with good articles to help developers. -:)

  3. @Ivan

    It is totally irelevant what “developers thought”, and I would really want to see “those developers” 😉

    I was merely stating the difference for the sake of conversation and I’m totally aware what Pavel wanted to say.

  4. @Tomas
    Why Pavel used term “encryption” is because lots of developers when they saw for the first time some code which is base64 “encrypted” (encoded), they mean that code is actually “encrypted”. So when they want to look for the solution they will for sure google something like… “how to decrepit xyz extension” and not how to decode xyz extension. So it’s not correct to use term encryption for base64 encoding (because there isn’t key) but it’s reasonable to use term encryption/decription for this example. Is this correct Pavel?

    p.s. “Strictly speaking, encryption is an encoding operation, but the term encoding is generally used in cryptography to mean that secrecy is not involved.

    encryption: 1.The process of changing plaintext into ciphertext using a cryptographic algorithm and key.”

    I hope you both agree with this…

  5. Just for the record. Base64 encode IS NOT encryption.
    It is merely used to represent binary data using printable characters.

  6. A lot of wordpress themes are encrypted only for saving designer’s copyrights.
    If you make a research youl’ll see that there are 2 ways of encoding: first — simple obfuscation and base64 encodyng; second — 2 base64 blocks (first block should be evaled to get functions wich later read from the same file the second block and decode it)

  7. Yes. But not only for Magento, for any source code which is encrypted using base64. I didn’t yet need to decrepit anything for myself but I think even if you bought something you want to know can that code produce some “unexpected” issues.

  8. Thanks Pavel.
    Agree, forgot to mention that for default abse64 (even if I often use both of the functions to check some values…)

    But base64 isn’t unique, you can build your “safe” base64 algorithm and you can use some other chars, perhaps: «__», «_» and «-» instead of «=», «+» and «/» so if you have last two chars «__» your algorithm can know what they mean, you’ll lose max 1 char,…

    This post I’ve written mostly because lots of developers are afraid when they saw base64 with eval() function, but they shouldn’t be…

  9. Base64 uses not only alphabetic and numeric characters, but also «=», «+» and «/» symbols. But do not forget, that browser converts most non-alphanumeric characters to the % sign followed by two hex digits form. Ex. space is encoded as «+» and «+» is transferred to the «%2B». So you can not say that base64 is enough for “safe” sending of the binary data. You should also use urlencode() function before sending and urldecode() while accepting data to be sure that there is no any encoding error in your query string.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <blockquote cite=""> <code> <del datetime=""> <em> <s> <strike> <strong>. You may use following syntax for source code: <pre><code>$current = "Inchoo";</code></pre>.