Cyclone

Reputation: 18295

Serializing array in PHP, preventing injection

I'm writing a PHP script which uses serialized arrays to store data. How can I prevent injection in serialization? It would be very easy to name your account:

something";s:6:"access";s:5:"admin";

for a simple example. The user could then add the rest of the needed parameters somehow. Would addslashes work for this? Does the php unserialize pick up on that as being an escaped character? If so, is it possible to apply addslashes to an entire array without iterating through?

Thanks for the help!

Upvotes: 2

Views: 905

Answers (1)

Reece45

Reputation: 2779

The best way to find out would be to try serializing an array with a string that has " in it.

Anyways: yes, serialize does account for double quotes in the data you are storing:

$ php -r "var_dump(unserialize(serialize(array('\"'))));"
array(1) {
  [0]=>
  string(1) """
}

Upvotes: 3
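Checking the answer's claim with the exact payload from the question, as an added example that is not part of the original post: the account data is constructed, and `restore()` is a helper written here, not a PHP built-in.

```php
<?php
// Added example; not code from the original question or answer.
// Shows why the payload in the question cannot change the structure of a
// serialized array: serialize() emits every string as s:<byte length>:"...";
// and unserialize() consumes exactly that many bytes instead of scanning
// for a closing quote. Username and access level below are constructed data.
declare(strict_types=1);

// Restore serialized data while refusing to instantiate objects, so only
// arrays and scalars can come back (allowed_classes exists since PHP 7.0).
function restore(string $blob): array
{
    $data = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException('serialized payload is not an array');
    }
    return $data;
}

// The hostile-looking account name from the question, stored as plain data.
$username = 'something";s:6:"access";s:5:"admin";';
$account  = ['name' => $username, 'access' => 'user'];

$blob = serialize($account);
echo $blob, PHP_EOL;
// The name is written as s:36:"...": the length prefix covers all 36 bytes,
// quotes and semicolons included, and the real 'access' element follows
// as a separate s:6:"access";s:4:"user"; pair.

$restored = restore($blob);
if ($restored !== $account || $restored['access'] !== 'user') {
    throw new RuntimeException('structure was altered by the account name');
}

// addslashes() is not needed and actually corrupts the data: the added
// backslashes are stored literally (the name grows to 41 bytes), so the
// round trip no longer matches the original array.
$escaped = array_map('addslashes', $account);
echo serialize($escaped), PHP_EOL;
if (restore(serialize($escaped))['name'] === $username) {
    throw new RuntimeException('unexpected: addslashes left the data unchanged');
}
echo 'round trip intact without addslashes; addslashes changes stored data', PHP_EOL;
```

The real protection is the length prefix, so the only thing to avoid is building the serialized string by hand instead of calling serialize().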
