----- Original Message -----
From: "1LT John W. Holmes" <[EMAIL PROTECTED]>
To: "Danny Shepherd" <[EMAIL PROTECTED]>; "PHP-General" <[EMAIL PROTECTED]>
Sent: Tuesday, July 30, 2002 8:18 PM
Subject: Re: [PHP] Serialised Data & DBs
> Yes, it'd be really smart to. If any of the data in the serialized string
> has a ' or " in it, it could break your query. Or the user being able to
> enter a ' or " into the data could open you to SQL attacks.
>
> You want to do addslashes() on the result of serialize(), not the content
> going into it, too. PHP will introduce double quotes around any strings that
> are serialized. These should be escaped or they could end up breaking your
> query.

Yeah, the contents are already stripslashed.

> Note that you don't have to do stripslashes() on the serialized string when
> you pull it out.

Cool, didn't realise that - would've been hard to track down later too!

Thanks,

Danny.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
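The exchange above in working code, as an added example that is not part of the original thread or of anyone's posted code. It shows that serialize() output always carries double quotes (and any single quotes the user typed), that interpolating it unescaped lets the data run as SQL, that escaping or binding the whole serialized string fixes that, and that the value read back is the original string, so no stripslashes() is needed. It assumes PHP 7+ with PDO and the SQLite driver available; the prefs table, its columns and the sample data are made up for the demonstration. addslashes() from the thread is the backslash scheme MySQL understands; SQLite doubles quotes instead, so the example escapes with PDO::quote(), which uses whatever the driver expects.

```php
<?php
// Added example (not from the original thread). Assumes PDO + pdo_sqlite.
// Table name, columns and sample data are constructed for this demo.

// Constructed input: the first value carries " characters, the second is
// the kind of thing a hostile user types into a form field.
$profile = [
    'quote'   => 'She said "hi"',
    'attempt' => "'); DROP TABLE prefs; --",
];

$serialized = serialize($profile);
// serialize() wraps every string in double quotes and copies its content
// verbatim, so the blob is:
// a:2:{s:5:"quote";s:13:"She said "hi"";s:7:"attempt";s:24:"'); DROP TABLE prefs; --";}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE prefs (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

// 1) Unescaped interpolation, the mistake the thread warns about. The '
//    inside the blob closes the SQL literal early; what follows it is run
//    as SQL (pdo_sqlite's exec() hands the whole string to sqlite3_exec,
//    which executes every statement in it), and the -- hides the rest.
try {
    $pdo->exec("INSERT INTO prefs (id, data) VALUES (1, '$serialized')");
} catch (PDOException $e) {
    echo "naive insert raised: ", $e->getMessage(), "\n";
}
$tableExists = (int) $pdo->query(
    "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'prefs'"
)->fetchColumn();
echo "prefs table still exists after naive insert: ", $tableExists ? 'yes' : 'no', "\n";
if (!$tableExists) {
    // The injected DROP TABLE ran; rebuild so the rest of the demo can continue.
    $pdo->exec('CREATE TABLE prefs (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');
}

// 2) Escape the whole serialized string, as the thread advises, but with the
//    driver's own quoting. addslashes() is MySQL-style backslash escaping;
//    SQLite escapes ' by doubling it, which is what PDO::quote() emits here.
$quoted = $pdo->quote($serialized);
$pdo->exec("INSERT INTO prefs (id, data) VALUES (1, $quoted)");

// 3) Bound parameter: the driver keeps data and SQL apart, so there is no
//    escaping step to forget and no dependence on the database's quoting rules.
$stmt = $pdo->prepare('INSERT INTO prefs (id, data) VALUES (2, :data)');
$stmt->execute([':data' => $serialized]);

// Reading back: escaping only protected the SQL text; the stored value is
// the original blob, so it is unserialized as-is. stripslashes() here would
// eat any backslash that was legitimately part of the data.
// allowed_classes => false keeps a tampered row from instantiating objects.
foreach ($pdo->query('SELECT id, data FROM prefs ORDER BY id') as $row) {
    $restored = unserialize($row['data'], ['allowed_classes' => false]);
    printf("row %d round-trips intact: %s\n", $row['id'], $restored === $profile ? 'yes' : 'no');
}
```

Run it with `php serialize_demo.php`. The naive insert leaves the prefs table gone, while rows 1 and 2 both unserialize back to the original array with no un-escaping step in between. On a MySQL connection the same structure applies with addslashes() or, better, mysqli_real_escape_string() in place of PDO::quote(), and the bound-parameter form works unchanged.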