Re[2]: [PHP] Serialised Data & DBs
Hi,

Wednesday, July 31, 2002, 5:18:05 AM, you wrote:

1JWH> Yes, it'd be really smart to. If any of the data in the serialized string
1JWH> has a ' or " in it, it could break your query. Or the user being able to
1JWH> enter a ' or " into the data could open you to SQL attacks.

1JWH> You want to do addslashes() on the result of serialize(), not the content
1JWH> going into it, too. PHP will introduce double quotes around any strings that
1JWH> are serialized. These should be escaped or they could end up breaking your
1JWH> query.

1JWH> Note that you don't have to do stripslashes() on the serialized string when
1JWH> you pull it out.

1JWH> ---John Holmes...

1JWH> - Original Message -
1JWH> From: "Danny Shepherd" <[EMAIL PROTECTED]>
1JWH> To: "PHP-General" <[EMAIL PROTECTED]>
1JWH> Sent: Tuesday, July 30, 2002 2:56 PM
1JWH> Subject: [PHP] Serialised Data & DBs

>> Hi,
>>
>> Is it necessary to perform addslashes() on serialised data before inserting
>> it into a database?
>>
>> Thanks,
>>
>> Danny.

Another trap to fall into is if you have magic quotes on you will need to run
stripslashes() on any GET or POST variables BEFORE you serialize them, otherwise
addslashes will escape the escapes.

--
regards,
Tom

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
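The three points made in this thread (escape the output of serialize(), not its inputs; unserialize the stored string without stripslashes(); undo magic_quotes_gpc before serializing), worked through in one script. This is an added example, not code posted by anyone in the thread. It assumes PHP 7 or later (for the `allowed_classes` option of unserialize()), and the helper names `serializeForSql`, `mockDbRoundTrip` and `undoMagicQuotes` are invented here; the "database" is a mock that only performs the SQL parser's unescaping, standing in for a real INSERT/SELECT round trip.

```php
<?php
// Added example, not from the thread. Demonstrates:
//  1. addslashes() belongs on the OUTPUT of serialize(), not on the values fed in;
//  2. the stored blob is unserialized as-is, with no stripslashes();
//  3. with magic_quotes_gpc on, request data must be stripslashed BEFORE
//     serializing, otherwise addslashes() escapes the escapes.
// The DB is mocked: the SQL parser removes the escaping on INSERT, so SELECT
// returns exactly what serialize() produced.
declare(strict_types=1);

/** Hypothetical helper: serialize, then escape for a single-quoted SQL literal. */
function serializeForSql(array $data): string
{
    $blob = serialize($data);  // e.g. a:1:{s:4:"name";s:12:"O'Reilly "x"";}
    return addslashes($blob);  // escapes ' " \ and NUL for use inside '...'
}

/** Mock of the INSERT/SELECT round trip: only the SQL parser's unescaping happens. */
function mockDbRoundTrip(string $escapedLiteral): string
{
    return stripslashes($escapedLiteral);  // simulates the DB storing the unescaped bytes
}

/** Undo magic_quotes_gpc on request data (point 3); constructed as if $_POST were escaped. */
function undoMagicQuotes(array $request): array
{
    return array_map('stripslashes', $request);
}

// Constructed input containing both quote characters the thread warns about.
$post = ['name' => 'O\'Reilly "x"'];
// What the same request looks like when magic_quotes_gpc has already escaped it.
$postWithMagicQuotes = ['name' => addslashes($post['name'])];

// Point 1: escape the serialized blob, then embed it in the query.
$literal = serializeForSql($post);
$sql = "INSERT INTO prefs (blob) VALUES ('" . $literal . "')";
echo $sql, "\n";

// Point 2: no stripslashes() on the way out; the DB already undid the escaping.
$fromDb   = mockDbRoundTrip($literal);
$restored = unserialize($fromDb, ['allowed_classes' => false]);
var_dump($restored === $post);  // bool(true)

// Point 3: serializing magic-quoted input and escaping again doubles the backslashes,
// so the round-tripped data carries spurious \ characters.
$wrong = serializeForSql($postWithMagicQuotes);
$right = serializeForSql(undoMagicQuotes($postWithMagicQuotes));
var_dump(unserialize(mockDbRoundTrip($wrong), ['allowed_classes' => false]) === $post);  // bool(false)
var_dump(unserialize(mockDbRoundTrip($right), ['allowed_classes' => false]) === $post);  // bool(true)
```

The string-escaping approach shown is what the thread discusses; with a current PHP and driver the blob would instead be bound as a parameter through mysqli or PDO prepared statements, which removes the addslashes() step and the quote-handling bugs it invites. Magic quotes themselves were removed in PHP 5.4, so point 3 only matters when maintaining code that still runs under older configurations.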
Re: [PHP] Serialised Data & DBs
- Original Message -
From: "1LT John W. Holmes" <[EMAIL PROTECTED]>
To: "Danny Shepherd" <[EMAIL PROTECTED]>; "PHP-General" <[EMAIL PROTECTED]>
Sent: Tuesday, July 30, 2002 8:18 PM
Subject: Re: [PHP] Serialised Data & DBs

> Yes, it'd be really smart to. If any of the data in the serialized string
> has a ' or " in it, it could break your query. Or the user being able to
> enter a ' or " into the data could open you to SQL attacks.
>
> You want to do addslashes() on the result of serialize(), not the content
> going into it, too. PHP will introduce double quotes around any strings that
> are serialized. These should be escaped or they could end up breaking your
> query.

Yeah, the contents are already stripslashed.

> Note that you don't have to do stripslashes() on the serialized string when
> you pull it out.

Cool, didn't realise that - would've been hard to track down later too!

Thanks,

Danny.
Re: [PHP] Serialised Data & DBs
Yes, it'd be really smart to. If any of the data in the serialized string
has a ' or " in it, it could break your query. Or the user being able to
enter a ' or " into the data could open you to SQL attacks.

You want to do addslashes() on the result of serialize(), not the content
going into it, too. PHP will introduce double quotes around any strings that
are serialized. These should be escaped or they could end up breaking your
query.

Note that you don't have to do stripslashes() on the serialized string when
you pull it out.

---John Holmes...

- Original Message -
From: "Danny Shepherd" <[EMAIL PROTECTED]>
To: "PHP-General" <[EMAIL PROTECTED]>
Sent: Tuesday, July 30, 2002 2:56 PM
Subject: [PHP] Serialised Data & DBs

> Hi,
>
> Is it necessary to perform addslashes() on serialised data before inserting
> it into a database?
>
> Thanks,
>
> Danny.
Re: [PHP] Serialised Data & DBs
Yes, you would need to. serialize() does not encode any of the variable data.

-Rasmus

On Tue, 30 Jul 2002, Danny Shepherd wrote:

> Hi,
>
> Is it necessary to perform addslashes() on serialised data before inserting
> it into a database?
>
> Thanks,
>
> Danny.
[PHP] Serialised Data & DBs
Hi,

Is it necessary to perform addslashes() on serialised data before inserting
it into a database?

Thanks,

Danny.