Store php objects in html form element and pass php objects via GET method?

This may seem a little strange, but is there a way? For example, I have a PHP object $foo.

Is there a way to save this object in an HTML form (hidden input) using some object encryption function and later get it back using the decryption function?

Similarly, can I pass these objects using the GET method?

+4
3 answers

As mentioned elsewhere, you can use serialization to turn an object into a string.

 $foo = (object) array( 'foo' => 'foo & bär', 'bar' => new StdClass );
 $serialized = serialize($foo);

This gives:

 O:8:"stdClass":2:{s:3:"foo";s:10:"foo & bär";s:3:"bar";O:8:"stdClass":0:{}} 

As you can see, there are quotation marks in this line, so you cannot insert this into the link without risking breaking the markup:

 <a href="http://example.com?s=O:8:" <-- quote closes href 

So at least you need htmlspecialchars or urlencode . However, this still leaves the content easy to read. You can use the PHP MCrypt library to add strong encryption to the string. But if the data is really that sensitive, you should probably find another means of transmission, away from the public part of your site.

If the data is less sensitive, then you can probably save some processor cycles by simply obfuscating the string. The easiest way to do this is to run it through gzdeflate :

 echo gzdeflate(serialize($foo)); 

gives something like

 󷲰R*.Iq I,.V 2  . 2 RJ  W . 24 … 

Using gzdeflate also shortens large serialized strings. The disadvantage is that it makes the output unsuitable for transmission over HTTP, so you should also base64_encode it:

 echo base64_encode(gzdeflate(serialize($foo))); 

which will then give

 87eysFIqLklxzkksLlayMrKqLrYytlJKy89Xsi62MjQAMxXUFJIOLykCiQDlkhKBLH9UfQZW1bW1AA== 

This is safe to pass around, and also quite obfuscated compared to the original serialized string. Since we compressed the string before base64-encoding it, anyone smart enough to recognize the base64 will still need to figure out the compressed string when trying to change it.

To turn the string back into an object, do

 unserialize( gzinflate( base64_decode( $obfuscatedString ) ) ) 

and you get your object back.


Safety note

The above is still unsafe. You should not rely on obfuscation to ensure safety. If you pass an object or an entire object graph through HTTP, you should consider it user input on the receiving side. User input cannot be trusted. Malicious users figuring out how a string was obfuscated may provide altered input. Since you are unserializing objects back into the program flow, you must be absolutely paranoid about the resulting object.

See http://www.sektioneins.com/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/ for an example.

+13
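As an added example (not code from any of the answers above), here is one way the receiving side can reject altered strings before unserialize() ever runs: the base64(gzdeflate(serialize())) payload is authenticated with an HMAC under a server-side secret, and unserialize() is restricted with allowed_classes. The names $secret, pack_object() and unpack_object() are assumed here, not taken from the page.

```php
<?php
// Added example: HMAC-protected wrapper around the obfuscation scheme above.
// The obfuscation hides nothing from an attacker; the HMAC is what lets the
// receiver reject altered strings, and 'allowed_classes' limits what
// unserialize() may instantiate even if the check is somehow bypassed.
// $secret is assumed to come from server-side configuration and must never
// be sent to the client.

function pack_object(object $obj, string $secret): string
{
    $payload = base64_encode(gzdeflate(serialize($obj)));
    // Authenticate the exact bytes that will be transmitted.
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

function unpack_object(string $token, string $secret): ?object
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; any change to the payload invalidates the MAC.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);   // strict: reject non-base64 input
    if ($raw === false) {
        return null;
    }
    $inflated = @gzinflate($raw);
    if ($inflated === false) {
        return null;
    }
    // Only plain stdClass may be rebuilt; any other class name becomes
    // __PHP_Incomplete_Class instead of running that class's __wakeup/__destruct.
    $obj = unserialize($inflated, ['allowed_classes' => ['stdClass']]);
    return $obj instanceof stdClass ? $obj : null;
}

// Usage with a constructed sample object and a placeholder secret.
$secret = 'REPLACE-WITH-A-RANDOM-SERVER-SIDE-SECRET';
$foo = (object) ['foo' => 'foo & bär', 'bar' => new stdClass];
$token = pack_object($foo, $secret);
var_dump(unpack_object($token, $secret));        // the original object
var_dump(unpack_object($token . 'x', $secret));  // NULL: MAC mismatch
```

The token is still subject to the same escaping rules as any other value, so it goes into the form through htmlspecialchars() with ENT_QUOTES as the next answer shows.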

If it does not contain sensitive data, you can serialize() it (or even optionally encrypt serialized data), for example:

 <input type="hidden" name="foo" value="<?php echo htmlspecialchars(serialize($foo), ENT_QUOTES); ?>" /> 

In the receiving script, unserialize() the POST data to get the object back:

 $foo = unserialize($_POST['foo']); 
+3

You can use serialize and unserialize methods:

 $serialized = serialize($foo); 

Now you can save $serialized in your hidden input field. You can later read it and convert it to an object using the unserialize method. For instance:

 $foo = unserialize($_POST['my_hidden_field']); // back to object 
+2

Source: https://habr.com/ru/post/1337649/
