Sanitation when storing a serialized array

If I store a serialized array in a MySQL database, must I sanitize before or after calling the serialization function? Or do I really need to sanitize?

For instance:

    $details['name'] = mysql_real_escape_string($_POST['name']);
    $details['email'] = mysql_real_escape_string($_POST['email']);
    $details['phone'] = mysql_real_escape_string($_POST['phone']);
    $serializedDetails = serialize($details);
    // Do SQL query

or

    $details['name'] = $_POST['name'];
    $details['email'] = $_POST['email'];
    $details['phone'] = $_POST['phone'];
    $serializedDetails = mysql_real_escape_string(serialize($details));

Or maybe, in the second case, I can just do:

    $serializedDetails = serialize($details);
1 answer

Always use mysql_real_escape_string when dealing with strings that may contain quotation marks or slashes. If you do not, you will receive hacked / malicious requests. The output of serialize() sometimes contains quotes or slashes, so you should use it. However, there is no need to serialize each element of the array in advance.

    $details['name'] = $_POST['name'];
    $details['email'] = $_POST['email'];
    $details['phone'] = $_POST['phone'];
    $serializedDetails = mysql_real_escape_string(serialize($details));

As an example: serializing "hello" will give you: s:5:"hello".

    $data = 's:5:"hello"';
    $query = 'INSERT INTO tbl (data) VALUES ("' . $data . '")';
    // leads to a syntax error from mysql
    // (plus it is a huge security hole)
    mysql_query($query);
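To see why the placement of the escaping matters, here is an added example (not the poster's or the answerer's code) that models both placements from the question without a live database. escape_like_mysql() and decode_mysql_literal() are hypothetical helpers standing in for mysql_real_escape_string() and for the MySQL parser reading a single-quoted literal; in current PHP the mysql extension is gone, and with mysqli or PDO the serialized string would be bound as a prepared-statement parameter with no manual escaping at all.

```php
<?php
// Added example, not from the original post. The two helpers below are
// hypothetical stand-ins so the demo runs without a database:
// escape_like_mysql() mirrors what mysql_real_escape_string() does to a string,
// decode_mysql_literal() mirrors how the MySQL parser turns a single-quoted
// literal back into the value that is actually stored.
function escape_like_mysql(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

function decode_mysql_literal(string $s): string {
    return strtr($s, [
        "\\\\" => "\\", "\\'" => "'", '\\"' => '"',
        "\\0" => "\0", "\\n" => "\n", "\\r" => "\r", "\\Z" => "\x1a",
    ]);
}

// Approach 1 from the question: escape every field, then serialize.
// The s:N: length prefixes count the escaped bytes, so once MySQL decodes
// the literal the stored string no longer matches its own prefixes.
function store_escape_then_serialize(array $details): string {
    $payload = serialize(array_map('escape_like_mysql', $details));
    return decode_mysql_literal($payload);
}

// Approach 2 from the answer: serialize first, escape the whole string once.
function store_serialize_then_escape(array $details): string {
    $payload = escape_like_mysql(serialize($details));
    return decode_mysql_literal($payload);
}

// Constructed sample input with an apostrophe, the character that triggers escaping.
$details = ['name' => "O'Brien", 'email' => 'ob@example.com', 'phone' => '555-0100'];

$stored1 = store_escape_then_serialize($details);
$stored2 = store_serialize_then_escape($details);

echo $stored1, "\n";   // ...s:8:"O'Brien"... : prefix says 8 bytes, only 7 remain
echo $stored2, "\n";   // ...s:7:"O'Brien"... : intact

var_dump(@unserialize($stored1) === false);   // bool(true): record is corrupted
var_dump(unserialize($stored2) === $details);  // bool(true): round-trips cleanly
```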

Source: https://habr.com/ru/post/1382647/