Serialize

on 24.05.2006 11:39:24 by phplist

Hi,

Is a serialized array a "safe" string to enter into a mysql text field? Or is a
function such as mysql_real_escape_string needed to ensure it is inserted
correctly?

regards
Simon.

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: Serialize

on 24.05.2006 14:39:29 by Richard.Hutchins

Simon,

You really should run at least the mysql_real_escape_string function as one
part of a defense against SQL injection attacks. "Serialize"-ing really only
converts your array into a format the database can store and retrieve; it
doesn't do anything to protect you from intentional or unintentional SQL
injection attacks (to the best of my knowledge, at least). The amount of
validation and checking you ultimately need is dependent upon your
individual security concerns/needs, but it's a good rule to avoid inserting
user data without running some sort of minimal (mysql_real_escape_string)
safeguard first.

Hope this helps,
Rich




Re: Serialize

on 14.06.2006 07:03:32 by Scott Hurring

You should definitely quote it because serialized strings can still contain
quotes, semicolons, commas, etc. and other stuff that's used in SQL
injection attacks.



--
Scott Hurring [scott dot hurring dot lists at gmail dot com]
http://hurring.com/
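The point both replies make, shown as an added example that is not part of the original thread: a serialized PHP array is full of quotes, semicolons and braces, so splicing it into an SQL string is exactly as dangerous as splicing in the raw user input. The script below uses PDO with an in-memory SQLite database so it runs offline (assumption: the pdo_sqlite driver is installed); against MySQL only the DSN changes. It uses a bound parameter instead of mysql_real_escape_string(), since that function, and the whole mysql_* extension, was removed in PHP 7, and a prepared statement does not depend on the connection charset being set correctly the way manual escaping does.

```php
<?php
// Added example, not code from the thread. It shows why a serialized array
// must be parameterised (or escaped) before it goes into SQL, and the safe
// round trip. Assumption: PDO with the pdo_sqlite driver is available; an
// in-memory SQLite database stands in for MySQL so the script runs offline.
// Against MySQL only the DSN changes (e.g. 'mysql:host=...;dbname=...').

// Constructed sample input: the kind of data a user might submit. The
// quote in the name and the quote/semicolon in the note are exactly the
// characters that break naively built SQL.
$userData = [
    'name'  => "O'Brien",
    'note'  => "'); DROP TABLE prefs; --",
    'count' => 3,
];

$blob = serialize($userData);
// $blob now contains quotes, semicolons, colons and braces (the s:N:"..."
// records), so it is not a "safe" string to splice into SQL. The length
// prefixes mean something to unserialize(), nothing to the SQL parser.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE prefs (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

// 1. Unsafe: interpolating the serialized string into the statement. The
//    first single quote inside $blob ends the SQL literal early, so the
//    statement is malformed; with input crafted for it, the remainder is
//    executed as attacker-chosen SQL.
$unsafeSql = "INSERT INTO prefs (data) VALUES ('$blob')";
try {
    $pdo->exec($unsafeSql);
    echo "unsafe insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "unsafe insert rejected: " . $e->getMessage() . "\n";
}

// 2. Safe: a prepared statement with a bound parameter. The value travels
//    separately from the SQL text (or is escaped by the driver for the
//    connection's charset), so nothing in $blob can alter the statement.
//    This replaces the manual mysql_real_escape_string() call discussed in
//    the thread; that function was removed in PHP 7 with the mysql_* extension.
$insert = $pdo->prepare('INSERT INTO prefs (data) VALUES (:data)');
$insert->execute([':data' => $blob]);
$id = (int) $pdo->lastInsertId();

// Round trip. allowed_classes=false stops unserialize() from instantiating
// arbitrary classes if the stored blob is ever tampered with (PHP object
// injection), a risk that SQL escaping does nothing about.
$select = $pdo->prepare('SELECT data FROM prefs WHERE id = :id');
$select->execute([':id' => $id]);
$stored = $select->fetchColumn();
$restored = unserialize($stored, ['allowed_classes' => false]);

echo ($restored === $userData) ? "round trip intact\n" : "round trip corrupted\n";
```

Run it with `php serialize_demo.php` (file name is arbitrary). The unsafe insert is rejected by the parser here because the input happens to be malformed SQL once the literal is cut short; an attacker who controls any element of the array can instead craft a value that keeps the statement syntactically valid, which is why the escaping or binding step is not optional.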
