Date: 07/30/02
- Next message: Kerry Gray: "[PHP] Re: Mail Form"
- Previous message: Tech Support: "Re: [PHP] mcrypt"
- In reply to: Danny Shepherd: "[PHP] Serialised Data & DBs"
- Next in thread: Danny Shepherd: "Re: [PHP] Serialised Data & DBs"
- Reply: Danny Shepherd: "Re: [PHP] Serialised Data & DBs"
- Reply: Tom Rogers: "Re[2]: [PHP] Serialised Data & DBs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Yes, it'd be really smart to. If any of the data in the serialized string
has a ' or " in it, it could break your query. Or the user being able to
enter a ' or " into the data could open you to SQL attacks.
You want to do addslashes() on the result of serialize(), not the content
going into it, too. PHP will introduce double quotes around any strings that
are serialized. These should be escaped or they could end up breaking your
query.
Note that you don't have to do stripslashes() on the serialized string when
you pull it out.
---John Holmes...
----- Original Message -----
From: "Danny Shepherd" <danny <email protected>>
To: "PHP-General" <php-general <email protected>>
Sent: Tuesday, July 30, 2002 2:56 PM
Subject: [PHP] Serialised Data & DBs
> Hi,
>
> Is it necessary to perform addslashes() on serialised data before inserting
> it into a database?
>
> Thanks,
>
> Danny.
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
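An added example, not code from the thread, showing the point John makes: serialize() wraps every string in double quotes, so its output cannot be spliced into a quoted SQL literal without escaping. The script applies addslashes() to the serialized string (the approach described above) and, alongside it, inserts the same string through a PDO prepared statement, which is what I would use today because the driver sends the value separately from the query text. The table name `prefs`, its columns, and the use of the pdo_sqlite extension for an in-memory database are assumptions made for the demo.

```php
<?php
// Added example, not from the original thread. Demonstrates why serialize()
// output needs escaping when spliced into SQL, and a prepared-statement
// alternative. Table `prefs` and its columns are assumptions for the demo;
// the in-memory SQLite database requires the pdo_sqlite extension.

$data = ['name' => "O'Brien", 'note' => 'said "hi"', 'tags' => ['a', 'b']];

// serialize() emits s:<len>:"<string>" for every string value, so the result
// always contains double quotes, plus whatever quotes the data itself holds.
$serialized = serialize($data);

// 1. Escaping after serializing, as the reply recommends: quotes and
//    backslashes inside the serialized string get a backslash prefix, so the
//    literal below stays one quoted value. Escaping the array's contents
//    before serialize() would not protect the quotes serialize() adds.
$escaped = addslashes($serialized);
$sqlLegacy = "INSERT INTO prefs (user_id, blob) VALUES (42, '$escaped')";

// 2. Prepared statement: the value never becomes part of the SQL text, so no
//    escaping is applied on write and none has to be undone on read.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE prefs (user_id INTEGER, blob TEXT)');
$pdo->exec($sqlLegacy); // the addslashes() version stores row 42 correctly

$stmt = $pdo->prepare('INSERT INTO prefs (user_id, blob) VALUES (:uid, :blob)');
$stmt->execute([':uid' => 43, ':blob' => $serialized]);

// Round trip: both rows hold the string byte-for-byte as serialize() produced
// it, so unserialize() works directly, without stripslashes().
foreach ([42, 43] as $uid) {
    $stmt = $pdo->prepare('SELECT blob FROM prefs WHERE user_id = :uid');
    $stmt->execute([':uid' => $uid]);
    $stored = $stmt->fetchColumn();
    $ok = ($stored === $serialized) && (unserialize($stored) === $data);
    echo "user $uid round trip: " . ($ok ? 'ok' : 'MISMATCH') . "\n";
}
```

Row 42 shows that the backslashes added by addslashes() are consumed by the SQL parser and never reach the stored value, which is why no stripslashes() is needed on the way out. Only unserialize() data your own code serialized and stored; the function reconstructs objects and should not be run on input a client controls.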