info/php-the-right-way
1
0
Fork 0
mirror of https://github.com/codeguy/php-the-right-way.git synced 2025-08-08 06:56:33 +02:00
Code Issues Projects Releases Wiki Activity

Mention the filtered unserialize feature of PHP 7

Browse Source
This commit is contained in:
Colin O'Dell
2015-12-04 14:28:11 -05:00
parent 323e0d6865
commit cdb60772d2
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
_posts/10-04-01-Data-Filtering.md
View File

@@ -48,6 +48,12 @@ libraries like [HTML Purifier][html-purifier] exists for this reason.
[See Sanitization Filters][2] [See Sanitization Filters][2]
### Unserialization
It is dangerous to `unserialize()` data from users or other untrusted sources. Doing so can allow malicious users to instantiate objects (with user-defined properties) whose destructors will be executed, **even if the objects themselves aren't used**. You should therefore avoid unserializing untrusted data.
If you absolutely must unserialize data from untrusted sources, use PHP 7's [`allowed_classes`][unserialize] option to restrict which object types are allowed to be unserialized.
### Validation ### Validation
Validation ensures that foreign input is what you expect. For example, you may want to validate an email address, a Validation ensures that foreign input is what you expect. For example, you may want to validate an email address, a
@@ -63,3 +69,4 @@ phone number, or age when processing a registration submission.
[5]: http://php.net/function.filter-input [5]: http://php.net/function.filter-input
[6]: http://php.net/security.filesystem.nullbytes [6]: http://php.net/security.filesystem.nullbytes
[html-purifier]: http://htmlpurifier.org/ [html-purifier]: http://htmlpurifier.org/
[unserialize]: https://secure.php.net/manual/en/function.unserialize.php