info/php-the-right-way
1
0
Fork 0
mirror of https://github.com/codeguy/php-the-right-way.git synced 2025-08-13 09:13:58 +02:00
Code Issues Projects Releases Wiki Activity

Update advice for unserializing user input

Browse Source
This commit is contained in:
svdv22
2023-04-13 22:24:21 +02:00
committed by GitHub
parent bcbf43b2bd
commit ea075da56f
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
_posts/10-04-01-Data-Filtering.md
View File

@@ -52,7 +52,7 @@ libraries like [HTML Purifier][html-purifier] exist for this reason.
It is dangerous to `unserialize()` data from users or other untrusted sources. Doing so can allow malicious users to instantiate objects (with user-defined properties) whose destructors will be executed, **even if the objects themselves aren't used**. You should therefore avoid unserializing untrusted data.
If you absolutely must unserialize data from untrusted sources, use PHP 7's [`allowed_classes`][unserialize] option to restrict which object types are allowed to be unserialized.
Use a safe, standard data interchange format such as JSON (via [`json_decode`][json_decode] and [`json_encode`][json_encode]) if you need to pass serialized data to the user.
### Validation
@@ -69,4 +69,5 @@ phone number, or age when processing a registration submission.
[5]: https://www.php.net/function.filter-input
[6]: https://www.php.net/security.filesystem.nullbytes
[html-purifier]: http://htmlpurifier.org/
[unserialize]: https://www.php.net/manual/function.unserialize.php
[json_decode]: https://www.php.net/manual/function.json-decode.php
[json_encode]: https://www.php.net/manual/en/function.json-encode.php