mirror of
https://github.com/codeguy/php-the-right-way.git
synced 2025-08-15 10:13:58 +02:00
Update advice for unserializing user input
This commit is contained in:
svdv22
GitHub
@@ -52,7 +52,7 @@ libraries like [HTML Purifier][html-purifier] exist for this reason.
|
|||||||
|
|
||||||
It is dangerous to `unserialize()` data from users or other untrusted sources. Doing so can allow malicious users to instantiate objects (with user-defined properties) whose destructors will be executed, **even if the objects themselves aren't used**. You should therefore avoid unserializing untrusted data.
|
It is dangerous to `unserialize()` data from users or other untrusted sources. Doing so can allow malicious users to instantiate objects (with user-defined properties) whose destructors will be executed, **even if the objects themselves aren't used**. You should therefore avoid unserializing untrusted data.
|
||||||
|
|
||||||
If you absolutely must unserialize data from untrusted sources, use PHP 7's [`allowed_classes`][unserialize] option to restrict which object types are allowed to be unserialized.
|
Use a safe, standard data interchange format such as JSON (via [`json_decode`][json_decode] and [`json_encode`][json_encode]) if you need to pass serialized data to the user.
|
||||||
|
|
||||||
### Validation
|
### Validation
|
||||||
|
|
||||||
@@ -69,4 +69,5 @@ phone number, or age when processing a registration submission.
|
|||||||
[5]: https://www.php.net/function.filter-input
|
[5]: https://www.php.net/function.filter-input
|
||||||
[6]: https://www.php.net/security.filesystem.nullbytes
|
[6]: https://www.php.net/security.filesystem.nullbytes
|
||||||
[html-purifier]: http://htmlpurifier.org/
|
[html-purifier]: http://htmlpurifier.org/
|
||||||
[unserialize]: https://www.php.net/manual/function.unserialize.php
|
[json_decode]: https://www.php.net/manual/function.json-decode.php
|
||||||
|
[json_encode]: https://www.php.net/manual/en/function.json-encode.php
|
||||||
|
|||||||
Reference in New Issue
Block a user