I have been using serialize() for a while. How can this result in security holes if values are verified before being used in scripts?

Cookie names can be set as array names and will be available to your PHP scripts as arrays, but separate cookies are stored on the user's system. Consider explode() to set one cookie with multiple names and values. It is not recommended to use serialize() for this purpose, because it can result in security holes.
Cookie Security
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Hmm, I'll guess by the amount of views this topic has, and no replies, that it must not be a very big security issue? 
Yes, it would appear so. 
I can't think of any situation where using serialize would be more harmful than not. I mean, a cookie is on the client side and the user can always change its contents, be it serialized or not. No matter in what format the content is stored, the user can change the actual content to whatever he/she wants (except if it's encrypted).
But, just because I don't know any security issues, that doesn't mean there is none. Claiming that may be ignorant and arrogant.
1. there were bugs in unserialize which could lead to arbitrary code execution
2. Consider PHP5 with an __autoload function defined. If an object happens to be in the serialized string, the server would first use __autoload to include a class definition (where className is controlled by the user) and then invoke the __wakeup method on the restored object. While it's not arbitrary code execution on its own, isn't it too much control granted to an untrusted party?
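As an added illustration of the two points above (this is example code, not from the thread or the PHP manual), here is the risky pattern of handing a raw cookie to unserialize() next to a version that stores preferences as JSON, signs them with an HMAC so tampering is detected, and validates the decoded fields. The cookie name, the field names and the $secret variable are assumptions for the example.

```php
<?php
// Constructed example. Assumes a server-side secret (never sent to the client).
const COOKIE_NAME = 'prefs';

// Risky: the client controls the bytes given to unserialize(), so a crafted
// cookie decides which class gets autoloaded and whose __wakeup() runs.
// If unserialize() is unavoidable, PHP 7+ at least lets you forbid objects:
//   unserialize($raw, ['allowed_classes' => false]);
function readPrefsRisky(array $cookies) {
    return isset($cookies[COOKIE_NAME]) ? unserialize($cookies[COOKIE_NAME]) : [];
}

// Safer: JSON never instantiates classes on decode, the HMAC makes the cookie
// tamper-evident, and the caller still whitelists every field it uses.
function writePrefs(array $prefs, string $secret): string {
    $payload = base64_encode(json_encode($prefs));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function readPrefs(?string $cookie, string $secret): array {
    if ($cookie === null || strpos($cookie, '.') === false) {
        return [];
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    // Constant-time compare; anything the server did not sign is discarded.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return [];
    }
    $raw = base64_decode($payload, true);
    $data = ($raw === false) ? null : json_decode($raw, true);
    if (!is_array($data)) {
        return [];
    }
    // Accept only the expected fields, types and ranges.
    $clean = [];
    if (isset($data['username']) && is_string($data['username'])
        && preg_match('/^[A-Za-z0-9_]{1,32}$/', $data['username'])) {
        $clean['username'] = $data['username'];
    }
    if (isset($data['per_page']) && is_int($data['per_page'])
        && $data['per_page'] >= 10 && $data['per_page'] <= 100) {
        $clean['per_page'] = $data['per_page'];
    }
    return $clean;
}

// Usage (assumed secret and values):
// setcookie(COOKIE_NAME, writePrefs(['username' => 'alice', 'per_page' => 25], $secret));
// $prefs = readPrefs($_COOKIE[COOKIE_NAME] ?? null, $secret);
```

A signed cookie only detects modification; if the values must stay confidential the cookie still needs encryption, or the state belongs in a server-side session.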
- Maugrim_The_Reaper
Currently I am only using cookies for convenience.
Remembering a username (for easy login)
And search form preferences