Andi Gutmans wrote:
> At 04:25 AM 1/21/2006, Jared Williams wrote:
>> What are the security implications of doing this?
>> Creating objects based on a string from an untrusted source seems not a
>> good idea, unless you can prevent tampering (with an HMAC or
>> something).
>
> Well I think the right thing to do is pass an array of "allowed" classes
> into json_decode() and raise an error/exception if it's not in the list.
> I think it wasn't clear to some people why this is needed.
> I think enabling the seamless mapping of objects in between the client
> and server is extremely useful. It'll save PHP developers from having to
> unpack/pack their PHP objects into the right structures. So basically I
> think there should be a way for an object to say what its key/value
> pairs are (__json_serialize_elements()?) and during decode() allow
> mapping directly to classes. In both cases I think if neither a serializing
> interface is implemented nor valid "classes" provided to decode(), it
> should work like today via StdClass.
Just as the classmap option for ext/soap?
Regards,
David
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
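The allowlist idea from the quoted message, written out as an added userland example. This is not code from the thread and not a real json_decode() option (PHP's json_decode() has no class-map parameter); the `__class` tag key, the `JsonHydratable` interface and the `Point` class are illustrative assumptions, and the code targets PHP 8. The unsafe variant shows the problem Jared raises (the payload chooses the class); the guarded variant checks the caller's allowlist before instantiating anything and falls back to stdClass for untagged input.

```php
<?php
// Added example, not PHP's own API: a userland sketch of decoding JSON into
// allowlisted classes. Names below (__class, JsonHydratable, Point) are assumptions.

interface JsonHydratable
{
    /** Key/value pairs to emit, the role the thread gives __json_serialize_elements(). */
    public function jsonElements(): array;

    /** Rebuild an instance from decoded key/value pairs. */
    public static function fromJsonElements(array $elements): static;
}

final class Point implements JsonHydratable
{
    public function __construct(public int $x, public int $y) {}

    public function jsonElements(): array
    {
        return ['x' => $this->x, 'y' => $this->y];
    }

    public static function fromJsonElements(array $elements): static
    {
        return new static((int) $elements['x'], (int) $elements['y']);
    }
}

// Encoding side: tag the object with its class so the decoder knows the target.
function json_encode_typed(JsonHydratable $obj): string
{
    return json_encode(['__class' => $obj::class] + $obj->jsonElements(), JSON_THROW_ON_ERROR);
}

// UNSAFE: the class name comes straight from the (possibly attacker-controlled) payload,
// so any loadable class can be instantiated and have its properties set. Shown only to
// illustrate the concern; do not use.
function json_decode_unsafe(string $json): object
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $class = $data['__class'];          // attacker picks this
    unset($data['__class']);
    $obj = new $class();                // arbitrary instantiation
    foreach ($data as $k => $v) {
        $obj->$k = $v;                  // arbitrary property injection
    }
    return $obj;
}

// GUARDED: only classes in the caller-supplied allowlist may be instantiated; any other
// tag raises, and an untagged payload decodes to stdClass exactly as json_decode() does.
function json_decode_allowed(string $json, array $allowedClasses): mixed
{
    $decoded = json_decode($json, false, 512, JSON_THROW_ON_ERROR);
    if (!is_object($decoded) || !property_exists($decoded, '__class')) {
        return $decoded;                // no mapping requested: stdClass / scalar as today
    }
    $class = $decoded->__class;
    unset($decoded->__class);
    if (!is_string($class) || !in_array($class, $allowedClasses, true)) {
        throw new UnexpectedValueException(
            'Class not allowed in JSON payload: ' . var_export($class, true)
        );
    }
    if (!is_subclass_of($class, JsonHydratable::class)) {
        throw new UnexpectedValueException("$class does not implement JsonHydratable");
    }
    return $class::fromJsonElements((array) $decoded);
}

// Round trip with an allowed class.
$json = json_encode_typed(new Point(3, 4));
$p = json_decode_allowed($json, [Point::class]);
var_dump($p instanceof Point, $p->x, $p->y);   // true, 3, 4

// Tampered payload (constructed): the class name is swapped for something else.
$tampered = str_replace('"' . Point::class . '"', '"SplFileObject"', $json);
try {
    json_decode_allowed($tampered, [Point::class]);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;           // Class not allowed in JSON payload: 'SplFileObject'
}

// Untagged payload falls back to stdClass, the "work like today" case.
var_dump(json_decode_allowed('{"a":1}', [Point::class]) instanceof stdClass); // true
```

The check is `in_array(..., true)` against an explicit list rather than `class_exists()`: existence is not authorization, and the point of the proposal is that the caller, not the payload, decides which classes may be built. The `is_subclass_of` check is a second guard so that even an allowlisted class cannot be populated by blind property assignment.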