Simon,

You really should run at least the mysql_real_escape_string function as one
part of a defense against SQL injection attacks. "Serialize"-ing really only
converts your array into a format the database can store and retrieve; it
doesn't do anything to protect you from intentional or unintentional SQL
injection attacks (to the best of my knowledge, at least). The amount of
validation and checking you ultimately need is dependent upon your
individual security concerns/needs, but it's a good rule to avoid inserting
user data without running some sort of minimal (mysql_real_escape_string)
safeguard first.

Hope this helps,
Rich 
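To make Rich's point concrete, here is an added example that is not part of the original thread. It serializes an array whose value contains a single quote, shows that the quote survives in the serialized blob, executes the blob through a naively interpolated INSERT (which fails because the quote closes the string literal early), and then stores and reads it back with a bound parameter. It assumes PDO with the sqlite driver as an offline stand-in for MySQL; mysql_real_escape_string() itself is not called because it needs a live MySQL connection (and no longer exists in current PHP), and parameter binding is the equivalent safeguard today.

```php
<?php
// Added example (not from the original thread): shows that serialize()
// leaves SQL metacharacters in place, so the serialized blob still needs
// escaping or, better, parameter binding before it reaches the database.
// Assumption: PDO with the sqlite driver stands in for MySQL so the script
// runs offline; with MySQL you would use a mysql: DSN instead.

// Constructed user input containing a single quote, exactly the character
// that breaks a naively interpolated query.
$profile = ['name' => "O'Brien", 'roles' => ['editor']];

$blob = serialize($profile);
echo "Serialized: $blob\n";
// a:2:{s:4:"name";s:7:"O'Brien";s:5:"roles";a:1:{i:0;s:6:"editor";}}
// The quote is still there: serialize() only encodes structure and lengths.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE settings (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

// 1. Naive interpolation: the quote inside the blob terminates the string
//    literal early, so the statement is rejected here; with hostile input
//    it would instead be rewritten into whatever SQL the attacker chose.
$naive = "INSERT INTO settings (data) VALUES ('" . $blob . "')";
try {
    $db->exec($naive);
    echo "Naive insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "Naive insert failed: " . $e->getMessage() . "\n";
}

// 2. Bound parameter: the driver keeps data and SQL apart, so no character
//    in the blob can alter the statement. This is the modern replacement for
//    escaping the value with mysql_real_escape_string() before interpolation.
$stmt = $db->prepare('INSERT INTO settings (data) VALUES (:data)');
$stmt->execute([':data' => $blob]);

// Round trip: read it back and unserialize. allowed_classes => false stops
// a stored string from instantiating arbitrary objects on the way out.
$row = $db->query('SELECT data FROM settings ORDER BY id DESC LIMIT 1')
          ->fetch(PDO::FETCH_ASSOC);
$restored = unserialize($row['data'], ['allowed_classes' => false]);
var_dump($restored === $profile); // bool(true)
```

Run it with `php serialize_demo.php`; the first INSERT raises a syntax error at the point where the quote inside "O'Brien" closed the literal, while the prepared statement stores the identical blob and the array comes back unchanged.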



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 24, 2006 5:39 AM
To: php-db@lists.php.net
Subject: [PHP-DB] Serialize

Hi,

Is a serialized array a "safe" string to enter into a mysql text field? Or
is a function such as mysql_real_escape_string needed to ensure it is
inserted correctly?

regards
Simon.

--
PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit:
http://www.php.net/unsub.php
