Wednesday, July 31, 2002, 5:18:05 AM, you wrote:
1JWH> Yes, it'd be really smart to. If any of the data in the serialized string
1JWH> has a ' or " in it, it could break your query. Or the user being able to
1JWH> enter a ' or " into the data could open you to SQL attacks.
1JWH> You want to do addslashes() on the result of serialize(), not the content
1JWH> going into it, too. PHP will introduct double quotes around any strings that
1JWH> are serialized. These should be escaped or they could end up breaking your
1JWH> Note that you don't have to do stripslashes() on the serialized string when
1JWH> you pull it out.
1JWH> ---John Holmes...
1JWH> ----- Original Message -----
1JWH> From: "Danny Shepherd" <[EMAIL PROTECTED]>
1JWH> To: "PHP-General" <[EMAIL PROTECTED]>
1JWH> Sent: Tuesday, July 30, 2002 2:56 PM
1JWH> Subject: [PHP] Serialised Data & DBs
>> Is it necessary to perform addslashes() on serialised data before
>> it into a database?
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
Another trap to fall into is if you have magic quotes on you will need
to run strip slashes on any GET or POST variables BEFORE
you serialize them, otherwise addslashes will escape the escapes.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php