views:

52

answers:

1

I'm writing a PHP script which uses serialized arrays to store data. How can I prevent injection in serialization? It would be very easy to name your account:

something";s:6:"access";s:5:"admin";

for a simple example. The user could then add the rest of the needed parameters somehow. Would addslashes work for this? Does the php unserialize pick up on that as being an escaped character? If so, is it possible to apply addslashes to an entire array without iterating through?

Thanks for the help!

+2  A: 

The best way to find out would be to try serializing an array with a string that has " in it

Anyways: yes, serialize does account for double quotes in the data you are storing:

$ php -r "var_dump(unserialize(serialize(array('\"'))));"
array(1) {
  [0]=>
  string(1) """
}
AlReece45
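To see why the quotes in the question's example are harmless once the data has gone through serialize(), here is an added example (not from the original post) that stores the attacker-style account name from the question and reads it back. The account name is constructed; the rest uses only serialize() and unserialize() as the answer describes.

```php
<?php
// Added example, not part of the original answer.
// serialize() writes every string as s:<byte length>:"<bytes>";
// unserialize() reads exactly <byte length> bytes, so the quotes and
// semicolons inside the value are data, not structure.

// Constructed input in the style of the question.
$userName = 'something";s:6:"access";s:5:"admin";';

$record = array(
    'name'   => $userName,
    'access' => 'user',   // the real privilege level we expect to survive
);

$stored = serialize($record);
echo $stored, PHP_EOL;
// a:2:{s:4:"name";s:36:"something";s:6:"access";s:5:"admin";";s:6:"access";s:4:"user";}

$loaded = unserialize($stored);

// The array still has exactly the two keys we wrote...
var_dump(count($loaded) === 2);              // bool(true)
// ...the access level is untouched...
var_dump($loaded['access'] === 'user');      // bool(true)
// ...and the name comes back byte-for-byte, quotes included.
var_dump($loaded['name'] === $userName);     // bool(true)

// No addslashes() needed: applying it would store backslashes that
// unserialize() returns verbatim, corrupting the value rather than
// escaping anything.
$escaped = unserialize(serialize(array('name' => addslashes($userName))));
var_dump($escaped['name'] === $userName);    // bool(false)
```

The length prefix protects the structure only when serialize() itself produced the blob; a serialized string that arrives from an untrusted source (a cookie, a form field) should not be handed to unserialize() at all, since the caller, not serialize(), then controls the structure.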