Do I need to escape my object data if I'm serializing for MySQL injection?

ie:

<?php
class Object
{
   public $description;
}

$obj = new Object();
// option 1: escape the field value before serializing
$obj->description = mysql_real_escape_string("this is my crazy string with lot's of bad // characters");

$data = serialize($obj); // <-- $data will be stored in DB

or will this suffice:

<?php
class Object
{
   public $description;
}

$obj = new Object();
// option 2: no escaping at all, rely on serialize()
$obj->description = "this is my crazy string with lot's of bad // characters";

$data = serialize($obj); // <-- $data will be stored in DB
+2  A: 

Run mysql_real_escape_string() after you've serialized. That's the string you are going to put in the database after all.

Daniel Egeberg
makes perfect sense
Jascha
Always run mysql_real_escape_string on input, or better yet, use prepared statements. The more of a habit you make it, the better.
Mike Sherov
+3  A: 

Yes, you must escape it (or use prepared statements).

<?php
$obj = (object) array("--'--'" => "--'--");
var_dump(serialize($obj));

yields

string(44) "O:8:"stdClass":1:{s:6:"--'--'";s:5:"--'--";}"

As you can see, there's no escaping.

On a side note, you should use the mysqli extension for new code, not the mysql extension.

Artefacto
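To make the point of both answers concrete, here is an added example (not from the question or either answer) showing why escaping belongs on the serialized string that reaches MySQL, not on the object's fields, and how a mysqli prepared statement avoids the question altogether. It assumes a hypothetical `notes(payload)` table, uses addslashes() as a stand-in for mysql_real_escape_string() (which needs a live connection), and the connection values are placeholders.

```php
<?php
// Added example: serialize() performs no SQL escaping, so a quote inside a
// field survives unchanged into the serialized string.

class Note
{
    public $description;
}

$note = new Note();
$note->description = "this is my crazy string with lot's of bad // characters";

// 1. Wrong order: escaping the field and then serializing stores the escape
//    character as part of the data, so unserialize() returns "lot\'s".
//    addslashes() stands in for mysql_real_escape_string() here (assumption).
$escapedFirst = clone $note;
$escapedFirst->description = addslashes($escapedFirst->description);
$roundTrip = unserialize(serialize($escapedFirst));
// The backslash survives the round trip, so the value no longer matches.
$corrupted = ($roundTrip->description !== $note->description);

// 2. Right order: serialize first. The quote is still present in $data,
//    which shows serialize() did nothing to protect the SQL statement ...
$data = serialize($note);
$quoteStillThere = (strpos($data, "'") !== false);

// ... so $data, the string actually sent to MySQL, is what must be escaped,
//    or simply bound as a parameter so it is never parsed as SQL.
function storeNote(mysqli $db, string $serialized): bool
{
    $stmt = $db->prepare('INSERT INTO notes (payload) VALUES (?)'); // hypothetical table
    $stmt->bind_param('s', $serialized);
    return $stmt->execute();
}

// Reading the correctly stored string back restores the original value intact.
$restored = unserialize($data);
$intact = ($restored->description === $note->description);

var_dump($corrupted, $quoteStillThere, $intact);

// $db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
// storeNote($db, $data);
```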