Is serializing data dangerous with PDO?


Problem description

I have 8 input fields of type text, named favour_01 and so on.

I make those 8 inputs into an array and serialize it.

I use PDO to save it into the DB.

Then I unserialize it for output.

    $favours[] = 'apple';
    $favours[] = 'banana';

    // the array is serialized to a single string before it is stored
    $favours = serialize($favours);

    // the SQL passed to prepare() is elided in the original post
    $food = $pdo->prepare(...);
    $food->bindValue(':favours', $favours, PDO::PARAM_STR);

Is this secure? I have read that serialized input is vulnerable.

I didn't use any class for this. Here is one post I have read: https://www.owasp.org/index.php/PHP_Object_Injection

Recommended answer

Serializing data is only a security risk when the data you serialize contains sensitive information. The risk is that you serialize data that contains passwords, for example, and then store the serialized form somewhere insecure.

Unserializing data is a security risk if you try to unserialize data that you got from an untrusted source. The unserialization process can instantiate objects, and the data input may therefore do things you don't anticipate.

What you're doing, serializing a simple array of values to bind it to a SQL parameter, is okay from a security point of view, but keep in mind that you won't be able to search the database efficiently for specific values within that serialized array. Basically your database becomes a black box: you can stuff a whole array into it and fetch the whole array out to unserialize it, but you can't easily read or write individual elements of the array with SQL.

It's better practice to create a child table and store one element per row in that table.
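The following is an added example, not code from the question or the answer above. It shows both points of the answer side by side: the serialized-column approach with unserialize() hardened so that no object can be instantiated from the stored blob, and the recommended child table where each element is its own row and can be queried with plain SQL. It uses an in-memory SQLite database so it runs offline; the table and column names (profile, profile_favour, position) and the hostile blob are assumptions made for the example.

```php
<?php
// Added example, not from the original post. Table/column names are assumed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// --- 1. The asker's approach: the whole array goes into one column. ---
$pdo->exec('CREATE TABLE profile (id INTEGER PRIMARY KEY, favours TEXT NOT NULL)');

$favours = ['apple', 'banana'];
$ins = $pdo->prepare('INSERT INTO profile (favours) VALUES (:favours)');
$ins->bindValue(':favours', serialize($favours), PDO::PARAM_STR);
$ins->execute();
$profileId = (int) $pdo->lastInsertId();

// Reading it back. The column is only as trustworthy as every code path that
// can write to it, so pass allowed_classes => false (PHP 7.0+): a payload
// such as O:8:"SomeClass":... then becomes a __PHP_Incomplete_Class instead of
// a live object whose __wakeup()/__destruct() would run.
$sel = $pdo->prepare('SELECT favours FROM profile WHERE id = :id');
$sel->execute([':id' => $profileId]);
$back = unserialize($sel->fetchColumn(), ['allowed_classes' => false]);
var_dump($back === $favours);

// Constructed hostile blob: a serialized object rather than a plain array.
$hostile = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';
$obj = unserialize($hostile, ['allowed_classes' => false]);
var_dump(get_class($obj));        // no object of the named class is created

// With the array in one blob, "who likes banana?" can only be answered by
// scanning every row with LIKE on the serialized text; no index can help.

// --- 2. The answer's recommendation: one element per row in a child table. ---
$pdo->exec('CREATE TABLE profile_favour (
    profile_id INTEGER NOT NULL REFERENCES profile(id),
    position   INTEGER NOT NULL,
    favour     TEXT    NOT NULL,
    PRIMARY KEY (profile_id, position))');
$pdo->exec('CREATE INDEX profile_favour_favour ON profile_favour (favour)');

$insRow = $pdo->prepare(
    'INSERT INTO profile_favour (profile_id, position, favour) VALUES (:pid, :pos, :favour)'
);
foreach ($favours as $pos => $favour) {
    // one prepared statement, executed once per element; values stay bound, never concatenated
    $insRow->execute([':pid' => $profileId, ':pos' => $pos, ':favour' => $favour]);
}

// Individual elements are now addressable with SQL and no unserialize() at all.
$who = $pdo->prepare('SELECT profile_id FROM profile_favour WHERE favour = :favour');
$who->execute([':favour' => 'banana']);
var_dump((int) $who->fetchColumn() === $profileId);

// Reassembling the array preserves the original order via the position column.
$list = $pdo->prepare(
    'SELECT favour FROM profile_favour WHERE profile_id = :pid ORDER BY position'
);
$list->execute([':pid' => $profileId]);
var_dump($list->fetchAll(PDO::FETCH_COLUMN) === $favours);
```

If the stored structure really is just a list of strings, json_encode()/json_decode() is a further option for the single-column variant: the JSON decoder never instantiates application classes, so the object-injection concern does not arise at all, and the blob remains readable from other languages.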
