Sanitizing when storing serialized array


Question

If I am storing a serialized array to a mysql database should I sanitize before or after using the serialize function. Or do I even need to sanitize at all?

For example:

$details['name'] = mysql_real_escape_string($_POST['name']);
$details['email'] = mysql_real_escape_string($_POST['email']);
$details['phone'] = mysql_real_escape_string($_POST['phone']);

$serializedDetails = serialize($details);

// Do SQL query

$details['name'] = $_POST['name'];
$details['email'] = $_POST['email'];
$details['phone'] = $_POST['phone'];

$serializedDetails = mysql_real_escape_string(serialize($details));

Or perhaps on the second I can simply do:

$serializedDetails = serialize($details);

Answer

Always use mysql_real_escape_string when dealing with strings that might have quotation marks / slashes. If you don't, you'll get broken / malicious queries. The output of serialize() sometimes has quotation marks / slashes, so you should use it. There's no need to serialize each item of the array beforehand though.

$details['name']  = $_POST['name'];
$details['email'] = $_POST['email'];
$details['phone'] = $_POST['phone'];

$serializedDetails = mysql_real_escape_string(serialize($details));

Just as an example: serializing "hello" will give you: s:5:"hello".

$data  = 's:5:"hello"';
$query = 'INSERT INTO tbl (data) VALUES ("' . $data . '")';

// leads to a syntax error from mysql
// (plus it's a huge security hole)
mysql_query($query);
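The following is an added example, not code from the question or the answer above. It shows why the order matters: escaping each item and then serializing bakes the escape backslashes into the stored data (serialize() records the byte length of whatever it is given), whereas serializing the raw values and quoting the whole string once at the database boundary round-trips intact. Because the mysql_* extension was removed in PHP 7, addslashes() stands in for mysql_real_escape_string() to reproduce the per-item escaping, and the whole-string quoting is done by binding a parameter with PDO. The database is an in-memory SQLite instance so the script runs offline; the DSN, the table name `tbl` and the input values are constructed for the example, and only the DSN would change for MySQL.

```php
<?php
// Added example (not from the original question or answer). Assumes the pdo_sqlite
// extension; for MySQL only the DSN changes (e.g. "mysql:host=...;dbname=...").
// addslashes() stands in for mysql_real_escape_string(), which no longer exists.

// Constructed input standing in for $_POST; the apostrophe is the interesting byte.
$input = ['name' => "O'Brien", 'email' => 'ob@example.com', 'phone' => '555-0100'];

// Wrong order: escape each item, then serialize. serialize() stores the escaped
// value and its byte length, so the backslash becomes part of the data itself.
$escapedFirst = serialize(array_map('addslashes', $input));

// Right order: serialize the raw values and let the driver quote the whole
// string exactly once, here via a bound parameter rather than manual escaping.
$serialized = serialize($input);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

// One prepared statement, both variants stored, so the difference is visible on read.
$stmt = $pdo->prepare('INSERT INTO tbl (data) VALUES (:data)');
$stmt->execute([':data' => $escapedFirst]);
$stmt->execute([':data' => $serialized]);

// Read both rows back. allowed_classes => false (PHP 7+) makes unserialize()
// refuse to instantiate objects, so stored data can only yield scalars and arrays.
foreach ($pdo->query('SELECT id, data FROM tbl ORDER BY id') as $row) {
    $details = unserialize($row['data'], ['allowed_classes' => false]);
    // Row 1 comes back with a literal backslash in the name; row 2 is unchanged.
    printf("row %d: name=%s\n", $row['id'], $details['name']);
}

// The concatenated query from the answer, built as a string only and never run:
// the double quotes inside the serialized value terminate the SQL literal early,
// which is the syntax error and the injection hole the answer refers to.
$broken = 'INSERT INTO tbl (data) VALUES ("' . $serialized . '")';
echo $broken, "\n";
```

With the legacy mysql_ extension the equivalent of the bound parameter is exactly the answer's `mysql_real_escape_string(serialize($details))`: one escape, applied to the complete serialized string, immediately before it is placed in the query.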
