Sanitizing when storing a serialized array

Date: 2011-11-23 07:15:39

Tags: php mysql serialization sanitization

If I store a serialized array in a MySQL database, should I sanitize before or after using the serialize function? Or do I even need to sanitize at all?

For example:

// Variant 1: escape each field first, then serialize the array
$details['name'] = mysql_real_escape_string($_POST['name']);
$details['email'] = mysql_real_escape_string($_POST['email']);
$details['phone'] = mysql_real_escape_string($_POST['phone']);

$serializedDetails = serialize($details);

// Do SQL query

Or:

// Variant 2: serialize the raw fields, then escape the whole serialized string
$details['name'] = $_POST['name'];
$details['email'] = $_POST['email'];
$details['phone'] = $_POST['phone'];

$serializedDetails = mysql_real_escape_string(serialize($details));

Or maybe, for the second one, I could just do:

$serializedDetails = serialize($details);

1 answer:

Answer 0 (score: 8)

Always use mysql_real_escape_string when dealing with strings that may contain quotes/slashes. If you don't, you will be hit by broken/malicious queries. The output of serialize() will sometimes contain quotes/slashes, so you should use it. However, there is no need to pre-escape each item of the array before serializing.

$details['name']  = $_POST['name'];
$details['email'] = $_POST['email'];
$details['phone'] = $_POST['phone'];

$serializedDetails = mysql_real_escape_string(serialize($details));

As an example: serializing "hello" gives you: s:5:"hello"

$data  = 's:5:"hello"';
$query = 'INSERT INTO tbl (data) VALUES ("' . $data . '")';

// leads to a syntax error from mysql, because the double quotes
// inside $data close the SQL string literal early
// (plus it's a huge security hole)
mysql_query($query);
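The answer's point, carried into a complete round trip as an added example (this is not code from the question or the answer). It assumes PHP 7 or later with PDO and the pdo_sqlite driver, and the table name `details_store` and the sample input are made up for the demo. Since the mysql_* extension was removed in PHP 7.0, the escaping step is replaced by a parameterised INSERT, which needs no escaping of the serialized blob at all; because mysql_real_escape_string() needs a live MySQL link, addslashes() stands in for it in the second part, which shows why escaping the fields before serialize() corrupts the stored data.

```php
<?php
// Added example, not from the original question or answer.
// Assumptions: PHP 7+/8 with PDO + pdo_sqlite; the table name
// `details_store` and the sample input are constructed for this demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE details_store (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

// Constructed input containing the characters that break naive queries:
// a single quote, double quotes and a backslash.
$details = [
    'name'  => "O'Brien \"The Hammer\"",
    'email' => 'obrien@example.com',
    'phone' => '+1 555\\0100',
];

function storeDetails(PDO $pdo, array $details): int
{
    // Serialize the *raw* values, then bind the whole string as a parameter.
    // The driver keeps data and SQL apart, so quotes/slashes in the
    // serialized blob cannot change the query.
    $stmt = $pdo->prepare('INSERT INTO details_store (data) VALUES (:data)');
    $stmt->execute([':data' => serialize($details)]);
    return (int) $pdo->lastInsertId();
}

function loadDetails(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT data FROM details_store WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $blob = $stmt->fetchColumn();
    if ($blob === false) {
        throw new RuntimeException("no row with id $id");
    }
    // allowed_classes => false: the column only ever holds a plain array,
    // so refuse to instantiate objects if someone tampers with the row.
    $decoded = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        throw new RuntimeException("stored data for id $id is not a serialized array");
    }
    return $decoded;
}

$id = storeDetails($pdo, $details);
$roundTrip = loadDetails($pdo, $id);
var_dump($roundTrip === $details);

// Why escaping each field *before* serialize() (variant 1 in the question)
// is wrong: the added backslashes become part of the stored value.
// addslashes() stands in for mysql_real_escape_string(), which needs a
// live MySQL link; both put a backslash before quotes and backslashes.
$preEscaped = array_map('addslashes', $details);
$corrupted  = unserialize(serialize($preEscaped), ['allowed_classes' => false]);
var_dump($corrupted['name']);
```

Run it with `php example.php`. The first var_dump reports that the array read back is identical to what was stored, quotes and backslash included; the second shows the name with the escaping backslashes embedded in it, which is the data corruption variant 1 would write to the table. The `allowed_classes => false` option matters because unserialize() will otherwise instantiate any class named in the blob, so anyone who can write to that column (SQL injection elsewhere, a compromised DB account) gets a PHP object-injection primitive on read.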