Is it totally safe to insert an array serialized with serialize() into the db, or should I do addslashes(serialize($array)) first? Or can there be some MySQL-specific characters? Can I delete data or whatever with an insert?
2 Answers
4
No, it is not safe at all. And you should never use addslashes but mysql_real_escape_string instead. Or even better, use PDO with prepared statements instead of escaping.

ThiefMaster
- **DO NOT USE `addslashes()`!** Use `mysql_real_escape_string()` to escape your data for a MySQL database. Always. – ThiefMaster May 08 '12 at 10:50
- ..unless you're using data-binding, or writing the data to something which is not mysql. Addslashes is always the wrong answer, mysql_real_escape_string() is not always the right one. – symcbean May 08 '12 at 12:01
- The question is tagged with [tag:mysql], so in this case it is the correct answer. – ThiefMaster May 08 '12 at 12:03
- You don't have to. You escape characters which would otherwise have a special meaning in the query. So the data which is actually stored does not contain the escape characters. – ThiefMaster May 08 '12 at 22:14
4
It's totally ***un***safe to insert the serialized data in the database without database-specific processing.
You should use whatever mechanism is recommended for preventing SQL injections with your chosen database access layer; making the queries safe against injections includes properly escaping the data as well, so you'll hit two birds with one stone.
See How can I prevent SQL injection in PHP? for specific examples.
- @Eugeny89: **Do not do that!** `addslashes` is not a good solution, as it will only work *most* of the time. Please take the time to read the question I linked to. – Jon May 08 '12 at 10:50
- Note that I'm serializing an array. How can I unescape after `mysql_real_escape_string`? – Eugeny89 May 09 '12 at 06:16
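The approach both answers point to (prepared statements instead of escaping), shown as an added example that is not part of the question or either answer: a serialized array containing quotes and backslashes is stored with PDO and read back unchanged, so nothing has to be "unescaped" before `unserialize()`. It assumes an in-memory SQLite database so it runs without a MySQL server; for MySQL only the DSN and credentials passed to `PDO` change.

```php
<?php
// Added example (not from the question or answers): store a serialized PHP
// array with a PDO prepared statement, then read it back and unserialize it.
// Assumption: an in-memory SQLite database is used so this runs without a
// MySQL server; for MySQL only the DSN/credentials passed to PDO change.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE settings (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

// Constructed sample: the values contain the characters that make naive
// quoting fail (single quote, double quote, backslash, semicolon).
$array = ['name' => "O'Brien", 'path' => 'C:\\tmp', 'note' => 'a;"b"'];
$blob  = serialize($array);

// 1. Unsafe: pasting the serialized string into the SQL text. The embedded
//    single quote terminates the literal early; here that surfaces as a
//    syntax error, with other input it would alter the statement instead.
try {
    $pdo->exec("INSERT INTO settings (data) VALUES ('$blob')");
    echo "unexpected: unsafe insert succeeded\n";
} catch (PDOException $e) {
    echo "unsafe insert rejected: " . $e->getMessage() . "\n";
}

// 2. Safe: a prepared statement sends the value separately from the SQL, so
//    no character in it can change the statement and nothing is escaped by
//    hand (addslashes would only corrupt the stored bytes).
$stmt = $pdo->prepare('INSERT INTO settings (data) VALUES (:data)');
$stmt->execute([':data' => $blob]);
$id = (int) $pdo->lastInsertId();

// 3. Read back: the stored bytes equal the original serialized string, so
//    there is nothing to "unescape" before unserialize().
$stmt = $pdo->prepare('SELECT data FROM settings WHERE id = :id');
$stmt->execute([':id' => $id]);
$stored = $stmt->fetchColumn();
echo ($stored === $blob) ? "stored bytes identical\n" : "stored bytes differ\n";

// allowed_classes => false keeps unserialize() from instantiating objects
// from data that may have been tampered with in the database (PHP >= 7.0).
$restored = unserialize($stored, ['allowed_classes' => false]);
echo ($restored === $array) ? "array round-trips\n" : "array differs\n";
```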