
I have problems with PDO in OOP and its serializable security.

I want to save my session of the object but I get:

Fatal error: Uncaught PDOException: You cannot serialize or unserialize PDO

The problem is that if I serialize it outside of the object, I am exposed to object injection attacks.

I'm thinking, as soon as the "new" object is called, save a session inside it (and retrieve it) and destroy it (when the session ends) every "n" minutes.

Without having to call

$object = new ExampleObject();
$_SESSION['serialize'] = serialize($object);                  // security issues
$object = unserialize($_SESSION['serialize']);               // security issues

Let the ExampleObject automatically create the session. Is there any way to do it? If possible, could you show a basic example?

Note: I am trying to protect an object that is a PDO connection to MySQL.

drakgoku
    What are you trying to protect? And if it needs protection why are you trying to store it in a session variable? – Jay Blanchard Aug 18 '20 at 15:29
  • I am creating a session of an object, but I need the object to create the session for me, without having to call it outside of the object itself, as I say. The object is a PDO connection to mysql. – drakgoku Aug 18 '20 at 15:31
  • You cannot serialize a connection, nor should you want to. A PDO connection is a resource, not an object. – Jay Blanchard Aug 18 '20 at 15:32
  • PDO connections don't persist between script executions, you need to reconnect each time. – Barmar Aug 18 '20 at 15:32
  • In a multiplayer application, having many requests and connecting each time will cause the DB to explode in a matter of seconds. – drakgoku Aug 18 '20 at 15:34
  • Then you may need to rethink your design that starts a new PHP script invocation each time. Consider using a persistent server that communicates with clients using WebSockets. – Barmar Aug 18 '20 at 15:36
  • You do realize that some of the largest web sites on the planet have scripts that connect to the database thousands of times/second? You're trying to solve a problem that you likely will not run afoul of. – Jay Blanchard Aug 18 '20 at 15:38
  • I was thinking of doing it by Java webservices -> php. But if you tell me websockets ... totally change my layout. I'm doubting, I don't know if websockets is going to be more reliable than javawebservices ... both in speed, functions, typing, functionality, persistence ... – drakgoku Aug 18 '20 at 15:40
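The following is an added example, not code from the question or any of the commenters, showing the pattern the comments point towards: the PDO handle is never placed in the session at all. The wrapper opens its connection lazily on first use within each request, keeps only plain data (here a user id) when serialized, and restores itself with a restricted `unserialize()` call so a tampered session string cannot instantiate arbitrary classes. It assumes PHP 7.4+ (for `__serialize`/`__unserialize`), a `users` table, and hypothetical `DB_DSN`, `DB_USER` and `DB_PASS` environment variables.

```php
<?php
// Added example; class, table and environment variable names are assumptions.
declare(strict_types=1);

final class ExampleObject
{
    private ?PDO $pdo = null;   // runtime-only; never serialized
    private int $userId;

    public function __construct(int $userId)
    {
        $this->userId = $userId;
    }

    // Open the connection on first use in each request. PHP cannot carry a PDO
    // handle across requests, so the object reconnects instead of storing it.
    private function connection(): PDO
    {
        if ($this->pdo === null) {
            $this->pdo = new PDO(
                getenv('DB_DSN') ?: 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', // assumed
                getenv('DB_USER') ?: 'app',                                            // assumed
                getenv('DB_PASS') ?: '',                                               // assumed
                [
                    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                    PDO::ATTR_EMULATE_PREPARES => false,
                    // Reuse the underlying MySQL connection between requests so the
                    // per-request cost is a pool lookup, not a new TCP/TLS handshake.
                    PDO::ATTR_PERSISTENT       => true,
                ]
            );
        }
        return $this->pdo;
    }

    public function fetchName(): ?string
    {
        $stmt = $this->connection()->prepare('SELECT name FROM users WHERE id = :id');
        $stmt->execute([':id' => $this->userId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : (string) $row['name'];
    }

    // Only plain data is written out; the PDO handle is dropped here, which is
    // what prevents "You cannot serialize or unserialize PDO".
    public function __serialize(): array
    {
        return ['userId' => $this->userId];
    }

    public function __unserialize(array $data): void
    {
        $this->userId = (int) ($data['userId'] ?? 0);
        $this->pdo    = null;   // reconnect lazily on next use
    }
}

function saveToSession(ExampleObject $obj): void
{
    $_SESSION['example'] = serialize($obj);
}

// allowed_classes limits which classes unserialize() may instantiate, so a
// modified session string cannot become an arbitrary object (object injection).
function loadFromSession(): ?ExampleObject
{
    if (!isset($_SESSION['example']) || !is_string($_SESSION['example'])) {
        return null;
    }
    $obj = unserialize($_SESSION['example'], ['allowed_classes' => [ExampleObject::class]]);
    return $obj instanceof ExampleObject ? $obj : null;
}

session_start();
$obj = loadFromSession() ?? new ExampleObject(42);   // 42 is a constructed sample id
echo $obj->fetchName() ?? '(no such user)', PHP_EOL;
saveToSession($obj);
```

Two points worth noting about the design. Session data lives server-side, so the `allowed_classes` restriction defends against tampering with the session store rather than against ordinary request input; the same option is still the first line of defence whenever `unserialize()` is applied to anything a client can influence. `PDO::ATTR_PERSISTENT` answers the "connect each time" concern from the comments, but a persistent connection keeps server-side state (open transactions, temporary tables, session variables) between requests, so every request should leave the connection clean before it finishes.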

0 Answers