
I'm facing an odd problem....

$string is user input

$log = serialize(array('string' => $string));

example: "test" would be

"string";s:4:"test";

However, problems arise when the user submits quotes and some other characters like ";". Of course I escape the string first, but the serialized data cannot be unserialized.

htmlentities() before submitting to the DB wouldn't work either, since ";" messes up the data...

Any suggestions?

Please don't tell me to create db fields and not use serialize()

Josh
domino
    Erm: "problems arise when the user submits quotes and some other characters like ; " => no they don't, try it. – Wrikken Jan 29 '12 at 02:04
  • "Sanitizing" for a database depends ENTIRELY on whatever database and database interface library you're using. E.g. suggesting to use mysql_real_escape_string() would be pointless if you're using Postgres, and would also be entirely redundant if you're using PDO. As well, using htmlentities for DB sanitization is the equivalent of using gasoline for putting out a fire. – Marc B Jan 29 '12 at 02:27

2 Answers

I am not sure if this is the best practice, but a quick hack would be using base64_encode (http://php.net/manual/en/function.base64-encode.php) and base64_decode (http://www.php.net/manual/en/function.base64-decode.php) to encrypt the data when sending it to the DB and then decrypting it when you retrieve it. Now, if you think there might be security issues with encrypting using base64, here is a link to do it in a better way: Best way to use PHP to encrypt and decrypt passwords?

Ahoura Ghotbi
  • Excellent idea, thank you. I don't see what security issues there could be, as it's not sensitive data being transferred. encode - escape - db - decode - htmlentities. – domino Jan 29 '12 at 12:44
  • Base64 is encoding, not encryption. Anyone can decode Base64 using terminals, programming languages, online tools... – Sumak Oct 26 '21 at 07:41

You need to escape user input before inserting it to the database not only because it can break your application but because it is a serious security vulnerability if you don't do so.

Please read this article: http://phpsec.org/projects/guide/3.html#3.2

I strongly suggest using PDO with prepared statements in your application, or implementing an abstraction over escaping and using it always in your application (for example with mysqli_real_escape_string).

gphilip
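Editor's worked example, not code from the question or from either answer. It puts Wrikken's comment and gphilip's answer together in runnable form: serialize() is length-prefixed, so quotes, semicolons and braces in user input survive the serialize/unserialize round trip without any escaping, and a PDO prepared statement keeps the payload out of the SQL text on the way to the database. It assumes PHP 7.0 or later with the pdo_sqlite extension and uses an in-memory SQLite database as a stand-in for whatever RDBMS the asker has; the table name, the helper functions and the sample inputs are all constructed for this demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Assumes PHP >= 7.0 with
// pdo_sqlite; the "logs" table and the inputs below are constructed for
// the demo.

function storeLog(PDO $db, string $userInput): int
{
    // serialize() writes a byte count before every string, so quotes,
    // semicolons, braces and newlines inside $userInput are stored verbatim.
    // No escaping is needed at this layer.
    $payload = serialize(['string' => $userInput]);

    // Bound parameters travel separately from the SQL text, so the driver,
    // not hand-rolled escaping, keeps the statement and the data apart.
    $stmt = $db->prepare('INSERT INTO logs (payload) VALUES (:payload)');
    $stmt->bindValue(':payload', $payload, PDO::PARAM_STR);
    $stmt->execute();

    return (int) $db->lastInsertId();
}

function loadLog(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT payload FROM logs WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $payload = $stmt->fetchColumn();
    if ($payload === false) {
        return null;
    }

    // Only unserialize() strings this application produced itself, and
    // refuse to instantiate objects: a tampered row then cannot reach
    // __wakeup()/__destruct() on arbitrary classes. The allowed_classes
    // option exists since PHP 7.0.
    $data = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['string']) || !is_string($data['string'])) {
        throw new RuntimeException("Row $id does not contain a valid log entry");
    }
    return $data['string'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE logs (id INTEGER PRIMARY KEY AUTOINCREMENT, payload TEXT NOT NULL)');

// Constructed inputs covering the characters the question worries about,
// plus one that looks like serialized data and one classic injection string.
$samples = [
    'test',
    'he said "hi"; then left',
    "it's a 'quoted' string",
    'a:1:{s:6:"string";s:4:"fake";}',
    "braces } and a\nnewline",
    "'; DROP TABLE logs; --",
];

foreach ($samples as $input) {
    $id   = storeLog($db, $input);
    $back = loadLog($db, $id);
    printf("%d: %s\n", $id, $back === $input ? 'round-trip OK' : 'MISMATCH');
}

// HTML escaping belongs at render time, not before storage: store the raw
// string, escape it when you print it.
echo htmlspecialchars($samples[1], ENT_QUOTES, 'UTF-8'), "\n";
```

Every sample prints "round-trip OK" because nothing between serialize() and unserialize() rewrites the bytes. The asker's failures come from escaping the string after serializing it (or escaping it and then serializing, and comparing lengths that no longer match); with a prepared statement there is no escaping step to get wrong.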