Stanislav Malyshev:
unserialize() and being practical
Nov 04, 2014 @ 10:49:40

Stanislav Malyshev has a new post to his site talking about his proposal for a filtered unserialize change and why he sees it as a practical next step.

I have recently revived my “filtered unserialize()” RFC and I plan to put it to vote today. Before I do that, I’d like to outline the arguments on why I think it is a good thing and put it in a somewhat larger context. It is known that using unserialize() on outside data can lead to trouble unless you are very careful. Which in projects large enough usually means “always”, since practically you rarely can predict all interactions amongst a million lines of code. So, what can we do?

He touches on three points that make it hard to simply avoid calling unserialize() on external data, including the fact that there is no other way to work with serialized data in PHP. He suggests that adding filtering to the language's unserialize() handling can protect against the issues that come with unserializing external data.

Is this a security measure? [...] Yes, it does not provide perfect security, and yes, you should not rely only on that for security. Security, much like ogres and onions, has layers. So this is trying to provide one more layer – in case that is what you need.
tagged: unserialize rfc filter practical security reasons

Link: https://php100.wordpress.com/2014/11/03/unserialize-and-being-practical/

Josh Adell:
Serializing Data Like a PHP Session
May 02, 2013 @ 09:11:33

In this new post, Josh Adell looks at working with PHP sessions and at how you can manually encode data so that it looks as if it came from the normal session handling.

If you have ever popped open a PHP session file, or stored session data in a database, you may have noticed that this serialization looks very similar to the serialize function's output, but it is not the same. Recently, I needed to serialize data so that it looked like PHP session data (don't ask why; I highly suggest not doing this if it can be avoided.) It turns out, PHP has a function that encodes data in this format: session_encode.

Unfortunately, session_encode() takes no arguments; it simply outputs the encoded form of the current session data. So he wrote his own encode/decode methods, which use the PHP session itself, extract the serialized string from it and return that string.

tagged: serialize data session string unserialize

Link: http://blog.everymansoftware.com/2013/05/serializing-data-like-php-session.html

Pavel Shevaev's Blog:
A reliable way to serialize/unserialize objects in PHP
Dec 11, 2007 @ 12:09:00

Pavel Shevaev has posted what he calls a reliable way to serialize and unserialize objects in your applications:

An experienced PHP developer might be wondering why post this topic in a blog if PHP already has universal and almost transparent tools for this job [...] The key statement here is "almost transparent", which means you have to include all class definitions before invoking unserialize or use some __autoload schema.

The whole problem is due to the fact that a serialized object has no idea about its class definition except the class name (the reason behind that is absolutely valid). [...] That's why I decided to hack up, hopefully, a more universal solution to this problem.

His method wraps objects in a "serialization container" that automatically includes everything needed before the data gets serialized. His code for the method is included, along with some examples of its use.

tagged: serialize unserialize object container method

Link:

Make Me Pulse Blog:
Serialize and Unserialize SimpleXML in php
Sep 28, 2007 @ 09:30:00

From the "Make Me Pulse" blog (of Nicolas Rajabaly & Antoine Ughetto) there's a quick example of how to use serialized values with SimpleXML:

Serialize is useful for storing or passing PHP values around without losing type and structure. But if you want to serialize a SimpleXml object, you will have some problems on unserialize, with an error. [...] Replacing SimpleXMLObject with stdClass is a good idea, but in this solution we lose all of the attributes, and how can we make simplexml->xpath after?

The solution? Output the content of the SimpleXML object as an XML string and serialize that string for storage. The process is reversed when the data is needed back out.

tagged: serialize unserialize simplexml object xml store

Link:

Hardened-PHP Project:
Advisory - PHP unserialize() Array Creation Integer Overflow
Oct 09, 2006 @ 13:41:22

The Hardened-PHP project has just released another advisory about core PHP functionality, this time concerning the unserialize() function when it deals with arrays.

The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside ecalloc() that is present in the PHP 4 branch and also for several years part of our Hardening-Patch and our new Suhosin-Patch.

It was discovered that such an integer overflow can be triggered when user input is passed to the unserialize() function.

The advisory gives the full details, including a recommendation to patch the installation until the issue is corrected in the current distribution.

tagged: advisory unserialize core array creation integer overflow

Link:

Lukas Smith's Blog:
To serialize or to not serialize?
Jun 12, 2006 @ 06:01:46

In his latest post, Lukas Smith talks about serializing data, some of its pros and cons, and his experiences with it in the development of his own framework.

In my own framework I have decided that there is plenty of structured data that I will never query on that I will just stick into the database as a serialized array. Now the other day I modified the auto type handling in MDB2's quote() method to automatically serialize arrays if no type is explicitly passed to the quote() method.

I sent out a question to pear-dev@ and it was not unanimously well received. So I sat down and pondered a more elegant approach. Actually there is already one approach implemented in MDB2 since ages.

This implementation uses a separate module that abuses PHP5's overloading functionality to integrate easily. He also looked into another solution, however: creating a "datatype map" to drive the custom automatic serialization of datatypes (rather than depending only on the variable type, as before). Be sure to check out the comments for more thoughts on the subject, including validation of the custom datatypes.

tagged: serialize unserialize custom datatypes overloading module mdb2

Link:
