Do I need to escape my object data if I'm serializing for mysql injection?

i.e.:

<?php
// Note: "Object" is a reserved word as a class name since PHP 7.2; pick another name there.
class Object
{
   public $description;
}

$obj = new Object();
// Escape the field first, then serialize the whole object
$obj->description = mysql_real_escape_string("this is my crazy string with lot's of bad // characters");

$data = serialize($obj); // <-- $data will be stored in DB

or will this suffice:

<?php
class Object
{
   public $description;
}

$obj = new Object();
// Store the raw string; rely on serialize() alone
$obj->description = "this is my crazy string with lot's of bad // characters";

$data = serialize($obj); // <-- $data will be stored in DB
Comments

  • (score 1) FWIW, there should be no apostrophe in "lot's" so it's safe anyway. (just joking!) Commented Jun 30, 2010 at 23:32
  • @Bill lol. that's hilarious. I couldn't think of anything to write. So, you got me ;) Commented Jun 30, 2010 at 23:36

2 Answers

3

Yes, you must escape it (or use prepared statements).

<?php
// Property name and value both contain quotes; serialize() copies them verbatim
$obj = (object) array("--'--'" => "--'--");
var_dump(serialize($obj));

yields

string(44) "O:8:"stdClass":1:{s:6:"--'--'";s:5:"--'--";}"

As you can see, there's no escaping.

On a side note, you should use the mysqli extension for new code, not the mysql extension.


2

Run mysql_real_escape_string() after you've serialized. That's the string you are going to put in the database after all.

1 Comment

Always run mysql_real_escape_string on input, or better yet, use prepared statements. The more of a habit you make it, the better.
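Both answers land on the same advice: serialize first, then either escape the serialized string or, better, bind it as a prepared-statement parameter. The script below is an added example, not code from the question or either answer. It assumes PHP with PDO and the pdo_sqlite driver, and uses an in-memory SQLite table in place of MySQL so it runs offline; the prepared-statement pattern is identical with mysqli or PDO_MySQL. The class is named Item rather than Object because "Object" is a reserved class name since PHP 7.2. The second half shows why escaping before serialize() is the wrong order: the escaped bytes become part of the payload (and its s:N length prefix), so they come back out of unserialize(). addslashes() stands in there only because mysql_real_escape_string() needs a live connection.

```php
<?php
// Added example (not from the question or answers). Assumes PHP with PDO + pdo_sqlite;
// an in-memory SQLite DB stands in for MySQL so the script runs offline. The same
// prepared-statement pattern applies to mysqli / PDO_MySQL.

class Item
{
    public $description;
}

// Store a serialized object through a bound parameter: the driver handles quoting,
// so the serialized payload is stored byte-for-byte, quotes and backslashes included.
function storeItem(PDO $db, Item $item): int
{
    $stmt = $db->prepare('INSERT INTO items (payload) VALUES (:payload)');
    $stmt->execute([':payload' => serialize($item)]);
    return (int) $db->lastInsertId();
}

function loadItem(PDO $db, int $id): Item
{
    $stmt = $db->prepare('SELECT payload FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $payload = $stmt->fetchColumn();
    if ($payload === false) {
        throw new RuntimeException("No item with id $id");
    }
    // Restrict which classes unserialize() may instantiate (PHP >= 7.0).
    $item = unserialize($payload, ['allowed_classes' => [Item::class]]);
    if (!$item instanceof Item) {
        throw new RuntimeException('Stored payload did not decode to an Item');
    }
    return $item;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY AUTOINCREMENT, payload TEXT NOT NULL)');

// Constructed sample input, matching the string from the question.
$item = new Item();
$item->description = "this is my crazy string with lot's of bad // characters";

$id = storeItem($db, $item);
$copy = loadItem($db, $id);
var_dump($copy->description === $item->description); // bool(true): exact round trip

// Why escaping *before* serialize() is wrong: the escaped text becomes part of the
// payload and its length prefix, so it is what unserialize() hands back later.
// addslashes() is used only as a stand-in for a connection-bound escaper.
$escapedFirst = new Item();
$escapedFirst->description = addslashes($item->description);
$roundTripped = unserialize(serialize($escapedFirst), ['allowed_classes' => [Item::class]]);
var_dump($roundTripped->description === $item->description); // bool(false): the added backslash is kept
```

Binding the payload as a parameter removes the escaping question entirely: the serialized string never touches the SQL text. The allowed_classes option on unserialize() is a separate precaution, limiting what a tampered payload column could instantiate.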
