As you might have heard about the unserialization exploit, PHP 7 has overcome this issue, but since it hasn't yet been released, I was looking for an alternate way to implement the same in unserialization.
Can someone please help me with the same?
The safest way is to use json_encode() when saving and json_decode() when loading.
If you're planning to trust the end user with a serialized blob, however, I'd also recommend looking into authenticated secret-key encryption. Libsodium is great; defuse/php-encryption is probably the easiest solution (we contribute significantly to it). I don't recommend a non-expert write their own OpenSSL wrapper, but if you think you can do better than Defuse Security or Paragon Initiative Enterprises, feel free.
So is there no way we can implement PHP 7's way to handle the unserialize exploit?
Nothing is impossible. Create a function (e.g. safe_unserialize()) with identical behavior and presto, you have a safe unserialize().
I would recommend just waiting until PHP 7 is released. It won't be long now.
Yes, that was my question: how do I implement the *identical behavior*?
Basically, reverse engineer the new feature by parsing the string manually. I didn't say it would be a cakewalk.
I am trying to use the `unserialize` function with the second param that was introduced in PHP 7 (http://www.php.net/manual/en/function.unserialize.php).
However, it looks like PHP generates an error saying the second param should be an array and not a bool value: https://3v4l.org/9PhpO
Does anyone have any idea why this behaviour occurs?
I think (have never used it) you need to do:
unserialize($foo, ['allowed_classes' => true]);
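An added example (not code from this thread) putting the two answers side by side: the PHP 7 `allowed_classes` option, which must be an array, and a fail-closed helper for older PHP that refuses blobs carrying object tokens. The `Invoice` class and the `safe_unserialize` function name are hypothetical.

```php
<?php
// Added example, not from the thread. Shows the PHP 7 allowed_classes option
// (an array, never a bare bool) and a fail-closed fallback for PHP < 7.

class Invoice { public $total = 0; }          // hypothetical application class

// PHP >= 7.0: allow no class at all. Objects in the blob come back as
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() of an
// attacker-chosen class is ever invoked.
function loadWithoutObjects($blob) {
    return unserialize($blob, ['allowed_classes' => false]);
}

// PHP >= 7.0: allow exactly the class we expect; anything else is stubbed out.
function loadInvoice($blob) {
    return unserialize($blob, ['allowed_classes' => [Invoice::class]]);
}

// PHP < 7 fallback (hypothetical name): reject any blob containing an object
// token (O:<len>:" or C:<len>:") before unserialize() sees it. This fails
// closed: a benign string whose *data* happens to contain 'O:3:"' is also
// rejected, which is the safe side to err on.
function safe_unserialize($blob) {
    if (preg_match('/[OC]:\d+:"/', $blob)) {
        throw new UnexpectedValueException('serialized object rejected');
    }
    return unserialize($blob);
}

// Constructed inputs.
$plain  = serialize(['id' => 42, 'tags' => ['a', 'b']]);
$object = serialize(new Invoice());

echo 'plain id: ',        loadWithoutObjects($plain)['id'], PHP_EOL;
echo 'object becomes: ',  get_class(loadWithoutObjects($object)), PHP_EOL;
echo 'whitelisted ok: ',  var_export(loadInvoice($object) instanceof Invoice, true), PHP_EOL;

try {
    safe_unserialize($object);
} catch (UnexpectedValueException $e) {
    echo 'fallback: ', $e->getMessage(), PHP_EOL;
}
echo 'fallback plain tag: ', safe_unserialize($plain)['tags'][1], PHP_EOL;
```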