php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #47565 Extend serialize and unserialize with encryption key.
Submitted: 2009-03-04 21:23 UTC Modified: 2012-04-14 03:00 UTC
From: martin at itmission dot com Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 5.3.0beta1 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: martin at itmission dot com
New email:
PHP Version: OS:

 

 [2009-03-04 21:23 UTC] martin at itmission dot com 
Description:
------------
Request: Add simple encryption support to serialize and unserialize.

Rationale: It is useful to be able to serialize an object and hide it in a form variable on a web page.  This is vulnerable to tampering by the end user.

serialize(mixed $value[, string $key])
unserialize(string $str[, string $key])

This new definition won't break existing code and could be implemented using a TEA variant in a few lines.  It would be nice if objects didn't have to be persisted in $_SESSION, because some power users want to use multiple windows to work with different objects simultaneously (editing two "invoice" objects at the same time, but commiting only complete changes of each).

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-04-13 21:05 UTC] nikic@php.net
-Status: Open +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: nikic
 [2012-04-13 21:05 UTC] nikic@php.net 
serialize() and unserialize() are not really the right place to put encryption code into. Instead simply use the encryption functions provided by PHP. That way you can decide for yourself which kind of encryption you need.

For various encryption functions look at http://php.net/mcrypt and http://php.net/openssl.
 [2012-04-14 03:00 UTC] aharvey@php.net
-Status: Closed +Status: Wont fix -Assigned To: nikic +Assigned To:
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat May 04 14:01:32 2024 UTC