What is PHP object injection?

I was taking a look at OWASP's articles on security and would like to understand what PHP Object Injection is. My English is not very good, so in my search I found that topic on the Brazilian Stack Overflow. But even then it wasn't clear to me how a user could inject PHP code into my projects; I didn't know that using unserialize and serialize on data the user sends is not a good idea.

My project is in the following situation: the user selects some fields and sends them. I validate whether each one is in fact a URL (because this will be serialized) and, after validation, convert it to Base64 to insert into the database.

Thus:

foreach ($Screen as $key => $value) {
    if (filter_var($value, FILTER_VALIDATE_URL)) {
        // store only values that parse as a URL; stringMysql() is the app's own escaping helper
        $Options["screen_".($key+1)] = stringMysql($value);
    } else {
        $Erro = "Url inválida!"; // "Invalid URL!"
        break;
    }
}

The stringMysql function escapes the characters before inserting them into the database. I then unserialize them on a page to display the URLs.

Is my project vulnerable?

  • Dude, to keep it simple and have security, use PDO.

  • Can you explain to me how this Object Injection works? The issue of sanitizing MySQL values is all right; all queries are sanitized. I know having a prepared query is right, but I'm not unsure about that.
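Added illustration (not part of the original question or its comments): the direction that matters for PHP object injection is unserialize(), not serialize(). serialize() of a validated URL just produces a string; the danger is any call to unserialize() whose input bytes an attacker can choose, because the serialized format names the class to instantiate, PHP will happily create an object of any loaded class, and magic methods such as __destruct() or __wakeup() on that class run without the application ever calling them (a "gadget"). The base64 layer changes nothing, since base64_decode() happens before unserialize(). In a design like the one above, the question to ask is whether the stored serialized string could ever be written or replaced by someone other than the server code (for example through another injection, a compromised database, or a client round trip); if it cannot, unserialize() is not receiving user-controlled data. The class name, file path and payload below are hypothetical and exist only to show the mechanism and two hardened alternatives.

```php
<?php
// Added example, not code from the original post. The LogWriter class, the
// /tmp paths and the payload strings are hypothetical.
declare(strict_types=1);

// A harmless-looking class that happens to exist in the application. Its
// __destruct() writes a file whose path and contents are object properties,
// which makes it a "gadget" for an attacker who controls what unserialize() sees.
class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $data = '';

    public function __destruct()
    {
        // Runs automatically when the object is discarded, no method call needed.
        file_put_contents($this->path, $this->data);
    }
}

// What the application meant to store: an array of validated URLs.
$urls   = ['https://example.com/a', 'https://example.com/b'];
$stored = base64_encode(serialize($urls));

// What an attacker submits instead, if they can choose the bytes that reach
// unserialize(): a hand-crafted serialized LogWriter. It is built as a plain
// string here on purpose, so this script never instantiates the gadget itself.
$path = '/tmp/pwned.php';                 // hypothetical target path
$data = '<?php echo "injected"; ?>';      // hypothetical payload
$attack = base64_encode(sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($path), $path, strlen($data), $data
));

// VULNERABLE: trusts the bytes completely; any class may be instantiated.
function loadUrlsVulnerable(string $b64): mixed
{
    return unserialize(base64_decode($b64));
}

// HARDENED (option 1): keep serialize() but forbid objects entirely.
function loadUrlsSafe(string $b64): array
{
    $decoded = base64_decode($b64, true);
    if ($decoded === false) {
        throw new InvalidArgumentException('bad base64');
    }
    // allowed_classes=false turns every object into __PHP_Incomplete_Class,
    // whose destructor does nothing; we then insist on a plain array of URLs.
    $value = @unserialize($decoded, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected an array of URLs');
    }
    foreach ($value as $url) {
        if (!is_string($url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
            throw new InvalidArgumentException('invalid URL in stored data');
        }
    }
    return $value;
}

// HARDENED (option 2): do not use serialize() for data at all. JSON has no
// notion of PHP classes, so there is nothing for an attacker to instantiate.
function storeUrlsJson(array $urls): string
{
    return json_encode($urls, JSON_THROW_ON_ERROR);
}
function loadUrlsJson(string $json): array
{
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

// Demo: the safe loader accepts the legitimate payload and rejects the attack.
print_r(loadUrlsSafe($stored));
try {
    loadUrlsSafe($attack);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
print_r(loadUrlsJson(storeUrlsJson($urls)));

// The vulnerable loader is deliberately not called. If it were, PHP would
// build a LogWriter from the attacker's string and, the moment the returned
// object is discarded, __destruct() would write $data to $path:
// loadUrlsVulnerable($attack);
```

Two points to take from this: filter_var() on the way in does not help once an attacker can write the serialized blob directly, because the validation never sees those bytes, so the check belongs on the way out (or the format should be one without class names, like JSON); and escaping for MySQL (stringMysql(), prepared statements via PDO) addresses SQL injection, which is a different bug from object injection, so it does not settle the question either way.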

No answers
