I was taking a look at OWASP's articles on security and would like to understand what PHP Object Injection is. My English is not very good, so in my search I found that topic on the Brazilian Stack Overflow. But even then it wasn't clear to me how a user could inject PHP code into my projects; I didn't know that using unserialize and serialize on data that the user sends is not a good idea.
My project is in the following situation: the user selects some fields and sends them, I validate whether it is in fact a URL (because this will be serialized), and after validation I convert it to Base64 to insert into the database.
Thus:
// $Screen holds the URLs submitted by the user; stringMysql() is the
// project's own escaping function, defined elsewhere
foreach ($Screen as $key => $value) {
    if (filter_var($value, FILTER_VALIDATE_URL)) {
        $Options["screen_".($key+1)] = stringMysql($value);
    } else {
        $Erro = "Url inválida!";
        break;
    }
}
The stringMysql function escapes the characters before inserting them into the database. I then unserialize them on a page to display the URLs.
Is my project vulnerable?
Dude, to keep it simple and secure, use PDO.
– Marcos Vinicius
Can you explain to me how this Object Injection works? The issue of sanitizing MySQL values is fine; all queries are sanitized. I know having a prepared query is right, but I'm not unsure about that.
– reigelado
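As an added illustration, not code from the question's author, of the mechanism reigelado asks about and of the safe alternatives for the stored-URL scenario above: the class name, file path and values are hypothetical, and it assumes PHP 7.4 or later.

```php
<?php
// Added example: why unserialize() on user-controlled data is an injection
// point, and two safe alternatives. CacheFile and its path are hypothetical.

class CacheFile {
    public $path = '/tmp/app-cache.txt';
    public $data = '';
    // PHP calls this automatically when the object is destroyed. Whoever
    // controls the serialized string controls $path and $data, so this code
    // runs with the application's permissions on attacker-chosen values.
    public function __destruct() {
        echo "CacheFile::__destruct ran for {$this->path}\n";
    }
}

// 1. What the application expects to store: an array of validated URLs.
$expected = base64_encode(serialize(['screen_1' => 'https://example.com/a']));

// 2. A constructed value a user could submit instead. It names a class that
//    exists in the codebase, so unserialize() builds that object and its
//    magic methods run even though the app never intended to create it.
$crafted = base64_encode(
    'O:9:"CacheFile":2:{s:4:"path";s:10:"/tmp/x.txt";s:4:"data";s:3:"xyz";}'
);

// Vulnerable pattern: the submitted bytes decide which class is instantiated.
$obj = unserialize(base64_decode($crafted));
var_dump($obj instanceof CacheFile);              // bool(true)
unset($obj);                                       // __destruct fires here

// Hardened (PHP >= 7.0): refuse every class. The object becomes a
// __PHP_Incomplete_Class and none of CacheFile's magic methods run.
$safe = unserialize(base64_decode($crafted), ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class); // bool(true)

// Still validate the shape of what came back before displaying it.
$urls = unserialize(base64_decode($expected), ['allowed_classes' => false]);
$valid = is_array($urls)
    && array_filter($urls, fn($u) => filter_var($u, FILTER_VALIDATE_URL)) === $urls;
var_dump($valid);                                  // bool(true)

// Preferred: JSON can only ever yield arrays and scalars, never app objects.
$stored  = base64_encode(json_encode(['screen_1' => 'https://example.com/a']));
$decoded = json_decode(base64_decode($stored), true);
var_dump($decoded['screen_1']);                    // string "https://example.com/a"
```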