[Phpmyadmin-devel] unserialize in user preferences
Michal Čihař
michal at cihar.com
Wed Feb  9 11:28:11 CET 2011

Hi all
while looking at user preferences I've noticed that it uses
serialize/unserialize for storing the data in database. As this
function is quite famous in terms of security, I think we
should avoid this.
Any reason for not using json encoding there instead? It encodes just
the data and would not possibly call PHP code as unserialize could do
because of objects with __wakeup() methods.
-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com
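
The difference raised in the message above, as an added example that is not part of the original post and is not phpMyAdmin code: the class `CacheFile`, the function `load_prefs()`, the preference keys and all stored values are constructed for illustration. The `allowed_classes` option shown in step 2 exists only in PHP 7.0 and later.

```php
<?php
// Hypothetical class standing in for any application class that defines
// __wakeup(); it is not phpMyAdmin code.
class CacheFile
{
    public $path = '';
    public static $wakeups = 0;

    public function __wakeup()
    {
        // Invoked automatically by unserialize(); here it only counts calls.
        self::$wakeups++;
    }
}

// Constructed stored value that names a class instead of plain settings.
$tampered = serialize(new CacheFile());

// 1. Plain unserialize() instantiates the class and runs __wakeup().
$obj = unserialize($tampered);
printf("unserialize: %s, __wakeup calls: %d\n", get_class($obj), CacheFile::$wakeups);

// 2. PHP 7.0+ only: refuse to instantiate classes; __wakeup() is not called.
$obj = unserialize($tampered, ['allowed_classes' => false]);
printf("allowed_classes=false: %s, __wakeup calls: %d\n", get_class($obj), CacheFile::$wakeups);

// 3. JSON carries arrays and scalars only; no class is ever instantiated.
//    Hypothetical loader that also keeps only known keys of the expected type.
function load_prefs(string $json): array
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return [];                       // malformed or non-array input
    }
    $prefs = [];
    if (isset($data['lang']) && is_string($data['lang'])) {
        $prefs['lang'] = $data['lang'];
    }
    if (isset($data['MaxRows']) && is_int($data['MaxRows'])) {
        $prefs['MaxRows'] = $data['MaxRows'];
    }
    return $prefs;
}

// Constructed JSON value with an unexpected class-like key mixed in.
$json = '{"lang":"en","MaxRows":50,"CacheFile":{"path":"/tmp/x"}}';
var_dump(load_prefs($json));             // unknown keys are dropped
printf("__wakeup calls after JSON: %d\n", CacheFile::$wakeups);
```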