[Phpmyadmin-devel] unserialize in user preferences

Piotr Przybylski piotr.prz at gmail.com
Wed Feb 9 19:25:47 CET 2011

2011/2/9 Michal Čihař <michal at cihar.com>:
> Hi
> Dne Wed, 09 Feb 2011 05:31:19 -0500
> Marc Delisle <marc at infomarc.info> napsal(a):
>> Le 2011-02-09 05:28, Michal Čihař a écrit :
>> > Hi all
>> >
>> > while looking at user preferences I've noticed that it uses
>> > serialize/unserialize for storing the data in database. As this
>> > functions is quite famous in terms of security, I think we
>> > should avoid this.
>> >
>> > Any reason for not using json encoding there instead? It encodes just
>> > the data and would not possibly call PHP code as unserialize could do
>> > because of objects with __wakeup() methods.
>> It's also used in PHPExcel, TCPDF and tracking feature.
> I don't think we use that code in PHPExcel and TCPDF, however
> basically same what I wrote applies to tracking. Anyway now we have
> chance to make preferences use something safer, without hurting backward
> compatibility, with tracking it would be harder and some backward
> compatibility probably would have to be maintained.
> To exploit this, somebody would have to write custom data to pmadb...

I think we can safely change user preferences to use
json_encode/decode. It's a simpler and faster solution.

Piotr Przybylski

More information about the Developers mailing list