<p>As pointed out elsewhere already, you can use serialize to turn the object into a string.</p>
<pre><code>$foo = (object) array( 'foo' =&gt; 'foo &amp; bär', 'bar' =&gt; new StdClass ); $serialized = serialize($foo); </code></pre>
<p>This gives:</p>
<pre><code>O:8:"stdClass":2:{s:3:"foo";s:10:"foo &amp; bär";s:3:"bar";O:8:"stdClass":0:{}} </code></pre>
<p>As you can see, there are quotes in that string, so you cannot insert that into a link without risking breaking your markup:</p>
<pre><code>&lt;a href="http://example.com?s=O:8:" &lt;-- quote closes href </code></pre>
<p>So at the very least you'd have to <a href="http://de2.php.net/manual/en/function.htmlspecialchars.php" rel="noreferrer">htmlspecialchars</a> or <a href="http://de2.php.net/manual/en/function.urlencode.php" rel="noreferrer">urlencode</a> that output. However, that would still leave the content easily readable. You could make use of <a href="http://de2.php.net/manual/en/book.mcrypt.php" rel="noreferrer">PHP's MCrypt library</a> to put some strong encryption on the string. But if the data really is <em>that</em> sensitive, you should probably find another means of transfer, away from the public-facing portion of your site.</p>
<p>If the data is less sensitive, then you can probably save some CPU cycles by just obfuscating the string. The easiest way to do that is to run it through <a href="http://de2.php.net/manual/en/function.gzdeflate.php" rel="noreferrer"><code>gzdeflate</code></a>:</p>
<pre><code>echo gzdeflate(serialize($foo)); </code></pre>
<p>gives something like</p>
<pre><code>R*.Iq�I,.V�2��.�2�RJ��W�.�24 … </code></pre>
<p>Using <code>gzdeflate</code> will also shorten large serialized strings. The drawback is that it produces output unfit for transfer via HTTP, so you also have to <a href="http://de2.php.net/manual/en/function.base64-encode.php" rel="noreferrer"><code>base64_encode</code></a> that:</p>
<pre><code>echo base64_encode(gzdeflate(serialize($foo))); </code></pre>
<p>which will then give</p>
<pre><code>87eysFIqLklxzkksLlayMrKqLrYytlJKy89Xsi62MjQAMxXUFJIOLykCiQDlkhKBLH9UfQZW1bW1AA== </code></pre>
<p>And that's safe for transfer and also pretty obfuscated from the original serialized string. Because we have compressed the string before we base64'ed it, anyone smart enough to figure out that it's base64 will still have to make sense of the compressed string when trying to reverse it.</p>
<p>To turn the string back into an object, you then do</p>
<pre><code>unserialize( gzinflate( base64_decode( $obfuscatedString ) ) ) </code></pre>
<p>and get your object back. <a href="http://codepad.viper-7.com/ouK8Lu" rel="noreferrer">Demo</a></p>
<hr>
<p><strong>A note on Security</strong></p>
<p>The above is still insecure. You should not rely on obfuscation for security. If you transfer an object or an entire object graph via HTTP, you have to consider them as user input on the receiving end. <strong>User input cannot be trusted</strong>. Malicious users figuring out how the string was obfuscated can provide an altered input. Because you are unserializing objects back into the program flow, you have to be absolutely paranoid about the resulting object.</p>
<p>See <a href="http://www.sektioneins.com/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/" rel="noreferrer">http://www.sektioneins.com/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/</a> for a related example.</p>
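The round trip described in the answer above, as an added example that is not part of the original answer: the answer's obfuscation-only scheme (serialize, gzdeflate, base64) is shown beside an authenticated variant that the security note calls for. The authenticated form puts an HMAC over the compressed payload, checks it with hash_equals before anything is decoded, and carries JSON rather than a PHP serialization so the receiver never instantiates attacker-chosen classes. The key, the object shape and the function names are assumptions; it assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR).

```php
<?php
// Added example, not code from the answer. Assumes PHP >= 7.3.
declare(strict_types=1);

// --- 1. The answer's scheme: obfuscation only, no integrity check ----------
function obfuscate(object $o): string
{
    return base64_encode(gzdeflate(serialize($o)));
}

function deobfuscate(string $s): ?object
{
    $raw = base64_decode($s, true);           // strict: reject non-base64 input
    if ($raw === false) {
        return null;
    }
    $inflated = @gzinflate($raw);             // false (plus a warning) on garbage
    if ($inflated === false) {
        return null;
    }
    // Anyone who works out the scheme can craft this string, so whatever comes
    // back is untrusted input. allowed_classes=false stops unserialize() from
    // instantiating arbitrary classes named in the payload (the Piwik issue);
    // it does not make the data itself trustworthy.
    $obj = @unserialize($inflated, ['allowed_classes' => false]);
    return is_object($obj) ? $obj : null;
}

// --- 2. Authenticated variant: HMAC over the payload, verified before decode --
// URL-safe base64 so the token can sit in a query string without urlencode().
function b64url_encode(string $b): string
{
    return rtrim(strtr(base64_encode($b), '+/', '-_'), '=');
}

function b64url_decode(string $s)
{
    $s = strtr($s, '-_', '+/');
    return base64_decode($s . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
}

function seal_token(object $o, string $key): string
{
    // JSON instead of serialize(): the receiver rebuilds plain stdClass data,
    // never objects of classes chosen by whoever sent the string.
    $payload = gzdeflate(json_encode($o, JSON_THROW_ON_ERROR));
    $mac     = hash_hmac('sha256', $payload, $key, true);   // 32 raw bytes
    return b64url_encode($mac . $payload);
}

function open_token(string $token, string $key): ?object
{
    $raw = b64url_decode($token);
    if ($raw === false || strlen($raw) < 32) {
        return null;
    }
    $mac     = substr($raw, 0, 32);
    $payload = substr($raw, 32);
    // Constant-time comparison; reject before gzinflate/json_decode see a byte.
    if (!hash_equals(hash_hmac('sha256', $payload, $key, true), $mac)) {
        return null;
    }
    $json = gzinflate($payload);
    if ($json === false) {
        return null;
    }
    return json_decode($json, false, 512, JSON_THROW_ON_ERROR);
}

// --- Usage with the answer's object ----------------------------------------
$foo = (object) ['foo' => 'foo & bär', 'bar' => new stdClass()];
$key = random_bytes(32);   // assumption: in practice a fixed secret kept server-side

$token = seal_token($foo, $key);
var_dump(open_token($token, $key)->foo === 'foo & bär');   // bool(true)

// Flip one character inside the MAC region: authentication fails and nothing
// downstream of hash_equals() runs.
$tampered     = $token;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
var_dump(open_token($tampered, $key));                      // NULL

// The obfuscation-only form accepts any string that inflates and unserializes.
var_dump(deobfuscate(obfuscate($foo))->foo === 'foo & bär'); // bool(true)
```

The MAC is checked over the still-compressed bytes, so a forged token is rejected before gzinflate and the JSON parser are ever exposed to attacker-controlled data; if the data is also confidential rather than merely tamper-prone, the answer's advice stands: encrypt it or keep it off the public side entirely.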