I want to store twitter raw tweet data that I get when accessing the API in a mysql database. How do I do so? should I just store the data in json format (as it is already)? Should I first json_decode the data and then call serialize? If so, what are the pro/cons? My goal is to protect the integrity and accuracy of the data and to make it fast for me to decode and encode. thanks!
I'm using PHP/Mysql.
Storing the data in the database in the format you intend to use it later is best, that way you only manipulate it once. In terms of integrity, the mysql_real_escape_string and serialize / unserialize functions will ensure what you store is what you get back.
To store the data for retrieval and assuming you have your data (whatever format) in a PHP variable $data, you may do something like.
<?php mysql_query("INSERT INTO tablename(fieldname) VALUES('".mysql_real_escape_string(serialize($data))."')"); ?>
Related
I need to store structured data in a cookie.
favorites of some catalog page. the data is { {id,type} , {id,type} , ... }
In my code i need to put it back to a an array. so i am using the unserialize() function to recover the data.
Is there a way to prevent object injection? any alternative for the unserialize function?
Is there a way to prevent object injection
When you unserialize an object, PHP will call the __wakeup method in the class' definition (this is not stored in the cookie but in your PHP class file on the server).
Would it be possible for someone to change the serialized object's class and guess correctly causing a __wakeup function to perform some task? Yes. Usually __wakeup functions will simply reconnect to a resource so this may or may not be a big deal but why risk it? Just store the array as JSON with json_encode($yourdata) and get it back with json_decode($cookiedata, true)
As long as the data being stored client-side does not pose a security risk (i.e., reveals sensitive information) it's fine. Storing a user's favorites can be appropriate for this, especially if it's a high traffic site and you don't want to have to perform a database fetch or long sessions for this type of data.
Well, if you have a defined structure of how your array should look, then just make sure that the string you're unserializing is really an array when you're iterating over it just check the value type (id -> int, type -> string).
Plus, I think json_encode will be better in your case of data, it is smaller in size and faster in decoding (and you can work with it on the client-side).
The way I'm thinking about would be to encrypt the cookie information, to prevent the user from knowing what the hell is he/she editing
If you don't want the user to potentially modify the data, then don't give the data to the user in the first place. Use $_SESSION, a database, or write the info to a file on your server.
I have 8 input type text. name=favour_01
I make those 8 input into an array and serialize it
i use PDO to save it into DB.
Than unserialize it for output
$favour[]='apple'; $favour[]='banana';
$favours = serialize($favours);
prepare(...
$food->bindValue(':favours', $favours, PDO::PARAM_STR);
is this secure? I have read serialize input is vulnerable.
I didn't use any class for this, here is one post i have read https://www.owasp.org/index.php/PHP_Object_Injection
Serializing data is only a security risk when the data you serialize contains sensitive information. The risk is that you serialize data that contains passwords for example and then you store the serialized form somewhere insecure.
Unserializing data is a security risk if you try to unserialize data that you got from an untrusted source. The unserialization process can instantiate objects and the data input may therefore do things you don't anticipate.
What you're doing for serializing a simple array of values to bind it to a SQL parameter is okay from a security point of view, but keep in mind you won't be able to search the database efficiently for specific values within that serialized array. Basically your database becomes a black box: you can stuff a whole array into it, and fetch the whole array out to deserialize it, but you can't easily read or write individual elements of the array with SQL.
It's better practice to create a child table and store one element per row in that table.
yes it is safe if you use prepared statement, then validate data after retrieving it from the database to before output to browser.
I would like to generate encrypt data and send it from http://localhost:8888/A/B to http://localhost:8888/C/D in json format.
What is the best way possible?
Users will be using only http://localhost:8888/A/B, so when ever a request comes in for a http://localhost:8888/A/B a hash key will be generated and sent to http://localhost:8888/C/D where the database query will happen before doing that it has to decrypt the data and check if the user is a valid one.
Use cURL to send any data anywhere. It is very flexible and configurable for any case. You can use either POST or GET methods to send data.
you're referencing two different things.. hashing != encrytping. Hashing is one way, whereas encrytpion is two directional. use an ajax call to a codeigniter controller.
I save data in my DB (mysql) with "serialize($array);". This data came from a form with an input field. I want to know what happen if i insert something like "a:4:{i:1;s:7:"fdsfdsf";i" in the form field. could break my data stored in the DB?
Thanks!!
I tested your example on my system, and after serialization, the following value is returned:
string(42) "a:1:{i:0;s:24:"a:4:{i:1;s:7:"fdsfdsf";i";}"
This is what will be added to the database. But, storing user input plain in database is highly discouraged. You should first format the plain user input with mysql_real_escape_string() as it will escape critical characters.
Apart from that, if unserialize() is called on the serialized text read back from database, the array is properly returned. It should be safe, but can produce unexpected results.
Be extremely careful with storing serialized arrays in a database. Serialization returns a string, so the field you store the data in is usually VARCHAR or TEXT. If you simply overwrite the stored array with a new one, the old data will be completely lost. To update the database, make sure you first read the data from the database into an array, and update it, and only then write it back to the database.
While it is not forbidden, using and storing stuff serialized in database usually creates a lot of issues. The database has a lot of datatypes known by default, and big serialized arrays create overhead and complicates execution, and is just simply a pain in the ass if the system later needs to be modified. And you cannot use relation queries on serialized fields.
The old way
When you're still using mysql_ you could write queries like this:
$sql = sprintf("INSERT INTO mytable (a) VALUES ('%s')",
mysql_real_escape_string(serialize($myvar))
);
mysql_query($sql) or die("oh no!");
The recommended way
For PDO and mysqli you get the option to use prepared statements, which comes highly recommended for exactly the purpose of preventing SQL injection attack vectors. An example in PDO:
$stmt = $db->prepare('INSERT INTO mytable (a) VALUES (:myvar)');
$stmt->execute(array(
':myvar' => serialize($myvar),
));
Field lengths
Also, make sure the length of your serialized data doesn't exceed the column size of the table field; a truncated serialized variable is pretty much useless.
A way to block this is escaping quotes before inserting data into the database.
You could do this with mysqli_real_escape_string() http://www.php.net/manual/en/mysqli.real-escape-string.php
I am trying store temporary data (such as cart products, session_data) in DB. And I choosed YAML for this instead of serialize() function. Because YAML data is easily readable by human and portable between programming languages.
Am I in trouble with YAML if I store my temprory data in database?
Personally I would use serialize for two reasons:
Its included in PHP by default.
What you put in is what you get out.
In regards to the second point. Serialize doesn't just convert to a string it records the type as well and PHP calls functions on objects so you can choose what to serialise and what do do with the data when you unserialise it.
See: __sleep and __wake
It may not be easy to read directly from the database but it wouldn't take two minutes to write a script that could pull it out, unserialise it and do a print_r on the data to view what's stored.
Personally, I wouldn't use YAML. It's too format-dependent (Requiring new lines, whitespace, etc) and there's no native parser in PHP. Instead, I'd use JSON for this. It's trivial to handle natively, and is quite human readable (no as much as YAML, but much more so than serialized). It's the best of both worlds.
But, with that said, you really should ask yourself the question as to why you want to store a serialized representation of a complex data structure in a field in the DB... For most cases, it might be better to store a normalized representation of the data (so it's searchable easily, etc). It's not "bad" to store serialized data, but it might not be optimal or the right choice depending on what you're trying to do. It's generally far better than using an Entity-Attribute-Value store, but you need to really think about what you're doing to decide if it's the right thing.
Just make sure you are escaping everything potentially dangerous i.e. user input and you are fine.