At 04:25 AM 1/21/2006, Jared Williams wrote:
What are the security implications of doing this?
Creating objects based on a string from an untrusted source seems not a
good idea, unless one can prevent tampering (with an HMAC or
something).
Well, I think the right thing to do is pass an array of "allowed"
classes into json_decode() and raise an error/exception if it's not
in the list.
I think it wasn't clear to some people why this is needed.
I think enabling the seamless mapping of objects in between the
client and server is extremely useful. It'll save PHP developers from
having to unpack/pack their PHP objects into the right structures. So
basically I think there should be a way for an object to say what
its key/value pairs are (__json_serialize_elements()?) and to allow
mapping directly to classes during decode(). In both cases I think if
neither a serializing interface is implemented nor valid
"classes" provided to decode(), it should work like today via StdClass.
I hope this is a bit more clear.
Andi
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
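The two halves of the proposal above (an object declaring its own key/value pairs for encoding, and decode() instantiating only classes from a caller-supplied allowlist, falling back to stdClass when no list is given) sketched as a userland wrapper around json_decode(). This is an added example, not code from the thread or from PHP's json extension: the interface name, the "__class" key used as the class hint, and the wrapper function names are assumptions made for illustration; it assumes PHP 8. (PHP later added the real JsonSerializable interface with a jsonSerialize() method for the encoding half; the allowlisted decode never became part of json_decode().)

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Interface, method and "__class" hint
// names are assumptions for illustration only.

interface JsonElements
{
    /** Return the key/value pairs that should be emitted for this object. */
    public function __json_serialize_elements(): array;
}

final class User implements JsonElements
{
    public function __construct(public string $name = '', public bool $admin = false) {}

    public function __json_serialize_elements(): array
    {
        // The class hint is emitted by the object itself, so the decoder
        // knows which class the sender intended.
        return ['__class' => self::class, 'name' => $this->name, 'admin' => $this->admin];
    }
}

function to_elements(mixed $value): mixed
{
    if ($value instanceof JsonElements) {
        return array_map('to_elements', $value->__json_serialize_elements());
    }
    return is_array($value) ? array_map('to_elements', $value) : $value;
}

function json_encode_objects(mixed $value): string
{
    return json_encode(to_elements($value), JSON_THROW_ON_ERROR);
}

/**
 * With an empty $allowed list this behaves like plain json_decode(): every
 * JSON object becomes a stdClass and any "__class" key is just data.
 * With a list, an object carrying a "__class" hint is instantiated only if
 * that class is in the list; anything else raises an exception instead of
 * silently creating whatever class name the untrusted input asked for.
 */
function json_decode_objects(string $json, array $allowed = []): mixed
{
    $data = json_decode($json, false, 512, JSON_THROW_ON_ERROR);
    return $allowed === [] ? $data : map_classes($data, array_flip($allowed));
}

function map_classes(mixed $node, array $allowed): mixed
{
    if (is_array($node)) {
        return array_map(fn($v) => map_classes($v, $allowed), $node);
    }
    if (!$node instanceof stdClass) {
        return $node;
    }
    $hint = $node->__class ?? null;
    unset($node->__class);
    foreach ($node as $k => $v) {
        $node->$k = map_classes($v, $allowed);   // nested objects first
    }
    if ($hint === null) {
        return $node;                            // untyped object: stdClass as today
    }
    // A non-string hint (array, number) is attacker-controlled junk; reject it
    // before it reaches isset(), which would throw a TypeError on an array key.
    if (!is_string($hint) || !isset($allowed[$hint])) {
        throw new UnexpectedValueException("class '" . json_encode($hint) . "' is not in the allowed list");
    }
    // Only fill properties the class actually declares; unknown keys from the
    // input are dropped rather than becoming dynamic properties.
    $obj = new $hint();                          // assumes a no-argument constructor
    foreach ($node as $k => $v) {
        if (property_exists($obj, $k)) {
            $obj->$k = $v;
        }
    }
    return $obj;
}

// Constructed round trip.
$json = json_encode_objects(['user' => new User('alice', false)]);
// {"user":{"__class":"User","name":"alice","admin":false}}
$typed = json_decode_objects($json, [User::class]);   // $typed['user'] is a User
$plain = json_decode_objects($json);                   // $plain['user'] is a stdClass

// Constructed hostile input: the hint names a class that is not allowed.
try {
    json_decode_objects('{"__class":"SplFileObject","filename":"/etc/passwd"}', [User::class]);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}
```

Two caveats a practitioner would want: the allowlist only restricts which classes can be named; the untrusted input still chooses the property values, so the allowed classes must tolerate arbitrary values in their public properties, and any constructor, destructor or magic method on an allowed class still runs. Matching the hint with isset() on the flipped list is exact and case-sensitive, which is stricter than PHP's own case-insensitive class lookup; that is deliberate, since the list is the security boundary.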