Hi!
> I think Stas proposes a solution to the problem and I think Anthony > proposes a viable alternative. I would say that Anthony has found the > shortest distance between the two points (the problem and the solution), > however. The fact is that people do use serialize() for data that may be accessible by the user (or made accessible by unrelated security issues, which may be upgraded in severity by this - e.g. from SQL injection to persistent code backdoor on the server). There are many ways to do things differently, and they are known. However, as I said, the fact is people do use serialize() and may not even realize the data aren't as secure as they are. That's why many security tools flag any object with dtor in application using unserialize as insecure. This is not a good situation, and presently there are no way to avoid it except dropping serialize() completely - which may not be an option is some cases and in any case would require serious changes to the production code. This enhancement is to fix this problem. It is not to change best practices or give advice on how to write the most secure system - it is to make existing code more secure easily. -- Stanislav Malyshev, Software Architect SugarCRM: http://www.sugarcrm.com/ (408)454-6900 ext. 227 -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
