Newsgroups: php.internals
Date: Mon, 06 Sep 2004 07:28:22 +0200
From: markus@fischer.name (Markus Fischer)
To: internals@lists.php.net
Subject: Re: [PHP-DEV] unserialize() data from untrusted source

Jason Garber wrote:
> This is an interesting point you bring up. When we have large
> registration processes or similar multi-page forms, we write our
> data array to a hidden field using.
>
>   base64_encode(serialize($aData))
>
> and read it in with
>
>   unserialize(base64_decode($_POST['aData']))
>
> passing it from page to page with POST.

I fail to understand, in your scenario, why you don't simply save the data in a session? You're effectively generating some data server-side and sending it to the client only to get it back on the next request; typical session scenario, if you ask me.

cheers,
- Markus
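
The session approach suggested in the reply above, as an added example that is not part of the original message or of PHP itself: the multi-page form's data array lives in the session and only allowlisted string fields are copied in from each POST, so nothing sent by the client is passed to unserialize(). The step names, field names and the helper `wizard_store_step()` are hypothetical.

```php
<?php
// Added example: multi-page form state kept in the session instead of a
// hidden field. Step names and field names are hypothetical.
declare(strict_types=1);

// Allowlist of fields each step may set (assumed form layout).
const WIZARD_STEPS = [
    'account' => ['email', 'username'],
    'address' => ['street', 'city', 'zip'],
];

/**
 * Copy only the expected string fields of one step from the request into
 * the session-held array. Nothing from the client is ever unserialize()d.
 */
function wizard_store_step(array &$session, string $step, array $post): array
{
    if (!isset(WIZARD_STEPS[$step])) {
        throw new InvalidArgumentException("unknown step: $step");
    }
    $data = $session['aData'] ?? [];
    foreach (WIZARD_STEPS[$step] as $field) {
        // Skip missing values and nested arrays; keep plain strings only.
        if (isset($post[$field]) && is_string($post[$field])) {
            $data[$field] = trim($post[$field]);
        }
    }
    $session['aData'] = $data;
    return $data;
}

// In a page handler this would be:
//   session_start();
//   wizard_store_step($_SESSION, 'account', $_POST);
// Constructed sample input so the script also runs from the CLI:
$session = [];
wizard_store_step($session, 'account', [
    'email'    => 'a@example.org',
    'username' => 'jg',
    'aData'    => 'client-supplied blob, never read',
]);
$final = wizard_store_step($session, 'address', ['city' => 'Vienna', 'zip' => ['x']]);
var_dump($final);
```

The client only ever holds the session identifier; a posted `aData` field or an array-valued `zip` is ignored rather than decoded.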