Newsgroups: php.internals
Xref: news.php.net php.internals:12609
Date: Mon, 6 Sep 2004 04:38:03 -0400
From: jason@ionzoft.com (Jason Garber)
Organization: IonZoft, Inc.
To: Markus Fischer
Cc: internals@lists.php.net
Message-ID: <1344526455.20040906043803@ionzoft.com>
In-Reply-To: <413BF576.70104@fischer.name>
References: <1379406779.20040905153328@ionzoft.com> <413BF576.70104@fischer.name>
Subject: Re: [PHP-DEV] unserialize() data from untrusted source

Hello Markus,

I've done both many times. There are many ways to do this type of thing, but the way I described it is very clean because the data is always in sync with the page (due to the fact that the data is on the page). If you save the data to a session, and then click back a couple times, it can really mess with things, creating a much more complex scenario to deal with.

As I said, over the years I've done both, and this is what I've settled on as the most practical.

-- 
Best regards,
Jason
mailto:jason@ionzoft.com

Monday, September 6, 2004, 1:28:22 AM, you wrote:

MF> Jason Garber wrote:
>> This is an interesting point you bring up. When we have large
>> registration processes or similar multi-page forms, we write our
>> data array to a hidden field using:
>>
>> base64_encode(serialize($aData))
>>
>> and read it in with
>>
>> unserialize(base64_decode($_POST['aData']))
>>
>> passing it from page to page with POST.

MF> I fail to understand, in your scenario, why you don't simply save the
MF> data in a session?

MF> You've effectively generated some data on the server and sent it to the client
MF> only to get it back on the next request; typical session scenario, if
MF> you ask me.

MF> cheers,
MF> - Markus
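Added here as an illustration, not code from Jason's message, Markus's reply, or PHP itself: a version of the hidden-field pattern quoted above that signs the serialized payload with an HMAC and verifies it before calling unserialize(), so a field the client has altered is rejected instead of being deserialized. It assumes a server-side secret (the constant below is a placeholder) and PHP 7.0 or later for the `allowed_classes` option, which did not exist when this 2004 message was written.

```php
<?php
// Added example: carry multi-page form state in a hidden field, as the quoted
// message does, but authenticate the bytes before they ever reach unserialize().
// Assumes PHP >= 7.0 (allowed_classes) and a secret kept on the server.

declare(strict_types=1);

// PLACEHOLDER secret: load from configuration or the environment in real use.
const FORM_STATE_KEY = 'replace-with-a-random-32-byte-secret';

/**
 * Encode form state for a hidden field: base64 over (hex HMAC + '.' + serialized
 * data). The MAC lets the server detect any change made on the client side.
 */
function encodeFormState(array $data, string $key = FORM_STATE_KEY): string
{
    $payload = serialize($data);
    $mac = hash_hmac('sha256', $payload, $key); // 64 hex characters
    return base64_encode($mac . '.' . $payload);
}

/**
 * Decode a hidden-field value. Returns the array, or null when the field is
 * missing, malformed, fails the MAC check, or does not unserialize to an array.
 */
function decodeFormState(?string $field, string $key = FORM_STATE_KEY): ?array
{
    if ($field === null) {
        return null;
    }
    $raw = base64_decode($field, true); // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 64) {
        return null;
    }
    [$mac, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    // Even with a valid MAC, never let the payload instantiate objects.
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Self-check with constructed sample data.
function selfCheck(): bool
{
    $state = ['step' => 2, 'email' => 'user@example.com'];
    $field = encodeFormState($state);
    if (decodeFormState($field) !== $state) {
        return false;
    }
    // Tampered field: change one byte inside the serialized payload (offset 70
    // lies past the 64-char MAC and the '.' separator), so the MAC no longer matches.
    $tampered = base64_encode(substr_replace(base64_decode($field), 'X', 70, 1));
    if (decodeFormState($tampered) !== null) {
        return false;
    }
    // A field in the unauthenticated base64(serialize()) form is also rejected.
    return decodeFormState(base64_encode(serialize($state))) === null;
}

echo selfCheck() ? "ok\n" : "FAILED\n";
```

The MAC keeps the property Jason values (the state travels with the page, so the back button cannot desynchronise it from a server-side copy) while answering the concern in the thread's subject line: the bytes handed to unserialize() are only ever bytes the server produced. Passing `allowed_classes => false` is a second, independent line of defence in case the secret is ever exposed, since a plain array round-trip never needs object instantiation.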