Earlier today, I had a "free heart attack" when a new thread showed up on the PHP Internals list:
[RFC] more secure unserialize()
I love serialize()/unserialize() because it is nice and easy to use. Unfortunately, with ease-of-use comes greater responsibility. In this case, it is important that users can't submit their own serialized data structures to the server. When the server calls unserialize() on attacker-controlled input, it reconstructs whatever data types the string describes, including instances of any class that is loaded or autoloadable, with property values chosen by the attacker. PHP then calls __wakeup() on those objects right away and __destruct() automagically when they are destroyed, so whatever code is in those methods executes, no matter how innocent the class looked to its author. The "free heart attack" I mentioned earlier came from the fact I send serialized data to the SSO client in the encrypted cookie. Fortunately, a look at the encrypted cookie code revealed I had been using json_encode() and json_decode(), which allowed me to breathe a sigh of relief. For now.
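To make the risk concrete, here is an added example; it is not code from the original post, the SSO client, or the RFC. The TempFile class, the cookie shape (user/exp) and the victim file are hypothetical, the encryption layer the post mentions is left out so the focus stays on the payload format, and it assumes PHP 7.4 or later (the `allowed_classes` option at the end exists from PHP 7.0 on).

```php
<?php
// Added example, not code from the original post. It shows why
// unserialize() on client-supplied data is dangerous and what the
// json_encode()/json_decode() approach buys you. Class name, cookie
// shape and the victim file are hypothetical. Requires PHP 7.4+.
declare(strict_types=1);

// An innocuous helper class that happens to have a destructor. The
// attacker needs no bug in it; its mere presence in the codebase
// (or autoload path) is enough to turn unserialize() into a file delete.
class TempFile
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    public function __destruct()
    {
        // PHP calls this automatically when the object is destroyed,
        // including objects that unserialize() created from a cookie.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// --- Vulnerable: the cookie is whatever structure the client says it is ---
function vulnerableReadCookie(string $cookie)
{
    // unserialize() instantiates ANY loaded class named in the string.
    // It does not call the constructor, but __wakeup() runs at once and
    // __destruct() runs when the object is freed.
    return unserialize($cookie);
}

// --- Hardened: JSON can only express scalars, arrays and nulls ---
function safeReadCookie(string $cookie): ?array
{
    try {
        // assoc=true: JSON objects become plain arrays, never class instances.
        $data = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    // Still validate the shape: JSON removes the code-execution gadget,
    // not the need to check what the client actually sent.
    if (!is_array($data) || !isset($data['user'], $data['exp'])
        || !is_string($data['user']) || !is_int($data['exp'])) {
        return null;
    }
    return ['user' => $data['user'], 'exp' => $data['exp']];
}

// --- Demonstration with a constructed malicious cookie ---
$victim = sys_get_temp_dir() . '/victim.txt';   // stand-in for a file worth deleting
file_put_contents($victim, 'important');

// Instead of the session array the app expects, the cookie describes a
// TempFile whose path is the victim file. Lengths are computed, so the
// string is a valid serialized TempFile.
$malicious = sprintf('O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}',
    strlen($victim), $victim);

$obj = vulnerableReadCookie($malicious);
printf("vulnerable: got %s\n", get_class($obj));   // TempFile
unset($obj);                                        // __destruct() fires here
printf("victim exists after unset: %s\n", var_export(file_exists($victim), true)); // false

// The same payload through the JSON path is simply rejected.
var_dump(safeReadCookie($malicious));               // NULL

// A legitimate cookie produced with json_encode() round-trips fine.
$legit = json_encode(['user' => 'alice', 'exp' => 1700000000]);
var_dump(safeReadCookie($legit));                   // array with user/exp

// If unserialize() cannot be removed, PHP 7.0+ can at least refuse objects:
// every class in the string becomes __PHP_Incomplete_Class, which has no
// destructor, so nothing attacker-chosen runs.
$inert = unserialize($malicious, ['allowed_classes' => false]);
printf("allowed_classes=false: %s\n", get_class($inert)); // __PHP_Incomplete_Class
```

The point of the JSON path is not that json_decode() is magic but that the format has no way to name a class, so the "expands out any data type, including objects" step never happens; the shape check afterwards is still needed because a cookie the client can forge is untrusted input either way. Encrypting (and authenticating) the cookie, as the post does, is a second, independent layer.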
This just goes to show that security is a moving target. Or, if you are a cow, it is a mooooooving target. Failure to stay on top of the latest changes on the security front makes systems less secure.