Earlier today, I had a "free heart attack" when a new thread showed up on the PHP Internals list: [RFC] more secure unserialize() I love serialize()/unserialize() because it is nice and easy to use. Unfortunately, with ease-of-use comes greater responsibility. In this case, it is important that users can't submit their own serialized data structures to the server. When the server calls unserialize(), it expands out any data type, including objects. Upon destruction of an object, __destruct() is called by PHP automagically, which then executes whatever code is in there. The "free heart attack" I mentioned earlier came from the fact I send serialized data to the SSO client in the encrypted cookie. Fortunately, a look at the encrypted cookie code revealed I had been using json_encode() and json_decode(), which allowed me to breathe a sigh of relief. For now. This just goes to show that security is a moving target. Or, if you are a cow, it is a moooooo
Here you will find all sorts of great information or rants, whichever, about the software industry, products I use, and tips.
If you find a nifty piece of software you think I should be using, forward it to me in the comment of the latest post.