[thelist] passing object vars - php
Matt Warden
mwarden at gmail.com
Sat May 13 15:42:23 CDT 2006
Simon Watkins wrote:
> At the moment I am doing something like:
>
> <?php
>
> $my_inst = new my_obj;
> $my_inst -> method1("a", "b", "c");
> $my_inst -> method2(1,2,3);
> $str = base64_encode(serialize($my_inst));
> echo "<img src=\"image.php?v=$str\" alt=\"php generated image\">";
>
> ?>
>
> and then in the image file:
>
> <?php
>
> $object = unserialize(base64_decode($_GET['v']));
>
> ?>
>
> This is working ok but I am new to this sort of stuff and have the
> feeling that this is not a particularly effective way of achieving
> what I want -
> (1) it generates a very long url as the object potentially contains
> quite a lot of data.
Hopefully the object does not contain any sensitive data.
> (2) The image file doesn't really know what sort of object it has.
Indeed. I've not seen a proof of concept, but my instinct says that this
could be a horrible security problem, depending on what you're doing
with $object. It's not much better than doing this:
eval($_GET['v']);
Do you have sessions available? If so:
page1:
$_SESSION['myobject'] = $my_inst;
page2:
$object = $_SESSION['myobject'];
Behind the scenes, it's probably doing exactly what you're doing now,
but without involving the client at all, and keeping things completely
server-side.
If that doesn't work for you, you could roll your own system by
serializing to a file named $id and then doing <img
src="image.php?id=$id"> which would allow your image.php script to
locate the local file and unserialize it.
Otherwise:
http://www.google.com/search?q=php%20object%20persistence
But, I would definitely stay away from using the client to persist this
object.
--
Matt Warden
Oxford, OH, USA
http://mattwarden.com
This email proudly and graciously contributes to entropy.
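The "serialize to a file named $id" approach from Matt's reply, written out as an added example (not code from either poster): the client only ever sees a random id, image.php validates that id before touching the filesystem, and unserialize() is told which class it may rebuild. Assumes PHP 7 or later; the class my_obj and the storage directory are placeholders.

```php
<?php
// Added example: server-side persistence of the object, with an opaque id
// handed to the client instead of the serialized object itself.
// my_obj and STORE_DIR are assumed for illustration.

class my_obj {
    public $a; public $b; public $c;
    public function method1($a, $b, $c) { $this->a = $a; $this->b = $b; $this->c = $c; }
}

const STORE_DIR = '/var/lib/myapp/imgstate';   // assumed; must not be web-accessible

// page1: persist the object on the server and return only a random id.
function store_object(my_obj $inst): string {
    $id = bin2hex(random_bytes(16));           // 32 hex chars, not guessable
    file_put_contents(STORE_DIR . "/$id", serialize($inst), LOCK_EX);
    return $id;
}

// image.php: reload it, accepting only a well-formed id and only the expected class.
function load_object(string $id): ?my_obj {
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        return null;                            // rejects ../, NUL bytes, anything odd
    }
    $path = STORE_DIR . "/$id";
    if (!is_file($path)) {
        return null;
    }
    // allowed_classes (PHP 7+) stops any other class from being instantiated here,
    // which is the "doesn't know what sort of object it has" problem from the thread.
    $obj = unserialize(file_get_contents($path), ['allowed_classes' => [my_obj::class]]);
    return $obj instanceof my_obj ? $obj : null;
}

// page1
$my_inst = new my_obj;
$my_inst->method1("a", "b", "c");
$id = store_object($my_inst);
echo '<img src="image.php?id=' . htmlspecialchars($id) . '" alt="php generated image">';

// image.php
$object = load_object($_GET['id'] ?? '');
if ($object === null) {
    http_response_code(404);
    exit;
}
```

A cron job or an expiry check in load_object() should delete files older than the image's useful lifetime, otherwise STORE_DIR grows without bound.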