# TaintedUnserialize
Tainted input detected to an `unserialize` call.

Passing untrusted user input to `unserialize` calls is dangerous. From the [PHP documentation on unserialize](https://www.php.net/manual/en/function.unserialize.php):

> Do not pass untrusted user input to unserialize() regardless of the options value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Use a safe, standard data interchange format such as JSON (via json_decode() and json_encode()) if you need to pass serialized data to the user.
```php
<?php
// Taint source: a raw request parameter controlled by the client.
$command = $_GET["data"];
getObject($command);

function getObject(string $data) : object {
    // Taint sink: the untrusted string reaches unserialize() unchanged,
    // so Psalm reports TaintedUnserialize here.
    return unserialize($data);
}
```
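A hardened version of the same function, added here as an example and not taken from the Psalm docs: the data still comes from the request, but it is decoded as JSON and checked against an expected shape (the `Settings` class, field names and limits are assumptions for this example) instead of being passed to `unserialize`.

```php
<?php
declare(strict_types=1);

// Assumed application type; json_decode() never instantiates classes like this
// on its own, so the only way to obtain one is through the validated constructor.
final class Settings
{
    public string $theme;
    public int $pageSize;

    public function __construct(string $theme, int $pageSize)
    {
        $this->theme = $theme;
        $this->pageSize = $pageSize;
    }
}

function getSettings(string $data): Settings
{
    // json_decode() yields only scalars, arrays and stdClass: no autoloading,
    // no __wakeup()/__destruct() magic, so there is no object-injection sink.
    $decoded = json_decode($data, true, 8, JSON_THROW_ON_ERROR);

    // Validate the structure and the values before building a typed object.
    if (!is_array($decoded)
        || !isset($decoded['theme'], $decoded['pageSize'])
        || !is_string($decoded['theme'])
        || !is_int($decoded['pageSize'])
        || !in_array($decoded['theme'], ['light', 'dark'], true)
        || $decoded['pageSize'] < 1
        || $decoded['pageSize'] > 100
    ) {
        throw new InvalidArgumentException('Malformed settings payload');
    }

    return new Settings($decoded['theme'], $decoded['pageSize']);
}

// Taint source is unchanged; the sink is gone.
$settings = getSettings($_GET['data'] ?? '{}');
```

Running Psalm with `--taint-analysis` on this version reports no TaintedUnserialize, since `json_decode` is not a sink for this issue.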