NotionCommotion, Posted December 27, 2020
I had been escaping my arguments before passing to exec(), and then type casting back on the other end. Recently needed to pass an array, and at first planned on json_encode(), but gave serialize/unserialize a try and discovered that it automatically took care of the type casting. The data is coming from me thus I am not (hopefully!) worried about malicious data. Any need to also use escapeshellarg() either before or after serializing? Thanks
NotionCommotion (Author), Posted December 27, 2020
Actually, looks like I need to use escapeshellarg(serialize($myArrayData));
requinix, Posted December 27, 2020
Yeah, you definitely still need to use escapeshellarg. Escaping values isn't always about malicious data - sometimes it's simply about making sure that stuff doesn't get screwed up. But serialize? Ew. I'd rather have the other process read JSON through stdin.
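The two approaches from this thread side by side, as an added example that is not code from any poster: the serialized array passed as an escaped command-line argument, and the same array sent as JSON through stdin. It assumes the PHP 7.4+ CLI on a Unix-like shell; the sample array and both child one-liners are constructed for illustration.

```php
<?php
// Constructed sample data: quotes, spaces and shell metacharacters that an
// unescaped command line would mangle even when nobody is attacking.
$data = ['name' => "O'Brien & Sons", 'ids' => [1, 2, 3], 'note' => 'a "quoted" $HOME; value'];

// Variant 1: serialized data as a command-line argument. The string passes
// through a shell, so every piece of the command goes through escapeshellarg().
function viaArgument(array $data): array
{
    // Hypothetical child: unserialize argv[1] (no object instantiation) and echo JSON.
    $child = 'echo json_encode(unserialize($argv[1], ["allowed_classes" => false]));';
    $cmd = escapeshellarg(PHP_BINARY) . ' -r ' . escapeshellarg($child)
         . ' -- ' . escapeshellarg(serialize($data));
    return json_decode((string) shell_exec($cmd), true);
}

// Variant 2: JSON over stdin. The array form of proc_open() (PHP 7.4+) starts
// the program directly without a shell, and the data never touches the command line.
function viaStdin(array $data): array
{
    // Hypothetical child: decode JSON from stdin and echo it back re-encoded.
    $child = 'echo json_encode(json_decode(file_get_contents("php://stdin"), true));';
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w']];
    $proc = proc_open([PHP_BINARY, '-r', $child], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start child process');
    }
    fwrite($pipes[0], json_encode($data, JSON_THROW_ON_ERROR));
    fclose($pipes[0]);                       // EOF tells the child the input is complete
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return json_decode($out, true, 512, JSON_THROW_ON_ERROR);
}

// Both round trips should hand back the original array unchanged.
var_dump(viaArgument($data) === $data);
var_dump(viaStdin($data) === $data);
```

On Windows, escapeshellarg() replaces double quotes, percent signs and exclamation marks with spaces, which corrupts a serialized string, so variant 1 only round-trips cleanly on a Unix-like shell.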