Am I to understand that in this case input filtering is not needed?

Good morning.
In the config, in the database, in serialized form (a feature of the platform), a value that can be entered by the user is stored. SQL injections are excluded here, because the serialization happens before the query to the database (plus there are placeholders). After extraction from the DB and after deserialization, we will always be dealing with a string or with an array, mainly in comparisons. This data will never be displayed, and will not be executed as code (as a string or an array of strings).

Am I to understand that in this case it is possible not to bother with any filtering and checks? After all, if the string is never displayed and is not processed, an attack becomes impossible; at most, a comparison will fail.

Thanks in advance.
July 2nd 19 at 17:25
4 answers
July 2nd 19 at 17:27
wrong
July 2nd 19 at 17:29
SQL injections are excluded here, because the serialization happens before the query to the database

You are misunderstanding it; filtering is still needed. Serialization does not give you protection.
Serialization rule in this case injection. SQL is simply broken. - Grant_Bechtelar commented on July 2nd 19 at 17:32
July 2nd 19 at 17:31
Serialization does not escape quotes the way MySQL needs them escaped. I.e., if you pass in a SQL injection, it will go straight through serialization.
July 2nd 19 at 17:33
What kind of placeholders? What is the wrapper? PDO?
SQL injections are excluded here, because the serialization happens before the query to the database
However, the rules of SQL syntax have not been cancelled: the string goes in quotes and special characters are escaped.
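A worked example in PHP, added here and not taken from any of the answers (it assumes the pdo_sqlite extension is available): serialize() keeps the quote from the user's value, so a query built by string concatenation breaks on it, while the placeholder form stores and restores the value intact.

```php
<?php
// Added example, not from the original thread. Shows that serialize() keeps
// quotes intact, so it is the prepared statement (placeholders), not the
// serialization, that keeps the stored value out of the SQL syntax.
// Assumes pdo_sqlite is available; SQLite stands in for MySQL here.

$userInput = "O'Reilly";               // constructed sample input containing a quote
$serialized = serialize($userInput);   // s:8:"O'Reilly"; -- the quote is still there

// Naive interpolation: the quote inside the serialized string breaks the SQL
// syntax. This is the broken "before" form; never build queries this way.
$naive = "INSERT INTO config (k, v) VALUES ('name', '$serialized')";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE config (k TEXT PRIMARY KEY, v TEXT)');

try {
    $pdo->exec($naive);
    echo "naive query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "naive query failed: the quote broke the SQL syntax\n";
}

// Placeholder form: the value travels as data, so quotes cannot alter the statement.
$stmt = $pdo->prepare('INSERT INTO config (k, v) VALUES (:k, :v)');
$stmt->execute([':k' => 'name', ':v' => $serialized]);

// Read back and compare after unserialize(), as the question describes.
// Only strings/arrays are expected, so object instantiation is disabled.
$row = $pdo->query("SELECT v FROM config WHERE k = 'name'")->fetchColumn();
$restored = unserialize($row, ['allowed_classes' => false]);
var_dump($restored === $userInput);    // bool(true)
```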
