RE: Serialize

Simon,

You really should run at least the mysql_real_escape_string function as one
part of a defense against SQL injection attacks. "Serialize"-ing really only
converts your array into a format the database can store and retrieve; it
doesn't do anything to protect you from intentional or unintentional SQL
injection attacks (to the best of my knowledge, at least). The amount of
validation and checking you ultimately need is dependent upon your
individual security concerns/needs, but it's a good rule to avoid inserting
user data without running some sort of minimal (mysql_real_escape_string)
safeguard first.

Hope this helps,
Rich



-----Original Message-----
From: phplist@xxxxxxx [mailto:phplist@xxxxxxx] 
Sent: Wednesday, May 24, 2006 5:39 AM
To: php-db@xxxxxxxxxxxxx
Subject:  Serialize

Hi,

Is a serialized array a "safe" string to enter into a mysql text field? Or
is a function such as mysql_real_escape_string needed to ensure it is
inserted correctly?

regards
Simon.

--
PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit:
http://www.php.net/unsub.php

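The point Rich makes above, shown as an added example that is not part of this thread and not code from either poster: serialize() length-prefixes each string, so a quote character in user input is carried verbatim into the serialized blob, and interpolating that blob straight into an SQL statement breaks (or, with other input, alters) the statement. The example assumes PHP with PDO and the pdo_sqlite extension, and uses an in-memory SQLite database as an offline stand-in for MySQL; the table, input values and function name are constructed for illustration. The fix shown is a prepared statement rather than manual escaping, since the mysql_* functions (including mysql_real_escape_string) were removed in PHP 7.

```php
<?php
// Added example (not from the list thread). SQLite via PDO stands in for
// MySQL so this runs without a server; requires the pdo_sqlite extension.
declare(strict_types=1);

function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE prefs (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

    // Constructed user input: an ordinary surname that happens to contain a quote.
    $userInput = ['name' => "O'Brien", 'theme' => 'dark'];

    // serialize() stores strings length-prefixed, so the quote survives as-is:
    //   a:2:{s:4:"name";s:7:"O'Brien";s:5:"theme";s:4:"dark";}
    $blob = serialize($userInput);
    $results = ['serialized' => $blob];

    // 1. Interpolating the serialized string into SQL: the embedded quote
    //    terminates the literal early and the statement fails to parse.
    //    With differently shaped input it would change the statement's
    //    meaning instead of failing, which is the injection risk.
    try {
        $db->exec("INSERT INTO prefs (data) VALUES ('$blob')");
        $results['interpolated'] = 'inserted';
    } catch (PDOException $e) {
        $results['interpolated'] = 'syntax error';
    }

    // 2. Prepared statement: the blob is bound as a parameter and is never
    //    parsed as SQL, so no escaping step is needed. This replaces the
    //    mysql_real_escape_string() + quoting pattern from the thread.
    $stmt = $db->prepare('INSERT INTO prefs (data) VALUES (:data)');
    $stmt->execute([':data' => $blob]);

    // Read it back and confirm the array round-trips intact. allowed_classes
    // => false keeps unserialize() from instantiating objects from stored data.
    $stored = $db->query('SELECT data FROM prefs')->fetchColumn();
    $results['round_trip_ok'] =
        unserialize($stored, ['allowed_classes' => false]) === $userInput;

    return $results;
}

print_r(demo());
```

Running it prints the serialized blob, `syntax error` for the interpolated insert, and `round_trip_ok` as true for the bound insert. The same pattern applies to MySQL with `new PDO('mysql:...')` or with mysqli prepared statements; the lesson is that serialization only changes the data's shape, while parameter binding (or, historically, escaping) is what keeps it out of the SQL grammar.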