Home/ Questions/Q 3807008
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T14:55:24+00:00

I might sound a bit weird but, is there a way? For example, I

  • 0

I might sound a bit weird but, is there a way? For example, I have a PHP object $foo.

Is there a way to store this object in an HTML form (hidden input) by some object encrypting function and later retrieved with decryption function.

Similarly, can I pass these objects through GET method?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Like pointed out elsewhere already, you can use serialize to turn the object into a string.

    $foo = (object) array(
    'foo' => 'foo & bär',
    'bar' => new StdClass
);

$serialized = serialize($foo);

    This gives:

    O:8:"stdClass":2:{s:3:"foo";s:10:"foo & bär";s:3:"bar";O:8:"stdClass":0:{}}

    As you can see there is quotes in that string, so you cannot insert that into a link without risking breaking your markup:

    <a href="http://example.com?s=O:8:" <-- quote closes href

    So at the very least you’d have to htmlspecialchars or urlencode that output. However, that would still leave the content easily readable. You could make use of PHP’s MCrypt library to put some strong encryption on the string. But if the data really is that sensitive, you should probably find another means of transferal, away from the public facing portion of your site.

    If the data is less sensitive, then you can probably safe some CPU cycles by just obfuscating the string. The easiest way to do that is to run it through gzdeflate:

    echo gzdeflate(serialize($foo));

    gives something like

    R*.Iq�I,.V�2��.�2�RJ��W�.�24 …

    Using gzdeflate will also shorten large serialized strings. The drawback is, it produces output unfit for transferal via HTTP, so you also have to base64_encode that:

    echo base64_encode(gzdeflate(serialize($foo)));

    which will then give

    87eysFIqLklxzkksLlayMrKqLrYytlJKy89Xsi62MjQAMxXUFJIOLykCiQDlkhKBLH9UfQZW1bW1AA==

    And that’s safe for transferal and also pretty obfuscated from the original serialized string. Because we have compressed the string before we base64’ed it, anyone smart enough to figure out it’s base64 will still have to make sense of the compressed string when trying to reverse it.

    To turn the string back into an object, you then do

    unserialize(
    gzinflate(
        base64_decode(
            $obfuscatedString
        )
    )
)

    and get your object back. Demo

    A note on Security

    The above is still insecure. You should not rely on obfuscation for security. If you transfer an object or an entire object graph via HTTP, you have to consider them as user input on the receiving end. User input cannot be trusted. Malicious users figuring out how the string was obfuscated can provide an altered input. Because you are unserializing objects back into the program flow, you have to be absolutely paranoid about the resulting object.

    See http://www.sektioneins.com/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/ for a related example.

    • 0