Sending objects to another page by serialize, is it secure?

Bijan

I was wondering if it's anything wrong with using serialize to send my objects via hidden values to the action page. I use:

<input type="checkbox" name="chkbox" value="<?=urlencode( serialize( $myObj ) )?>">

So, it writes the name of my classes in the value part of the checkbox, and I was wondering if it can cause any security problem. I can simply put the id of what I like to be transfered in the value and then I find it in the action page by selecting its value from the database. But if it's nothing wrong with using serialize, it's really easier this way I think!

Thanks for your help

ednark

NO not secure at alll

any monkey could view source of your page, paste it into their text editor, change the values of the object serialized and presto youve been h4x0r3d

look into storing the objects in a $SESSION instead and simply passing the id of the object in the form... then the next page looks up
$SESSION['myobjects][$id] for the correct object

Bijan

Thank you! My instinct was telling me that it should be something wrong with it, I just couldn't figure out what!

PS: Is this correct: I think that I shall never see a poem as lovely as a binary tree ?!!

PSS: what does that h4x0r3d mean?!

ednark

RE😛S heheh yes that what it means... you have to traverse the poem (binary tree) with left handed depth first recursion and it reads correctly... its an algorithm joke

RE😛SS its a goofy hacker type thing. numbers stand for letters.. some numbers kinda look like capital letters

h4x0r3d
hAxOrEd
hacked