by ryanlol
3787 days ago
> PHP Object Injection in PHP 5: don't ever pass user input to unserialize(); use json_decode() instead.

> PHP Object Injection in PHP 7: either disable object loading or whitelist the allowed types; i.e. unserialize($var, false); or unserialize($var, ['DateTime']);

I'd stick to not unserializing user input in both cases, that's a can of worms you just don't want to open. Also, RNG bugs are common and exploitable enough to be worth noting: never use mt_rand, stick to openssl_random_pseudo_bytes.
Also, random_bytes() > openssl_random_pseudo_bytes() :P
Though if you use random_compat[1] it might be the same function ;)
[1]: https://github.com/paragonie/random_compat
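The two points raised in this thread (keep untrusted data away from unserialize(), and prefer random_bytes() over mt_rand()/openssl_random_pseudo_bytes()) as one added PHP 7 example. This is not code from the thread or from random_compat; the function names decodeUntrusted(), unserializeScalarsOnly(), unserializeWhitelisted(), containsIncompleteObject() and newToken() are ours, and the sample payload is constructed with serialize() in the script itself. Note that the real PHP 7 signature takes an options array, i.e. unserialize($data, ['allowed_classes' => false]), rather than a bare boolean second argument.

```php
<?php
declare(strict_types=1);

// Option preferred in the thread: never unserialize user input. JSON carries
// no class information, so json_decode() can't instantiate arbitrary objects
// and trigger their __wakeup()/__destruct() magic methods.
function decodeUntrusted(string $input): array
{
    $data = json_decode($input, true);            // true => assoc arrays, no stdClass
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object or array');
    }
    return $data;
}

// If legacy code forces unserialize(), PHP 7.0+ accepts an options array.
// allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class instead of instantiating it.
function unserializeScalarsOnly(string $input)
{
    $value = @unserialize($input, ['allowed_classes' => false]);
    // unserialize() returns false on malformed input; serialize(false) is the
    // one legitimate payload that also yields false.
    if ($value === false && $input !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return $value;
}

// Whitelist variant: only the listed class names are instantiated; any other
// class in the payload still becomes __PHP_Incomplete_Class.
function unserializeWhitelisted(string $input, array $allowedClasses)
{
    $value = @unserialize($input, ['allowed_classes' => $allowedClasses]);
    if ($value === false && $input !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return $value;
}

// Defensive check: refuse payloads that smuggled in a class we did not allow,
// instead of silently carrying __PHP_Incomplete_Class instances around.
function containsIncompleteObject($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// CSPRNG: random_bytes() is native in PHP 7 and polyfilled on PHP 5 by
// random_compat (the library linked above). mt_rand() is a predictable PRNG
// and must not be used for tokens, session ids, or secrets.
function newToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));         // throws if no secure source exists
}

// Constructed sample payload, built locally rather than taken from a request.
$payload = serialize(['user' => 'alice', 'when' => new DateTime('2016-01-01')]);

$scalarsOnly = unserializeScalarsOnly($payload);
echo 'object loading disabled, incomplete object present: ';
var_dump(containsIncompleteObject($scalarsOnly));

$whitelisted = unserializeWhitelisted($payload, ['DateTime']);
echo 'DateTime whitelisted, restored as DateTime: ';
var_dump($whitelisted['when'] instanceof DateTime);

$fromJson = decodeUntrusted('{"user":"alice","when":"2016-01-01"}');
echo 'json_decode() path, plain array: ';
var_dump(is_array($fromJson) && !containsIncompleteObject($fromJson));

echo 'token: ', newToken(16), PHP_EOL;
```

With allowed_classes => false the DateTime in the payload comes back as __PHP_Incomplete_Class, so containsIncompleteObject() is the check that tells you something outside the whitelist was in the data; treating that as an error rather than a warning is the defensive choice. The json_decode() path needs no such check at all, which is the point the first comment makes.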