The serialize function converts a PHP data structure (such as an array or object) into a string. This turns complex data into a form that can be stored or transmitted.
$data = array("username" => "admin", "password" => "123456");
$serialized_data = serialize($data);
echo $serialized_data;
The output string is as follows:
a:2:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";}
This string can be stored in a file or database. But, as mentioned earlier, serialize itself provides no encryption, so the stored data is plain text and can easily be read or tampered with by an attacker.
To protect stored data at rest and in transit, the serialize string usually needs to be encrypted. Common approaches are symmetric and asymmetric encryption. In PHP, functions such as openssl_encrypt and sodium_crypto_secretbox can be used to encrypt data.
Here is sample code that encrypts a serialize string before storing it:
$data = array("username" => "admin", "password" => "123456");
$serialized_data = serialize($data);
// Key (in practice, generate it randomly and store it confidentially)
$key = "secretkey123";
// Encrypt with OpenSSL
$encrypted_data = openssl_encrypt($serialized_data, "AES-128-ECB", $key);
// Store the encrypted data (here it is only printed)
echo "Encrypted: " . $encrypted_data;
In the above code, the data is first converted into a string with serialize and then encrypted by openssl_encrypt. The symmetric algorithm AES-128-ECB is used here; in real applications choose another mode, because ECB encrypts each 16-byte block independently (identical plaintext blocks give identical ciphertext blocks) and offers no way to detect a modified ciphertext. After encryption, the data is no longer readable.
When the stored encrypted data is needed, decrypt it with openssl_decrypt:
// openssl_decrypt returns false if the key or ciphertext is wrong
$decrypted_data = openssl_decrypt($encrypted_data, "AES-128-ECB", $key);
$unserialized_data = unserialize($decrypted_data);
// Output the decrypted data
print_r($unserialized_data);
After decrypting with openssl_decrypt, unserialize restores the decrypted string to the original PHP data structure.
Encrypting stored data is only one part of keeping it secure. Some additional measures further improve security:
When transferring sensitive data, always use HTTPS, which protects the data from being read or altered in transit.
The encryption key must be strong and kept confidential. Avoid simple or easily guessed keys. A random key can be generated with openssl_random_pseudo_bytes:
$key = bin2hex(openssl_random_pseudo_bytes(16)); // 16 random bytes, hex-encoded for storage (32 characters)
Rotating keys regularly is a best practice. With key rotation, even if a key is leaked, an attacker holding an expired key cannot decrypt all of the data.
Ensure that only authorized users or programs have access to sensitive data. Use an access control list (ACL) or role management system to limit access to stored data.
If you store PHP objects, take care to prevent PHP object injection (POI) attacks. Never pass untrusted input to unserialize, and if possible avoid using unserialize at all on data from untrusted sources.
You can restrict the classes unserialize is allowed to instantiate with the allowed_classes option:
// Only instances of YourClass may be created; any other class becomes __PHP_Incomplete_Class
$data = unserialize($decrypted_data, ["allowed_classes" => ["YourClass"]]);
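The following is an added example, not code from the original article, that combines the two points above: the serialized value is protected with sodium_crypto_secretbox (authenticated encryption, so any tampering is detected before unserialize runs), and unserialize is called with allowed_classes set to false because only arrays are expected. The key is generated at runtime for demonstration only; in practice it is generated once and stored outside the web root. The function names and the sample data are constructed for this example.

```php
<?php
// Added example: authenticated encryption of a serialized array with libsodium.
// Requires the sodium extension bundled with PHP >= 7.2.

// Demo only: a real deployment loads this 32-byte key from protected storage.
$key = sodium_crypto_secretbox_keygen();

function sealSerialized(array $data, string $key): string
{
    // Fresh random nonce per message; it is not secret and is stored with the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox(serialize($data), $nonce, $key);
    return base64_encode($nonce . $ciphertext);
}

function openSerialized(string $blob, string $key): ?array
{
    $raw = base64_decode($blob, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Returns false when the MAC does not verify (wrong key or modified bytes),
    // so a tampered blob never reaches unserialize().
    $plain = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plain === false) {
        return null;
    }
    // Only plain arrays/scalars are expected here, so refuse every object.
    $value = unserialize($plain, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// Constructed sample data.
$blob = sealSerialized(['username' => 'admin', 'password' => '123456'], $key);
print_r(openSerialized($blob, $key));   // the original array

// Change one character of the stored blob: decryption fails and null is returned.
$tampered = $blob;
$tampered[20] = ($tampered[20] === 'A') ? 'B' : 'A';
var_dump(openSerialized($tampered, $key));   // NULL
```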
Ensure that sensitive data has a secure backup and that the backup itself is encrypted. Regularly verify that backups are intact and restorable to avoid data loss or tampering.