PHP Serialize Function - Adding serialized data to mysql and then fetch and display

Question

I want to know whether the PHP serialize function is 100% secure, also if we store serialized data into a database and want to do something after fetching it, will it be a nice way.

For example:- I have a website with different user privileges, now i want to store the permissions settings for a particular privilege to my database (This data i want to store is to be done through php serialize function), now when a user logs in i want to fetch this data and set the privilege for the customer.

Now i am ok to do this thing, what i want to know is, whether it is the best way to do or something more efficient can be done.

Also, i was going through php manual and found this code, can anybody explain me a bit what's happening in this code:- [Specially why base64_encode is used?]

<?php 
mySerialize( $obj ) { 
return base64_encode(gzcompress(serialize($obj))); 
} 

myUnserialize( $txt ) { 
return unserialize(gzuncompress(base64_decode($txt))); 
} 
?>

Also if somebody can provide me their own code to show me to do this thing in the most efficient manner.

I have a problem, i have so many fields to take as privileges, now for say i have 45 modules for administrators and 30 modules for users to take under permissions/privileges. In future (as i am constantly working on this project) i will be adding more and more modules, lets say around 100 more, so how will i be able to define the privileges. And even i am adding a module to create customized groups having custom privileges. How will i achieve it, keeping efficiency in mind? Please help :|

I AM NOT GOING TO USE SERIALIZED DATA FOR SEARCHING

My Database:-

Note:- Users privileges will be granted through : privileges_level

Note:- In privileges_permissions i want to add all the privileges in a serialized form.

Thanks.

Answer 1

I want to know whether the PHP serialize function is 100% secure

this function has nothing to do with security at all. It's just a way to represent complex data structure as a string. that's all.
Database security is another matter, completely indifferent to the source of the form of the data.

if we store serialized data into a database and want to do something after fetching it, will it be a nice way.

Definitely NOT
This way you are spoiling the whole neat idea of the relational databases, which you are supposedly using.
A data should be present in the database in the Normal form, means atomic - each entity occupying distinct cell. Not a whole bunch of unstructured unaccessible data with no possibility of establishing any relation with other data.

what's happening in this code

nothing sensible.

To answer the question from the title

• Do not store serialized data in mysql
• Create a table/structure of tables that represents the data structure of your application, keeping all the data bits separated and accessible.

I AM NOT GOING TO USE SERIALIZED DATA FOR SEARCHING

This is but a delusion, from the lack of experience.

Welcome back in couple months, with a question "help me to redone my setup! it is going out of control!"

Answer 2

Serialization can be attempted or can be a good approach to store user settings 
or preferences – you only really need to store the settings that differ from the
default values.

Serialization is good approach for just storing and getting back data
not for 
searching on the serialized column or update individual value in the column. 

If you want to just store and update user settings as on change and just
deserialize      nothing from php and nothing to do with the values in the column
much specifically. Go for Serialization.

It can in no ways help you maintain 
relationship   with serialized data. The moment you require to make the data
serialized   meaningful or relational. You need to 
normalize.

If the application really is schema-less and has a lot of optional parameters that do not appear in every record, serializing the data in one column can be a better idea than having many extra columns that are NULL.

This will answer your question

You need to take care:

1) If you are constantly making small updates to one piece of data in a very large blob, the effort MySQL has to go to is greatly increased.

2) loss in functionality: I think you dont need it for user settings.

Answer 3

Anything that's convertible back to its original form is never made for security purpose.

Serialize is one of the convenience methods to transfer php specific representation of object or array into a text so that you can save it in a native file or transfer it over TCP

base64_encoding has also similar purpose, useful if you need to transfer binary from a platform to another platform (for example if you are building an app that allows users to upload images to your server)

gz*compress is simply a string compressing function.

Bottom line is, if you would like to "secure" your data, use a one way hash such as sha or md5.

http://php.net/manual/en/function.hash.php

For storing privileges, it's better to just create a separate table to store privileges name and ID and if you want to enable multiple privileges for each user, create a bridging table to map between your users and their privileges. If one user has one privilege, then just add a privilege_id in each user in your users table.

-- EDIT

If you have a lot of customized rules for each privilege, just go ahead and do it anyway, 100 is a very manageable number by even the most basic setup of mysql installation, no issue.

One idea is to create another table that maps a set of privileges to a group and if you can have a user having access to one or more groups, then your mapping table would be from user to group.

Answer 4

I suggest you should try MongoDB

It's a document-oriented database. You can store and retrieve the object or array directly. No need to serialize.