Storing PHP arrays in cookies
How is proper way to store an array in a cookie? in PHP Code example:
$number_ticket=2;
$info[7][5]=1;
$info[8][5]=1;
To store the array values in cookie, first you need to convert them to string, so here is some options.
Storing cookies as JSON
Storing code
setcookie('your_cookie_name', json_encode($info), time()+3600);
Reading code
$data = json_decode($_COOKIE['your_cookie_name'], true);
JSON can be good choose also if you need read cookie in front end with JavaScript.
Actually you can use any encrypt_array_to_string
/decrypt_array_from_string
methods group that will convert array to string and convert string back to same array.
For example you can also use explode
/implode
for array of integers.
Warning: Do not use serialize/unserialize
From PHP.net
Do not pass untrusted user input to unserialize().
- Anything that coming by HTTP including cookies is untrusted!
References related to security
- http://php.net/manual/en/function.unserialize.php#refsect1-function.unserialize-notes
- https://www.owasp.org/index.php/PHP_Object_Injection
- https://websec.files.wordpress.com/2010/11/rips_ccs.pdf
- https://www.notsosecure.com/remote-code-execution-via-php-unserialize/
- https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes-unserialize()/
- https://hakre.wordpress.com/2013/02/10/php-autoload-invalid-classname-injection/
- https://security.stackexchange.com/questions/77549/is-php-unserialize-exploitable-without-any-interesting-methods
As an alternative solution, you can do it also without converting array to string.
setcookie('my_array[0]', 'value1' , time()+3600);
setcookie('my_array[1]', 'value2' , time()+3600);
setcookie('my_array[2]', 'value3' , time()+3600);
And after if you will print $_COOKIE
variable, you will see the following
echo '<pre>';
print_r( $_COOKIE );
die();
Array ( [my_array] => Array ( [0] => value1 [1] => value2 [2] => value3 ) )
This is documented PHP feature.
From PHP.net
Cookies names can be set as array names and will be available to your PHP scripts as arrays but separate cookies are stored on the user's system.
Serialize data:
setcookie('cookie', serialize($info), time()+3600);
Then unserialize data:
$data = unserialize($_COOKIE['cookie'], ["allowed_classes" => false]);
After data, $info and $data will have the same content.
Using serialize and unserialize on cookies is a security risk. Users (or attackers) can alter cookie data, then when you unserialize it, it could run PHP code on your server. Cookie data should not be trusted. Use JSON instead!
From PHP's site:
Do not pass untrusted user input to
unserialize()
regardless of theoptions
value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Use a safe, standard data interchange format such as JSON (viajson_decode()
andjson_encode()
) if you need to pass serialized data to the user.
Try serialize()
. It converts an array into a string format, you can then use unserialize()
to convert it back to an array. Scripts like WordPress use this to save multiple values to a single database field.
You can also use json_encode()
as Rob said, which maybe useful if you want to read the cookie in javascript.