rspec/rules/S5135/php/how-to-fix-it/laminas.adoc

== How to fix it in Laminas

=== Code examples

The following code is vulnerable to deserialization attacks because it
deserializes HTTP data without validating it first.

==== Noncompliant code example

[source,php,diff-id=11,diff-type=noncompliant]
----
$serializer = new Adapter\PhpSerialize();
$session = $serializer->unserialize($_COOKIE['session']); // Noncompliant
return new ViewModel([
    "auth" => $session->auth
]);
----

==== Compliant solution

[source,php,diff-id=11,diff-type=compliant]
----
$serializer = new Adapter\Json();
$session = $serializer->unserialize($_COOKIE['session']);
return new ViewModel([
    "auth" => $session['auth']
]);
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/safer-serialization.adoc[]

The example compliant code uses the `Json` adapter to perform the
deserialization. This one will not carry out any automatic object instantiation
and is thus safer than its `PhpSerialize` counterpart.

include::../../common/fix/integrity-check.adoc[]

include::../../common/fix/pre-approved-list.adoc[]

=== Pitfalls

include::../../common/pitfalls/constant-time.adoc[]