Serialize and deserialize

2005 Feb 9 at 06:11

Drupal apparently relies heavily on object serialization and deserialization. Once upon a time I was a big fan of this tactic; only later did I realize that it may be more processor intensive than creating a new object and assigning it values.

More recently this subject has been the topic of debate on various mailing lists and message boards, particularly in view of the fact that it opens up possibilities for exploits. When an object is serialized it becomes a textual string, which can be modified without too much difficulty if you can gain access to it. Having said that, such a possibility may arise only in a shared hosting environment, and shared hosting environments are never safe.
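To make the "textual string" point concrete, here is an added example (not code from the post or from Drupal, and in Python rather than PHP) that writes a small record in PHP's serialize() text format and then shows the usual defence when such a string has to live somewhere a third party might reach: attach an HMAC so that any edit to the text is detected before it is deserialized. The key is a constructed placeholder.

```python
import hmac
import hashlib

def php_serialize(value):
    """Encode a value in PHP's serialize() text format (subset: bool, int, str, dict)."""
    if isinstance(value, bool):            # bool must be checked before int
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # PHP records the byte length, not the character count
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type: %r" % type(value))

def sign_blob(blob, key):
    """Prefix the serialized text with an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, blob.encode("utf-8"), hashlib.sha256).hexdigest()
    return tag + ":" + blob

def verify_blob(signed, key):
    """Return the serialized text if its tag matches, otherwise None (do not unserialize)."""
    tag, _, blob = signed.partition(":")
    expected = hmac.new(key, blob.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return blob

if __name__ == "__main__":
    KEY = b"constructed-placeholder-key"      # assumption: a real secret lives outside the code
    record = {"uid": 3, "name": "alice", "admin": False}
    blob = php_serialize(record)               # plain text anyone with file access can read and edit
    signed = sign_blob(blob, KEY)
    tampered = signed.replace("b:0;", "b:1;")  # flipping one byte would grant admin without the tag
    print(blob)
    print("untouched verifies:", verify_blob(signed, KEY) == blob)
    print("tampered verifies: ", verify_blob(tampered, KEY) is not None)
```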

Other Content Management Systems, blogs and message boards are also in the habit of using this technique, and the wisdom of doing so needs to be questioned.