[solved] serializing and escaping

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Skittlewidth
Forum Contributor
Posts: 389
Joined: Wed Nov 06, 2002 9:18 am
Location: Kent, UK

Post by Skittlewidth »

I've finally got some time to revisit a project I started a few months ago that I'm doing my best to make 100% OOP, not just because I feel like it, but because it suits the nature of it.

The user creates a survey, adding questions, answer types/ multiple choices etc, and the whole thing is neatly packaged into an object, which is serialized and stored in a database where it can then be called and run.

Basic testing went fine way back whenever, but then yesterday when I returned to it I created a questionnaire that saved correctly but then could not be unserialized. I figure it was because of apostrophes and speech marks in some of the questions.

I'm a little confused whether to use mysql_real_escape_string() on the questions before they get added to the object, or whether to escape the entire object after serializing (sounds like a bad idea). I've tried both and now I've messed my code up real nice!

Running stripslashes() on the serialized object before unserializing did nothing to solve the original problem.

What's the proper procedure?
Last edited by Skittlewidth on Wed Feb 15, 2006 5:14 am, edited 1 time in total.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Using mysql_real_escape_string() on a serialized object should not create any issues, as the escaping character ('\' in this case) is not inserted by the RDBMS.

If you are still finding escaping chars in your inserts, you may have the usual problem of magic_quotes, but we'll come back to that if that is the problem.

So, (in pseudo-ish code) the below should not present any problems, as far as escaping goes:

Code:

<?php

// Assumes a connection has already been opened with mysql_connect();
// mysql_real_escape_string() needs it to know the connection's charset.
$obj = new ClassObject();

$serialObj = serialize($obj);

// Escape once, only where the blob goes into the query. The backslashes are
// consumed by the SQL parser and never reach the column, so nothing needs
// stripslashes() when the row is read back.
$query = "INSERT INTO `table` (`column`) VALUES ('" . mysql_real_escape_string($serialObj) . "')";

mysql_query($query);

?>

Post by Skittlewidth »

I've heard about the magic_quotes problem, but on my local machine they've always been off, although I now suspect that they will be set to on, on our hosting servers, so that probably will be an issue later.

Escaping the entire object has worked as far as inserting the object into the db, but again unserialize is failing with this error:

Code:

Notice: unserialize() [function.unserialize]: Error at offset 155 of 305 bytes in c:\****\***\***.php on line 47
This is roughly where the string

Code:

"I can't "take" anym(o)re?"
occurs, which has been escaped and looks like

Code:

"I can\'t \"take\" anym(o)re?"
in the database.
I've run stripslashes before calling unserialize().

Post by Skittlewidth »

I've just realised I was being daft. I don't need to run stripslashes, running them beforehand was actually causing the problem, which is completely logical now that I've thought about it.
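The mechanism behind the whole thread, as an added example that is not code from any of the posters: Jenk's procedure (escape once, only in the query) round-trips, while escaping the questions before they go into the object puts backslashes into the serialized data, after which stripslashes() on the retrieved blob changes the byte count without updating the s:N: length prefixes, which is exactly what unserialize() reports as "Error at offset". Assumptions: addslashes() stands in for mysql_real_escape_string() (same backslash escaping of ' and ", and no live connection required), and simulateMysqlStore() stands in for the server, which consumes the backslashes of a quoted literal so the column never contains them. The Survey class and the sample question are constructed for the example; it needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the poster's survey object.
final class Survey
{
    /** @var string[] */
    public array $questions = [];

    public function addQuestion(string $text): void
    {
        $this->questions[] = $text;
    }
}

// Assumption: what the RDBMS stores after parsing a backslash-escaped
// string literal in the INSERT statement (the escaping is consumed).
function simulateMysqlStore(string $escapedLiteral): string
{
    return stripslashes($escapedLiteral);
}

// Correct procedure: escape once, only when building the query.
function storeCorrectly(string $question): string
{
    $survey = new Survey();
    $survey->addQuestion($question);            // raw text goes into the object
    $blob = serialize($survey);                 // s:N: lengths count the raw bytes
    $literal = addslashes($blob);               // stand-in for mysql_real_escape_string()
    $sql = "INSERT INTO `table` (`column`) VALUES ('" . $literal . "')";
    return simulateMysqlStore($literal);        // the column holds $blob unchanged
}

// The failure from the thread: questions escaped before they enter the object.
function storeEscapedFirst(string $question): string
{
    $survey = new Survey();
    $survey->addQuestion(addslashes($question)); // backslashes become part of the data
    $blob = serialize($survey);                  // s:N: now counts the backslashes too
    $literal = addslashes($blob);                // escaped a second time for the query
    return simulateMysqlStore($literal);         // the column holds the single-escaped blob
}

// Rebuild a survey from the column value. allowed_classes stops unserialize()
// from instantiating arbitrary classes should the stored blob ever be tampered with.
function loadSurvey(string $stored): ?Survey
{
    $survey = @unserialize($stored, ['allowed_classes' => [Survey::class]]);
    return $survey instanceof Survey ? $survey : null;
}

// Constructed sample question with the same apostrophe and speech marks as the thread's.
$question = 'I can\'t "take" anym(o)re?';

$good = storeCorrectly($question);
printf("escape once, no stripslashes: %s\n",
    loadSurvey($good)->questions[0] === $question ? 'round-trips' : 'broken');

$bad = storeEscapedFirst($question);
// The blob still unserializes, but the question now carries backslashes...
printf("escaped before serializing: %s\n", loadSurvey($bad)->questions[0]);
// ...and stripslashes() on the whole blob makes every s:N: prefix lie about its
// string, so unserialize() fails partway through with "Error at offset X of Y bytes".
printf("stripslashes then unserialize: %s\n",
    loadSurvey(stripslashes($bad)) === null ? 'fails' : 'ok');
```

The same "escaped before serializing" shape is what magic_quotes_gpc produces on the hosting server the poster expects: the questions arrive in $_POST already carrying backslashes, so the only place to undo that is once at input time, never on the serialized blob. The mysql_* functions were removed in PHP 7; with PDO or mysqli prepared statements the blob is sent as a bound parameter and the escaping question disappears entirely.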