I've finally got some time to revisit a project I started a few months ago that I'm doing my best to make 100% OOP, not just because I feel like it, but because it suits the nature of it.
The user creates a survey, adding questions, answer types / multiple choices, etc., and the whole thing is neatly packaged into an object, which is serialized and stored in a database where it can then be called and run.
Basic testing went fine way back whenever, but then yesterday when I returned to it I created a questionnaire that saved correctly but then could not be unserialized. I figure it was because of apostrophes and speech marks in some of the questions.
I'm a little confused whether to use mysql_real_escape_string() on the questions before they get added to the object, or whether to escape the entire object after serializing (sounds like a bad idea). I've tried both and now I've messed my code up real nice!
Running stripslashes() on the serialized object before unserializing did nothing to solve the original problem.
What's the proper procedure?
[solved] serializing and escaping
- Skittlewidth
- Forum Contributor
- Posts: 389
- Joined: Wed Nov 06, 2002 9:18 am
- Location: Kent, UK
Last edited by Skittlewidth on Wed Feb 15, 2006 5:14 am, edited 1 time in total.
Using mysql_real_escape_string() on a serialized() object should not create any issues, as the escaping character ('\' in this case) is not inserted by the RDBMS.
If you are still finding escaping characters in your inserts, you may have the usual problem of magic_quotes, but we'll come back to that if that is the problem.
So, (in pseudo-ish code) the below should not present any problems, as far as escaping goes:
```php
<?php
$obj = new ClassObject();                 // the survey object to persist
$serialObj = serialize($obj);             // serialize() emits no backslashes of its own
// escape only for the SQL literal; the RDBMS drops the escape characters on INSERT,
// so the stored value is the unmodified serialized string
$query = "INSERT INTO `table` (`column`) VALUES ('" . mysql_real_escape_string($serialObj) . "')";
mysql_query($query);
?>
```
I've heard about the magic_quotes problem, but on my local machine they've always been off, although I now suspect that they will be set to on on our hosting servers, so that probably will be an issue later.
Escaping the entire object has worked as far as inserting the object into the db, but again unserialize is failing with this error:
```
Notice: unserialize() [function.unserialize]: Error at offset 155 of 305 bytes in c:\****\***\***.php on line 47
```
This is roughly where the string occurs:
```
"I can't "take" anym(o)re?"
```
which has been escaped and looks like
```
"I can\'t \"take\" anym(o)re?"
```
in the database.
I've run stripslashes before calling unserialize().
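An added example (not code from the thread) showing why the "Error at offset N of M bytes" appears once a backslash lands inside the stored payload, and a loader that rejects such rows instead of patching them with stripslashes(). It assumes a constructed question string, an array standing in for the survey object, addslashes()/stripslashes() standing in for the SQL escape and the server's unescape (the mysql_* extension no longer exists in PHP 7+), and the allowed_classes option of unserialize(), which needs PHP 7.0 or later; pass ['ClassObject'] for the real object.

```php
<?php
// Added example: assumes a constructed sample question and simulates the
// INSERT escape / server unescape with addslashes() / stripslashes().

// serialize() prefixes each string with its byte length, e.g. s:25:"...";.
// unserialize() trusts that count, so one extra backslash shifts every later
// offset and the parse aborts with "Error at offset N of M bytes".
$question = 'I can\'t "take" anym(o)re?';   // constructed, like the one in the thread
$survey   = ['question' => $question];
$serial   = serialize($survey);

// Case 1: backslashes added to the payload after serialize() and never removed
// (magic_quotes_runtime on fetch, or escaping twice). The length field still
// says 25 while the text is now 28 bytes, so unserialize() cannot parse it.
$damaged = addslashes($serial);

// Case 2: escaping only the SQL literal. The server strips the backslashes on
// INSERT, so what is stored is byte-for-byte the output of serialize().
$sql_literal = addslashes($serial);        // goes between the quotes in VALUES ('...')
$stored      = stripslashes($sql_literal); // what the server keeps

// Loader that refuses damaged input rather than stripping slashes blindly,
// and limits which classes may be instantiated (allowed_classes, PHP 7.0+).
function load_survey(string $blob, array $allowed_classes)
{
    $data = @unserialize($blob, ['allowed_classes' => $allowed_classes]);
    if ($data === false && $blob !== serialize(false)) {
        return null;   // length fields do not match the bytes: reject the row
    }
    return $data;
}

// Round-trip check to run once against the real DB: the fetched blob must be
// identical in length and content to what serialize() produced.
function round_trip_ok(string $original, string $fetched): bool
{
    return strlen($original) === strlen($fetched) && hash_equals($original, $fetched);
}

// For the real survey object, pass ['ClassObject'] as the allow-list.
$checks = [
    'damaged payload rejected' => load_survey($damaged, []) === null,
    'stored bytes unchanged'   => round_trip_ok($serial, $stored),
    'stored payload restores'  => load_survey($stored, []) === $survey,
];
foreach ($checks as $name => $ok) {
    echo $name, ': ', $ok ? 'pass' : 'FAIL', PHP_EOL;
}
```

If round_trip_ok() fails against the live database, some layer between mysql_real_escape_string() and the fetch is altering bytes (a second escape pass or magic_quotes_runtime), and that layer is what to fix, not the payload.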