[solved] serializing and escaping
Posted: Wed Feb 15, 2006 4:19 am
I've finally got some time to revisit a project I started a few months ago that I'm doing my best to make 100% OOP, not just because I feel like it, but because it suits the nature of it.
The user creates a survey, adding questions, answer types/ multiple choices etc, and the whole thing is neatly packaged into an object, which is serialized and stored in a database where it can then be called and run.
Basic testing went fine way back whenever, but then yesterday when I returned to it I created a questionnaire that saved correctly but then could not be unserialized. I figure it was because of apostrophes and speech marks in some of the questions.
I'm a little confused whether to use mysql_real_escape_string() on the questions before they get added to the object, or whether to escape the entire object after serializing (sounds like a bad idea). I've tried both and now I've messed my code up real nice!
Running stripslashes() on the serialized object before unserializing did nothing to solve the original problem.
What's the proper procedure?
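An added illustration (not the poster's code) of why the serialized blob must reach the database byte-for-byte unchanged: PHP's serialize() records every string length, so any escaping that ends up in the stored copy breaks unserialize(), while escaping that only protects the SQL statement (here a PDO bound parameter) round-trips cleanly. Assumes PHP 7.4+ with the pdo_sqlite extension; the Survey class and the sample questions are constructed for the demo.

```php
<?php
// Added example: escaping belongs at the SQL boundary, never inside the
// serialized data that is actually stored.

class Survey {
    public array $questions = [];
}

// Constructed sample questions containing apostrophes and speech marks.
$survey = new Survey();
$survey->questions[] = "What's your name?";
$survey->questions[] = 'Do you "agree"?';

$blob = serialize($survey);
// serialize() emits length-prefixed strings, e.g. s:17:"What's your name?";
// Any byte added or removed after this point makes unserialize() fail.

// WRONG: the escaped text itself ends up in storage (an escaping step that
// runs twice, or the escaped copy being kept). Backslashes are inserted but
// the recorded lengths are unchanged, so unserialize() returns false.
function storeEscapedCopy(string $blob): string {
    return addslashes($blob);   // stands in for mysql_real_escape_string()
}
$corrupt = storeEscapedCopy($blob);
var_dump(@unserialize($corrupt));   // bool(false)

// RIGHT: a bound parameter (or escaping applied only to the query text)
// protects the SQL statement; the database stores the original bytes.
// Simulated with an in-memory SQLite table (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE surveys (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO surveys (data) VALUES (:data)');
$ins->execute([':data' => $blob]);

$stored = $db->query('SELECT data FROM surveys WHERE id = 1')->fetchColumn();
assert($stored === $blob);   // byte-identical round trip

// Restrict unserialize() to the expected class so a tampered row cannot
// instantiate arbitrary objects (PHP 7+).
$restored = unserialize($stored, ['allowed_classes' => [Survey::class]]);
print_r($restored->questions);
```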