[solved] serializing and escaping

Posted: Wed Feb 15, 2006 4:19 am
by Skittlewidth
I've finally got some time to revisit a project I started a few months ago that I'm doing my best to make 100% OOP, not just because I feel like it, but because it suits the nature of it.

The user creates a survey, adding questions, answer types/ multiple choices etc, and the whole thing is neatly packaged into an object, which is serialized and stored in a database where it can then be called and run.

Basic testing went fine way back whenever, but then yesterday when I returned to it I created a questionnaire that saved correctly but then could not be unserialized. I figure it was because of apostrophes and speech marks in some of the questions.

I'm a little confused whether to use mysql_real_escape_string() on the questions before they get added to the object, or whether to escape the entire object after serializing (sounds like a bad idea). I've tried both and now I've messed my code up real nice!

Running stripslashes() on the serialized object before unserializing did nothing to solve the original problem.

What's the proper procedure?

Posted: Wed Feb 15, 2006 4:30 am
by Jenk
Using mysql_real_escape_string() on a serialized() object should not create any issues, as the escaping character ('\' in this case) is not inserted by the RDBMS.

If you are still finding escaping chars in your inserts, you may have the usual problem of magic_quotes, but we'll come back to that if that is the problem.

So, (in pseudo-ish code) the below should not present any problems, as far as escaping goes:

Code:

<?php

// Build the object and serialize it to a plain string.
$obj = new ClassObject();
$serialObj = serialize($obj);

// Escape the serialized string exactly once, for the SQL statement only.
// The SQL parser consumes the backslashes, so the stored value is the
// unmodified serialized string and can be passed straight to unserialize().
$query = "INSERT INTO `table` (`column`) VALUES ('" . mysql_real_escape_string($serialObj) . "')";

mysql_query($query);

?>

Posted: Wed Feb 15, 2006 4:45 am
by Skittlewidth
I've heard about the magic_quotes problem, but on my local machine they've always been off, although I now suspect that they will be set to on on our hosting servers, so that probably will be an issue later.

Escaping the entire object has worked as far as inserting the object into the db, but again unserialize is failing with this error:

Code:

Notice: unserialize() [function.unserialize]: Error at offset 155 of 305 bytes in c:\****\***\***.php on line 47
This is roughly where the string

Code:

"I can't "take" anym(o)re?"
occurs, which has been escaped and looks like

Code:

"I can\'t \"take\" anym(o)re?"
in the database.
I've run stripslashes before calling unserialize().

Posted: Wed Feb 15, 2006 5:14 am
by Skittlewidth
I've just realised I was being daft. I don't need to run stripslashes, running them beforehand was actually causing the problem, which is completely logical now that I've thought about it.
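Putting Jenk's advice and the final realisation together, here is an added example that is not code from the thread. It shows why stripslashes() before unserialize() fails, where the single escaping step belongs, and what the double escaping seen in the stored string does to the data; PHP 7.0+, the $pdo connection and the `surveys` table are assumptions.

```php
<?php
// Added example, not code from the thread. It shows why the original post's
// stripslashes() call broke unserialize(), and where escaping belongs.
// serialize() records exact byte lengths (s:N:"..."); removing a backslash from
// the stored data makes N wrong, and unserialize() fails with "Error at offset".
// Assumes PHP 7.0+; $pdo and the `surveys` table are hypothetical.

class Survey
{
    public $questions = [];
}

$survey = new Survey();
$survey->questions[] = 'I can\'t "take" anym(o)re?';        // quotes need no treatment
$survey->questions[] = 'Share: \\\\fileserver\\surveys';     // a real backslash in the data

$serialized = serialize($survey);

// Storing: escape (or better, bind) the WHOLE serialized blob once, for SQL only.
// The SQL parser consumes that escaping, so the row holds bytes identical to
// $serialized. A bound parameter replaces mysql_real_escape_string() here.
function storeSurvey(PDO $pdo, $blob)
{
    $stmt = $pdo->prepare('INSERT INTO surveys (data) VALUES (:data)');
    $stmt->execute([':data' => $blob]);
}

// What SELECT hands back is therefore exactly what serialize() produced.
$fromDb = $serialized;

// Wrong: stripslashes() deletes the backslash inside the second question, the
// declared length no longer matches, and unserialize() gives up at that offset.
$broken = @unserialize(stripslashes($fromDb), ['allowed_classes' => [Survey::class]]);
var_dump($broken);

// Right: hand the stored bytes to unserialize() untouched. allowed_classes keeps
// the decoder from instantiating anything other than the survey class.
$restored = unserialize($fromDb, ['allowed_classes' => [Survey::class]]);
var_dump($restored == $survey);

// Also wrong (the double escaping seen in the thread): escaping each question
// before it enters the object bakes the backslashes into the data itself, so
// they come back out of unserialize() as part of the question text.
$doubled = new Survey();
$doubled->questions[] = addslashes('I can\'t "take" anym(o)re?'); // stand-in for mysql_real_escape_string()
var_dump(unserialize(serialize($doubled), ['allowed_classes' => [Survey::class]])->questions[0]);
```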