should objects be escaped before stored into DB??

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK
Contact:

Post by raghavan20 »

We have a session management class which actually stores session variables/objects into MySQL. We are recently having some problems while storing... we are in doubt whether objects have to be escaped before they are stored into the database. We suspect some objects can have special characters in them.

My questions are:
1. Do objects need to be escaped?
2. If yes, how do I escape them?

Thanks...
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The objects themselves don't need to be escaped, but the session data you are given by PHP (a big string) should.
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK
Contact:

Post by raghavan20 »

We have tried to escape a session object by serializing it and running it through mysqli_real_escape_string; it yields this:

Code:

INSERT INTO session_variable (session_id,variable_name,value) VALUES ('$rb94Za}%tA?_OsGu7_9~R}X3C5LN%OsAukiwxL?^V[K6bO$QTp19xK?^U$qm6bc0.23333000 1141726915','UserObj','O:10:\"OnlineUser\":9:{s:18:\"\0OnlineUser\0obj_id\";s:1:\"1\";s:16:\"\0OnlineUser\0name\";s:4:\"Test\";s:17:\"\0OnlineUser\0email\";s:15:\"test@test.co.uk\";s:26:\"\0OnlineUser\0receive_offers\";s:1:\"1\";s:35:\"\0OnlineUser\0receive_recommendations\";s:1:\"0\";s:18:\"\0OnlineUser\0status\";s:1:\"1\";s:21:\"\0OnlineUser\0more_info\";s:0:\"\";s:24:\"\0OnlineUser\0privelege_id\";s:1:\"2\";s:20:\"\0OnlineUser\0password\";N;}')
I do not know where this \0 comes from instead of \.

feyd, my doubt is... let us assume an object,
object(
name => o'reilly,
city => gloucester
)

When you try to store an object like that into the DB, do you expect it not to give problems?

When you try to run that query from the PHP script, part of the value is stored in the DB.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

PHP gives your session handler a serialized string of the session data; it's not exactly run through serialize(), but close. You should only need to pass that string through the real_escape_string() function... that's all I've ever required (if simply storing the data without parsing it).
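As an added example (not code from either poster), here is a session save handler that stores the serialized string PHP hands it through a mysqli prepared statement, so the string is never quoted by hand, followed by a short demonstration of where the \0 bytes around the private property names come from. It assumes PHP 5.4+ and a hypothetical session_variable table with session_id, value and updated columns.

```php
<?php
// Added example for this thread; assumes a table such as
//   session_variable(session_id VARCHAR(128) PRIMARY KEY, value BLOB, updated INT)
class MysqlSessionHandler implements SessionHandlerInterface
{
    private $db;
    public function __construct(mysqli $db) { $this->db = $db; }
    public function open($savePath, $sessionName) { return true; }
    public function close() { return true; }

    public function read($id)
    {
        $stmt = $this->db->prepare('SELECT value FROM session_variable WHERE session_id = ?');
        $stmt->bind_param('s', $id);
        $stmt->execute();
        $stmt->bind_result($data);
        $found = $stmt->fetch();
        $stmt->close();
        return $found ? $data : '';
    }

    // $data is the already-encoded session string (e.g. 'UserObj|O:10:"OnlineUser":...'),
    // raw NUL bytes included. Binding it as a parameter stores it byte-for-byte, so no
    // quote, backslash or NUL inside an object's fields can alter or truncate the query.
    public function write($id, $data)
    {
        $stmt = $this->db->prepare(
            'REPLACE INTO session_variable (session_id, value, updated) VALUES (?, ?, ?)');
        $now = time();
        $stmt->bind_param('ssi', $id, $data, $now);
        $ok = $stmt->execute();
        $stmt->close();
        return (bool) $ok;
    }

    public function destroy($id)
    {
        $stmt = $this->db->prepare('DELETE FROM session_variable WHERE session_id = ?');
        $stmt->bind_param('s', $id);
        $ok = $stmt->execute();
        $stmt->close();
        return (bool) $ok;
    }

    public function gc($maxlifetime)
    {
        $cutoff = time() - (int) $maxlifetime;
        $stmt = $this->db->prepare('DELETE FROM session_variable WHERE updated < ?');
        $stmt->bind_param('i', $cutoff);
        $ok = $stmt->execute();
        $stmt->close();
        return (bool) $ok;
    }
}
```

Registering it is `session_set_save_handler(new MysqlSessionHandler($db), true);` before `session_start()`. The \0 in the escaped query above is mysqli_real_escape_string() rendering a real NUL byte: serialize() writes a private property name as "\0ClassName\0property", so the serialized data legitimately contains NUL bytes, which is why a bound parameter (or, at minimum, escaping the whole string as feyd describes) is needed rather than escaping individual object fields.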