should objects be escaped before being stored into the DB??
Posted: Tue Mar 07, 2006 3:59 am
by raghavan20
We have a session management class which actually stores session variables/objects into MySQL. We have recently been having some problems while storing... We are in doubt whether objects have to be escaped before they are stored into the database. We suspect some objects can have special characters in them.
My questions are:
1. Do objects need to be escaped?
2. If yes, how do I escape them?
Thanks...
Posted: Tue Mar 07, 2006 4:03 am
by feyd
The objects themselves don't need to be escaped, but the session data you are given by PHP (a big string) should be.
Posted: Tue Mar 07, 2006 4:14 am
by raghavan20
We have tried to escape a session object by serializing it and running it through mysqli_real_escape_string; it yields this:
Code:
INSERT INTO session_variable (session_id,variable_name,value) VALUES ('$rb94Za}%tA?_OsGu7_9~R}X3C5LN%OsAukiwxL?^V[K6bO$QTp19xK?^U$qm6bc0.23333000 1141726915','UserObj','O:10:\"OnlineUser\":9:{s:18:\"\0OnlineUser\0obj_id\";s:1:\"1\";s:16:\"\0OnlineUser\0name\";s:4:\"Test\";s:17:\"\0OnlineUser\0email\";s:15:\"test@test.co.uk\";s:26:\"\0OnlineUser\0receive_offers\";s:1:\"1\";s:35:\"\0OnlineUser\0receive_recommendations\";s:1:\"0\";s:18:\"\0OnlineUser\0status\";s:1:\"1\";s:21:\"\0OnlineUser\0more_info\";s:0:\"\";s:24:\"\0OnlineUser\0privelege_id\";s:1:\"2\";s:20:\"\0OnlineUser\0password\";N;}')
I do not know where this \0 comes from instead of \
feyd, my doubt is... let us assume an object,
object(
name =>o'reilly,
city=>gloucester
)
When you try to store an object like that into the DB, do you expect it not to give problems?
When you try to run that query from the PHP script, part of the value is stored in the DB.
Posted: Tue Mar 07, 2006 10:28 am
by feyd
PHP gives your session handler a serialized string of the session data; it's not exactly run through serialize(), but close. You should only need to pass that string through the real_escape_string() function. That's all I've ever required (if simply storing the data without parsing it).
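As an added example (not code from the thread or from the poster's session class), here is the write step feyd describes, in PHP, once with a prepared statement and once with real_escape_string() as discussed above; the mysqli connection $db, the 'session' variable_name value and the use of REPLACE are assumptions.

```php
<?php
// Added example, not code from the thread: the write() side of a custom
// PHP session handler for the poster's table session_variable
// (session_id, variable_name, value). Assumes a mysqli connection $db,
// PHP 8, and a unique key on (session_id, variable_name) so REPLACE works.
//
// Where the "\0" in the poster's query comes from: PHP serializes a private
// property as "\0ClassName\0prop" with real NUL bytes, and
// mysqli_real_escape_string() emits a NUL byte as the two characters "\0"
// so that MySQL stores the byte intact. That output is correct.

// Preferred form: bind the serialized string as a parameter. The value is
// sent out of band, so quotes, backslashes, NUL bytes and the "$", "%", "}"
// characters seen in the poster's session id never become part of the SQL.
function writeSessionBound(mysqli $db, string $id, string $data): bool
{
    $name = 'session';  // variable_name column; bind_param needs a variable
    $stmt = $db->prepare(
        'REPLACE INTO session_variable (session_id, variable_name, value) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $id, $name, $data);
    return $stmt->execute();
}

// If the query text must be assembled by hand, as in the thread, escape every
// interpolated value with the connection's own escaper and nothing else. The
// serialized object is just bytes to MySQL; do not try to "clean" it.
function writeSessionEscaped(mysqli $db, string $id, string $data): bool
{
    $sql = sprintf(
        "REPLACE INTO session_variable (session_id, variable_name, value) VALUES ('%s', 'session', '%s')",
        $db->real_escape_string($id),
        $db->real_escape_string($data)
    );
    return $db->query($sql) !== false;
}
```

Either function can be registered as the write callback of session_set_save_handler(); PHP passes it the already serialized session string, so the object itself is never escaped, only that string.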