serialize problem, possible bug?

bike5

I am serializing the entire $_POST array into mysql after a form is submitted and redisplaying the information on the exact form for re-display after unserializing it. This was working all fine and dandy until I put a double or single quote it. At first I though they needed to be escaped but that didn't help. I boiled it down to the fact that the serialization code being stored is writing the wrong character lenghth number for any feild that has a double or single quote.

Example: in the database part of the serialized code would look like:

s:19:"This seems to work." which works fine because it has the correct number of the string but when I add a quote or double quote to the form field like

This seems to' work.

I get

s:21:"This seems to' work."

The length is wrong, it is adding an extra number in their and breaking the whole serialized chunk of data. It should read " s:20:"This seems to' work." ".

Please let me know if this is indeed a bug or if I am just not doing something right or what I need to do to fix this please. Any information would be greatly helpful. The server is using php 4.3.10

Thank you.
-Danny

Najjar

I found these 2 posts in php.net (http://us2.php.net/manual/en/function.serialize.php)

paul at moveNOtoSPAMiceland DOT com
18-Nov-2004 08:29
I was trying to submit a serialized array through a hidden form field using POST and was having a lot of trouble with the quotes. I couldn't figure out a way to escape the quotes in the string so that they'd show up right inside the form, so only the characters up to the first set of quotes were being sent.

My solution was to base64_encode() the string, put that in the hidden form field, and send that through the POST method. Then I decoded it (using base64_decode()) on the other end. This seemed to solve the problem.

17-Jul-2001 06:39
BEWARE: if you serialize to store values on a database, and the variables you are serializing already have the " (double-quote) char, you may have a problem. After serializing you will have var delimiters as " and content " (double-quotes) escaped, but your databse may just treat them like the same. You end up with a failed unserialize. You want something like:

a:5:{s:9:"this is a \"quote\"";a:1:{s:(ETC)

And not:

a:5:{s:9:"this is a "quote"";a:1:{s:(ETC)

So just make sure you double escape content quotes ...

It's simple, but i can't explain it any simpler =(