I can't seem to unserialize an array I had previously serialized, that had 's in it... It doesn't do anything, just makes the variable I assign it to blank....
The string:

a:6:{s:4:"name";s:14:"asd'f'asdf'";s:5:"alias";s:14:"'asdf'asdf'";s:5:"hours";s:14:"'asdf'asdf'";s:10:"experience";s:12:"as'dfas'df";s:8:"why_hire";s:14:"'asdf'asdf'";s:9:"positions";a:1:{i:0;s:1:"3";}}

I've tried walking through the array prior to serialization, but that doesn't help...

    What do you do when you walk through it? The values for the string lengths are wrong.

    With this:

    $arr = array('why_hire', "asd'f'asdf'");
    $ser = serialize($arr);
    echo $ser . '<br />';
    $unser = unserialize($ser);
    print_r($unser);

    I get:

    a:2:{i:0;s:8:"why_hire";i:1;s:11:"asd'f'asdf'";}
    Array ( [0] => why_hire [1] => asd'f'asdf' )

      What would be messing this up? mysql_real_escape_string or magic_quote_gpc? How would I fix this...?

        Try using stripslashes() before serializing (the manual has an example for using it on an array).

          stripslashes doesn't work on magical_quotes_gpc 🙁

            Any ideas other than stripslashes? I've been playing with str_replace, but that's not working out so well...

              I hate bumping after such a short amount of time but I really need an answer today... I would rather not have to resort to using ini_set("magical_quote_gpc",0) as that wouldn't work on all servers, could possibly break other portions of my code, etc.

                stripslashes doesn't work on magical_quotes_gpc

                Sure it does. Try this test script:

                if (!isset($_GET['test1'])) {
                    echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="get">'
                       . '<input type="text" name="test1" /><br />'
                       . '<input type="text" name="test2" /><br />'
                       . '<input type="submit" />'
                       . '</form>';
                } else {
                    if (ini_get('magic_quotes_gpc')) {
                        foreach ($_GET as $key => $val) {
                            echo $key . ':' . $val . '<br />';
                            $_GET[$key] = stripslashes($val);
                        }
                    }
                    $ser = serialize($_GET);
                    echo $ser . '<br />';
                    $unser = unserialize($ser);
                    print_r($unser);
                }

                  Just tried it... Nope 🙁
                  Here's the code I'm passing my $_POST through (Just the $_POST that users have control of / that enter mysql)

                      function strip_array($data, $filter_type = 2) {
                          print "<br>";
                          if (is_array($data)) {
                              // Keep the mapped result; array_map() does not modify $data in place.
                              $data = array_map(array($this, "strip_array"), $data);
                              print "Itsa an array!<br>";
                          } else {
                              if (get_magic_quotes_gpc()) {
                                  $data = stripslashes($data);
                                  $data = str_replace("\\", "", $data);
                                  print $data."<br>Pesky slashes<Br>";
                              }
                              // MySQL escaping is applied here, before serialize() is called on the result.
                              $data = mysql_real_escape_string(strip_tags(trim($data)));
                              $data = htmlentities($data);
                          }
                          return $data;
                      }
                  

                  Readout:

                  apply
                  Pesky slashes
                  
                  asdf'asd'fas'df
                  Pesky slashes
                  
                  asdf'asdf'
                  Pesky slashes
                  
                  asdf'asdf'
                  Pesky slashes
                  
                  asdf'asd'fa'sdf'asdf'
                  Pesky slashes
                  
                  asdf'as'dfas'df
                  Pesky slashes
                  
                  
                  1
                  Pesky slashes
                  Itsa an array!
                  
                  
                  Pesky slashes
                  
                  1
                  Pesky slashes
                  
                  Submit
                  Pesky slashes
                  

                  Now here's the reason why I'm pulling my hair out:
                  (What happens when I serialize it)

                  a:6:{s:4:"name";s:18:"asdf'asd'fas'df";s:5:"alias";s:12:"asdf'asdf'";s:5:"hours";s:12:"asdf'asdf'";s:10:"experience";s:26:"asdf'asd'fa'sdf'asdf'";s:8:"why_hire";s:18:"asdf'as'dfas'df";s:9:"positions";a:1:{i:0;s:1:"1";}}

                  Notice how serialize seems to think there's \'s in front of '... But it doesn't actually save them...

                  Edit:
                  I looked into it more and it's not the $_POST portion, it's the serialization portion... It doesn't see slashes when it tries to serialize, possibly because of magical_quotes.... I can clearly see the slashes when I print, but when I serialize it, it doesn't save them... It just counts them when it serializes, so the count is always 1 higher for every escapable character, than the actual value.

                  So basically... A string like:
                  I'm annoyed

                  Would be counted as 12 instead of 11, since there's a '... Serialize's count sees ' as \', but saves it as '

                  So... Er, how do I fix this?

                    Run this; maybe it will convince you:

                    $dbh = mysql_connect('localhost', 'xxxxxx', 'xxxxxx');
                    mysql_select_db('test');
                    echo '<pre>';
                    
                    $post_data = $_POST;
                    var_dump($post_data);
                    
                    $obj = new Slashes();
                    
                    $post_data = $obj->undo_magic_quotes_gpc($post_data);
                    var_dump($post_data);
                    
                    $post_data = serialize($post_data);
                    echo $post_data;
                    $post_data = unserialize($post_data);
                    
                    $post_data = $obj->add_mysql_slashes($post_data);
                    var_dump($post_data);
                    
                    $post_data = serialize($post_data);
                    echo $post_data;
                    
                    echo '</pre>';
                    mysql_close($dbh);
                    
                    class Slashes
                    {
                        function strip_slashes($data)
                        {
                            if (is_array($data)) { 
                                return array_map(array($this, 'strip_slashes'), $data);
                            } else { 
                                return stripslashes($data);
                            }
                        }
                    
                        function add_mysql_slashes($data)
                        {
                            if (is_array($data)) {
                                return array_map(array($this, 'add_mysql_slashes'), $data);
                            } else {
                                return mysql_real_escape_string($data);
                            }
                        }

                        function undo_magic_quotes_gpc($data)
                        {
                            if (ini_get('magic_quotes_gpc')) {
                                $data = $this->strip_slashes($data);
                            }
                            return $data;
                        }
                    }

                      Don't know what to say... I know the results I'm getting, and it looks like stripslashes isn't removing magical_quotes_gpc slashes, since serialize is seeing them even after they've been stripped, when it gets the count.

                        Well, would you post the output from the last script I posted, so I can try to figure out why you're getting different results from it than me?

                          Took some modification but:

                          array(12) {
                            ["title"]=>
                            string(4) "asdf"
                            ["content"]=>
                            string(4) "asdf"
                            ["youtube"]=>
                            string(11) "fasdfasdf\'"
                            ["mirrors"]=>
                            array(5) {
                              [0]=>
                              string(0) ""
                              [1]=>
                              string(5) "123\'"
                              [2]=>
                              string(6) "1234\'"
                              [3]=>
                              string(5) "12345"
                              [4]=>
                              string(0) ""
                            }
                            ["category"]=>
                            string(1) "1"
                            ["allow_comments"]=>
                            string(1) "1"
                            ["move_on"]=>
                            string(0) ""
                            ["move_to"]=>
                            string(0) ""
                            ["file_size"]=>
                            string(1) "2"
                            ["size_type"]=>
                            string(1) "b"
                            ["post"]=>
                            string(1) "1"
                            ["submit"]=>
                            string(6) "Submit"
                          }
                          array(12) {
                            ["title"]=>
                            string(4) "asdf"
                            ["content"]=>
                            string(4) "asdf"
                            ["youtube"]=>
                            string(10) "fasdfasdf'"
                            ["mirrors"]=>
                            array(5) {
                              [0]=>
                              string(0) ""
                              [1]=>
                              string(4) "123'"
                              [2]=>
                              string(5) "1234'"
                              [3]=>
                              string(5) "12345"
                              [4]=>
                              string(0) ""
                            }
                            ["category"]=>
                            string(1) "1"
                            ["allow_comments"]=>
                            string(1) "1"
                            ["move_on"]=>
                            string(0) ""
                            ["move_to"]=>
                            string(0) ""
                            ["file_size"]=>
                            string(1) "2"
                            ["size_type"]=>
                            string(1) "b"
                            ["post"]=>
                            string(1) "1"
                            ["submit"]=>
                            string(6) "Submit"
                          }
                          a:12:{s:5:"title";s:4:"asdf";s:7:"content";s:4:"asdf";s:7:"youtube";s:10:"fasdfasdf'";s:7:"mirrors";a:5:{i:0;s:0:"";i:1;s:4:"123'";i:2;s:5:"1234'";i:3;s:5:"12345";i:4;s:0:"";}s:8:"category";s:1:"1";s:14:"allow_comments";s:1:"1";s:7:"move_on";s:0:"";s:7:"move_to";s:0:"";s:9:"file_size";s:1:"2";s:9:"size_type";s:1:"b";s:4:"post";s:1:"1";s:6:"submit";s:6:"Submit";}array(12) {
                            ["title"]=>
                            string(4) "asdf"
                            ["content"]=>
                            string(4) "asdf"
                            ["youtube"]=>
                            string(11) "fasdfasdf\'"
                            ["mirrors"]=>
                            array(5) {
                              [0]=>
                              string(0) ""
                              [1]=>
                              string(5) "123\'"
                              [2]=>
                              string(6) "1234\'"
                              [3]=>
                              string(5) "12345"
                              [4]=>
                              string(0) ""
                            }
                            ["category"]=>
                            string(1) "1"
                            ["allow_comments"]=>
                            string(1) "1"
                            ["move_on"]=>
                            string(0) ""
                            ["move_to"]=>
                            string(0) ""
                            ["file_size"]=>
                            string(1) "2"
                            ["size_type"]=>
                            string(1) "b"
                            ["post"]=>
                            string(1) "1"
                            ["submit"]=>
                            string(6) "Submit"
                          }
                          a:12:{s:5:"title";s:4:"asdf";s:7:"content";s:4:"asdf";s:7:"youtube";s:11:"fasdfasdf\'";s:7:"mirrors";a:5:{i:0;s:0:"";i:1;s:5:"123\'";i:2;s:6:"1234\'";i:3;s:5:"12345";i:4;s:0:"";}s:8:"category";s:1:"1";s:14:"allow_comments";s:1:"1";s:7:"move_on";s:0:"";s:7:"move_to";s:0:"";s:9:"file_size";s:1:"2";s:9:"size_type";s:1:"b";s:4:"post";s:1:"1";s:6:"submit";s:6:"Submit";}
                          

                            There you go. Glad to have helped.

                            I'll resist asking why it needed modification.

                              Need modification because I had no need for the mysql calls 😉
                              Anyways, I believe I have found a new problem... When getting the same string from mysql, it seems somewhere along the line it automatically strips out the \s and... Well that completely screws up the serialized array....
                              I've looked in the table and they're even removed there... I do nothing to the data after I get

                              string(133) "a:2:{s:7:"mirrors";a:5:{i:0;s:3:"1\'";i:1;s:4:"12\'";i:2;s:5:"123\'";i:3;s:6:"1234\'";i:4;s:7:"12345\'";}s:9:"file_size";s:4:"5120";}"

                              ... I just update the table/row, then call it again and get the same string back, and it sees it as:

                              string(128) "a:2:{s:7:"mirrors";a:5:{i:0;s:3:"1'";i:1;s:4:"12'";i:2;s:5:"123'";i:3;s:6:"1234'";i:4;s:7:"12345'";}s:9:"file_size";s:4:"5120";}"

                              What could be causing this?

                              I hate revealing my table structure, but:

                                  // Array keys are quoted; bare keys are read as undefined constants.
                                  $sql = "UPDATE `" . $article_db . "` SET
                                      `title`='" . $final_data['title'] . "',
                                      `content`='" . $final_data['content'] . "',
                                      `content_prev`='" . $final_data['content_prev'] . "',
                                      `content_vars`='" . $final_data['content_vars'] . "',
                                      `category`='" . $final_data['category'] . "',
                                      `uploaded_files`='" . $final_data['uploaded_files'] . "',
                                      `allow_comments`='" . $final_data['allow_comments'] . "',
                                      `edits`='" . $edits . "'
                                      WHERE id='" . $final_data['id'] . "'";
                                  $db->query($sql, 'edit_article');
                                  unset($sql);

                                  $sql = "SELECT content_vars FROM `" . $article_db . "` WHERE id='" . $final_data['id'] . "'";
                                  $db->query($sql, 'get_content_vars');
                                  $vars = $db->fetch_row('get_content_vars');
                                  $content_vars = unserialize($vars['content_vars']);
                                  // var_dump() prints directly and returns nothing, so it is called on its own line.
                                  print "<pre>";
                                  var_dump($vars['content_vars']);
                                  print "</pre>";
                              

                              I printed the first $sql, and it shows that the \' is still there... But yet the var_dump at the end shows the slashes have been stripped... And my query function is incredibly simple, all it does is execute the query, then raise the query count and such... That's it, no modification to the output in it or fetch_row
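
The length-prefix mismatch discussed in this thread, reproduced without a database as an added example that is not part of any post. It assumes `addslashes()` as a stand-in for `mysql_real_escape_string()` and `stripslashes()` as a stand-in for the SQL parser consuming the escapes of a quoted literal; `stored_value()` and the sample array are hypothetical.

```php
<?php
// Added illustration, not code from any post in this thread.
// Assumptions: addslashes() stands in for mysql_real_escape_string(), and
// stripslashes() stands in for the SQL parser consuming the escapes of a
// quoted literal, so the script runs without a database.

// Hypothetical helper: what the column holds after the literal is parsed.
function stored_value(string $literal): string
{
    return stripslashes($literal);
}

// Constructed sample input, shaped like the 'mirrors' data in the thread.
$input = ['mirrors' => ["1'", "12'"], 'file_size' => '5120'];

// Order used in the thread: escape every value, then serialize.
$escaped = $input;
array_walk_recursive($escaped, function (&$v) {
    $v = addslashes($v);
});
$sent   = serialize($escaped);   // each s:N prefix counts the backslashes
$stored = stored_value($sent);   // backslashes consumed, prefixes unchanged
$broken = @unserialize($stored); // prefixes no longer match the byte counts

// Corrected order: serialize the raw values, then escape the whole string once.
$sent2    = addslashes(serialize($input));
$stored2  = stored_value($sent2); // byte-for-byte equal to serialize($input)
$restored = unserialize($stored2);

echo "sent:   ", $sent, "\n";
echo "stored: ", $stored, "\n";
var_dump($broken);
var_dump($restored === $input);
```

With a real database, binding the serialized string as a single parameter of a prepared statement (PDO or mysqli) replaces the manual escaping step and keeps the stored bytes identical to what `serialize()` produced.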
