unserialize(), arrays, and newlines = error

  • Mark

    unserialize(), arrays, and newlines = error

    Greetings:

    So, I've got a real problem in that PHP doesn't seem to be able to
    unserialize() an array that has an element containing a newline. Of
    course, I've used htmlentities() to protect the serialized data.

    Here's a simple example that demonstrates the problem:
    -----
    <?php

    $blah = array("I like\nnewlines" );

    echo '<html>';
    echo '<body>';

    if (isset($_POST['blah'])) {
        if (unserialize(html_entity_decode($_POST['blah'])) === FALSE)
            echo '<p>Unserialize failed.</p>';
        else
            echo '<p>Unserialize worked.</p>';
    }

    echo '<form method="POST" enctype="multipart/form-data" action="test.php">';

    echo '<input type="hidden"';
    echo ' name="blah"';
    echo ' value="';
    echo htmlentities(serialize($blah));
    echo '"';
    echo '/>';

    echo '<input type="submit" name="doink" value="Submit" />';

    echo '</form>';

    echo '</body>';
    echo '</html>';

    ?>
  • Pedro

    #2
    Re: unserialize(), arrays, and newlines = error

    Mark wrote:
    >So, I've got a real problem in that PHP doesn't seem to be able to
    >unserialize() an array that has an element containing a newline. Of
    >course, I've used htmlentities() to protect the serialized data.
    >
    >Here's a simple example that demonstrates the problem:

    two small changes, just to remove that newline

    [...]
    >if (isset($_POST['blah'])) {
    if (unserialize(stripcslashes(html_entity_decode($_POST['blah']))) === FALSE)
    > echo '<p>Unserialize failed.</p>';
    [...]
    >echo ' value="';
    echo htmlentities(addcslashes(serialize($blah), "\n"));
    >echo '"';
    [...]


    Depending on the contents of your "blah" field you may want to add
    more characters to be added cslashes.


    HTH

    --
    I have a spam filter working.
    To mail me include "urkxvq" (with or without the quotes)
    in the subject line, or your mail will be ruthlessly discarded.

    • Mark

      #3
      Re: unserialize(), arrays, and newlines = error

      Greetings:

      Pedro <hexkid@hotpop.com> wrote in message news:<3b44nvcm09mf47jm69n5vhi1d84sn42l34@4ax.com>...
      > two small changes, just to remove that newline
      > [...]
      > Depending on the contents of your "blah" field you may want to add
      > more characters to be added cslashes.

      Thanks for the suggestion Pedro. PHP only seems to have problems when
      the serialize()d data is coming from a form. If I just serialize()
      and htmlentities() the array, and then do the reverse without going
      through the form, everything is just fine.

      So obviously this isn't a bug with PHP, rather it's something in how
      the form data is handled, and not necessarily a bug. In any case, it
      certainly caught me off guard.

      Thanks again.

      Mark A. Fox

      • Mark

        #4
        Re: unserialize(), arrays, and newlines = error

        Greetings:

        Pedro led me to the final and general (I think) solution to this
        problem: Use addcslashes() to slashify all non-ASCII characters.
        This is important in my case (but not the example below), because I'm
        dealing with what could be binary data.

        Here's the final updated example:

        -----
        <?php

        $blah = array("I like\nnewlines" );

        echo '<html>';
        echo '<body>';

        if (isset($_POST['blah'])) {
            if (unserialize(html_entity_decode(stripcslashes($_POST['blah']))) === FALSE)
                echo '<p>Unserialize failed.</p>';
            else
                echo '<p>Unserialize worked.</p>';
        }

        echo '<form method="POST" enctype="multipart/form-data" action="test.php">';

        echo '<input type="hidden"';
        echo ' name="blah"';
        echo ' value="';
        echo htmlentities(addcslashes(serialize($blah),
            "\0..\37!@\@\177..\377"));
        echo '"';
        echo '/>';

        echo '<input type="submit" name="doink" value="Submit" />';

        echo '</form>';

        echo '</body>';
        echo '</html>';

        ?>
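
Added example (not part of the thread, and not any poster's code): browsers rewrite line breaks in submitted form values to CRLF, which makes a serialized string one byte longer than its recorded `s:N` length, and that matches Mark's observation in #3 that the failure only appears when the data goes through the form. The sketch reproduces that mismatch, then carries the same array in the hidden field as base64 with an HMAC, so newlines and binary bytes survive and the server only unserializes values it issued. `FIELD_KEY`, `pack_field()` and `unpack_field()` are hypothetical names; PHP 7.1 or later is assumed.

```php
<?php
// Added example: the key and function names are constructed placeholders.
const FIELD_KEY = 'replace-with-a-random-server-side-secret';

// Encode any PHP value for a hidden field. base64 keeps newlines and binary
// bytes out of the HTML; the HMAC binds the value to this server's key.
function pack_field($value, string $key): string
{
    $payload = base64_encode(serialize($value));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns [true, $value] on success, [false, null] if the field is malformed
// or was altered after the server issued it.
function unpack_field(string $field, string $key): array
{
    $parts = explode('.', $field, 2);
    if (count($parts) !== 2) {
        return [false, null];
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison, done before any decoding or unserialize().
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return [false, null];
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return [false, null];
    }
    // allowed_classes => false: never instantiate objects from form input.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return [false, null];
    }
    return [true, $value];
}

$blah = array("I like\nnewlines");

// Simulate the form round trip from the first post: LF becomes CRLF, so the
// string no longer matches the length in its s:N header and parsing fails.
$posted = str_replace("\n", "\r\n", serialize($blah));
var_dump(@unserialize($posted));

// The packed field contains no line breaks, so the same rewrite is a no-op.
$field = pack_field($blah, FIELD_KEY);
[$ok, $value] = unpack_field(str_replace("\n", "\r\n", $field), FIELD_KEY);
var_dump($ok, $value === $blah);
```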
