Recipe 5.7. Encapsulating Complex Data Types in a String
5.7.1. Problem
You want a string representation of an array or object for storage in a file or database. This string should be easily reconstitutable into the original array or object.
5.7.2. Solution
Use serialize( ) to encode variables and their values into a textual form:
$pantry = array('sugar' => '2 lbs.','butter' => '3 sticks'); $fp = fopen('/tmp/pantry','w') or die ("Can't open pantry"); fputs($fp,serialize($pantry)); fclose($fp);
To recreate the variables, use unserialize( ):
$new_pantry = unserialize(file_get_contents('/tmp/pantry'));
5.7.3. Discussion
The serialized string that is reconstituted into $pantry looks like:
a:2:{s:5:"sugar";s:6:"2 lbs.";s:6:"butter";s:8:"3 sticks";}
This stores enough information to bring back all the values in the array, but the variable name itself isn't stored in the serialized representation.
When passing serialized data from page to page in a URL, call urlencode( ) on the data to make sure URL metacharacters are escaped in it:
$shopping_cart = array('Poppy Seed Bagel' => 2, 'Plain Bagel' => 1, 'Lox' => 4); print '<a href="next.php?cart='.urlencode(serialize($shopping_cart)).'">Next</a>';
The magic_quotes_gpc and magic_quotes_runtime configuration settings affect data being passed to unserialize( ). If magic_quotes_gpc is on, data passed in URLs, POST variables, or cookies must be processed with stripslashes( ) before it's unserialized:
$new_cart = unserialize(stripslashes($cart)); // if magic_quotes_gpc is on $new_cart = unserialize($cart); // if magic_quotes_gpc is off
If magic_quotes_runtime is on, serialized data stored in a file must be processed with addslashes( ) when writing and stripslashes( ) when reading:
$fp = fopen('/tmp/cart,'w'); fputs($fp,addslashes(serialize($a))); fclose($fp);
// if magic_quotes_runtime is on $new_cart = unserialize(stripslashes(file_get_contents('/tmp/cart'))); // if magic_quotes_runtime is off $new_cart = unserialize(file_get_contents('/tmp/cart'));
Serialized data read from a database must also be processed with stripslashes( ) when magic_quotes_runtime is on:
mysql_query( "INSERT INTO cart (id,data) VALUES (1,'".addslashes(serialize($cart))."')");
$r = mysql_query('SELECT data FROM cart WHERE id = 1'); $ob = mysql_fetch_object($r); // if magic_quotes_runtime is on $new_cart = unserialize(stripslashes($ob->data)); // if magic_quotes_runtime is off $new_cart = unserialize($ob->data);
Serialized data going into a database always needs to have addslashes( ) called on it (or, better yet, the database-appropriate escaping method) to ensure it's saved properly.
When you unserialize an object, PHP automatically invokes its __wakeUp( ) method. This allows the object to reestablish any state that's not preserved across serialization, such as database connection. This can alter your environment, so be sure you know what you're unserializing. See Recipe 7.18 for more details.
5.7.4. See Also
Recipe 10.9 for information on escaping data for a database.
|
No comments:
Post a Comment