Friday, December 25, 2009

Recipe 5.7. Encapsulating Complex Data Types in a String










Recipe 5.7. Encapsulating Complex Data Types in a String



5.7.1. Problem


You


want a string representation of an array or object for storage in a file or database. This string should be easily reconstitutable into the original array or object.




5.7.2. Solution


Use
serialize( ) to encode variables and their values into a textual form:


$pantry = array('sugar' => '2 lbs.','butter' => '3 sticks');
$fp = fopen('/tmp/pantry','w') or die ("Can't open pantry");
fputs($fp,serialize($pantry));
fclose($fp);



To recreate the variables, use
unserialize( ):


$new_pantry = unserialize(file_get_contents('/tmp/pantry'));





5.7.3. Discussion


The serialized string that is reconstituted into $pantry looks like:


a:2:{s:5:"sugar";s:6:"2 lbs.";s:6:"butter";s:8:"3 sticks";}



This stores enough information to bring back all the values in the array, but the variable name itself isn't stored in the serialized representation.


When passing serialized data from page to page in a URL, call
urlencode( ) on the data to make sure URL metacharacters are escaped in it:


$shopping_cart = array('Poppy Seed Bagel' => 2,
'Plain Bagel' => 1,
'Lox' => 4);
print '<a href="next.php?cart='.urlencode(serialize($shopping_cart)).'">Next</a>';



The
magic_quotes_gpc and magic_quotes_runtime configuration settings affect data being passed to unserialize( ). If magic_quotes_gpc is on, data passed in URLs, POST variables, or cookies must be processed with stripslashes( ) before it's unserialized:


$new_cart = unserialize(stripslashes($cart)); // if magic_quotes_gpc is on
$new_cart = unserialize($cart); // if magic_quotes_gpc is off



If magic_quotes_runtime is on, serialized data stored in a file must be processed with addslashes( ) when writing and
stripslashes( ) when reading:


$fp = fopen('/tmp/cart,'w');
fputs($fp,addslashes(serialize($a)));
fclose($fp);

// if magic_quotes_runtime is on
$new_cart = unserialize(stripslashes(file_get_contents('/tmp/cart')));
// if magic_quotes_runtime is off
$new_cart = unserialize(file_get_contents('/tmp/cart'));



Serialized data read from a database must also be processed with stripslashes( ) when magic_quotes_runtime is on:


mysql_query(
"INSERT INTO cart (id,data) VALUES (1,'".addslashes(serialize($cart))."')");

$r = mysql_query('SELECT data FROM cart WHERE id = 1');
$ob = mysql_fetch_object($r);
// if magic_quotes_runtime is on
$new_cart = unserialize(stripslashes($ob->data));
// if magic_quotes_runtime is off
$new_cart = unserialize($ob->data);



Serialized data going into a database always needs to have addslashes( ) called on it (or, better yet, the database-appropriate escaping method) to ensure it's saved properly.


When you unserialize an object, PHP automatically invokes its
__wakeUp( ) method. This allows the object to reestablish any state that's not preserved across serialization, such as database connection. This can alter your environment, so be sure you know what you're unserializing. See Recipe 7.18 for more details.




5.7.4. See Also


Recipe 10.9 for information on escaping data for a database.













No comments: