At 10:50 AM +0100 5/24/06, phplist@xxxxxxx wrote:
Hi,
Is a serialized array a "safe" string to insert into a mysql text field? Or is a
function such as mysql_real_escape_string always needed?
regards
Simon.
Simon:
If you want to store a serialized array in mysql, then you must use
mysql_real_escape_string to cover the possibility that your array
values may have quotes and other such stuff that a mysql query would
stumble on.
Also, the following is what I discovered from my own investigation.
Please note that normally when you place data into mysql using
mysql_real_escape_string -- you also use htmlentities to pull it out
-- if -- you're going to show it to a browser. But, if you do that,
then you can't subsequently also unserialize the string into an
array.
You must unserialize the array directly from mysql and not after htmlentities.
It's interesting that an inspection of a "serialized array string"
before and after htmlentities may "look" the same, but they aren't.
hth's
tedd
--
------------------------------------------------------------------------------------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
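As an added example (not code from either poster), the following PHP shows both points of the reply: the serialized string carries quotes and so must be escaped or, better, bound as a prepared-statement parameter; and htmlentities() has to be applied to the individual values after unserialize(), never to the serialized blob, because it changes the text and the s:N length prefixes no longer match. The table name `prefs`, its columns and the sample array are assumptions for the illustration; the mysqli/PDO connection objects are assumed to be created by the caller.

```php
<?php
// Added example, not from the original post. Assumes a table:
//   CREATE TABLE prefs (id INT PRIMARY KEY, data TEXT)

// Constructed sample data with characters that break both SQL and HTML.
$prefs = ['name' => "O'Brien", 'note' => 'says "hi" <b>& bye</b>', 'n' => 3];
$packed = serialize($prefs);
// $packed looks like a:3:{s:4:"name";s:7:"O'Brien";...} -- it contains
// both kinds of quote, so it is NOT safe to paste into an SQL literal.

// 1) The approach from the reply: escape the whole serialized string
//    before interpolating it. mysqli::real_escape_string needs a live
//    connection because escaping depends on the connection charset.
function buildInsertWithEscaping(mysqli $db, int $id, array $data): string
{
    $safe = $db->real_escape_string(serialize($data));
    return "INSERT INTO prefs (id, data) VALUES ($id, '$safe')";
}

// 2) Preferred today: bind the blob as a parameter, so there is no
//    escaping step that can be forgotten.
function storePrefs(PDO $db, int $id, array $data): void
{
    $stmt = $db->prepare('REPLACE INTO prefs (id, data) VALUES (:id, :data)');
    $stmt->execute([':id' => $id, ':data' => serialize($data)]);
}

// Read the raw column and unserialize it as-is (no htmlentities here).
// allowed_classes => false keeps unserialize from instantiating objects.
function loadPrefs(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT data FROM prefs WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $raw = $stmt->fetchColumn();
    if ($raw === false) {
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Escape for the browser only at output time, value by value.
function renderNote(array $data): string
{
    return htmlentities($data['note'] ?? '', ENT_QUOTES, 'UTF-8');
}

// Offline demonstration of the pitfall: entity-encoding the serialized
// string changes it, and the result no longer unserializes.
$escapedForHtml = htmlentities($packed, ENT_QUOTES, 'UTF-8');
var_dump($packed === $escapedForHtml);                                  // bool(false)
var_dump(@unserialize($packed, ['allowed_classes' => false]) === $prefs); // bool(true)
var_dump(@unserialize($escapedForHtml, ['allowed_classes' => false]));   // bool(false)
echo renderNote($prefs), "\n"; // says &quot;hi&quot; &lt;b&gt;&amp; bye&lt;/b&gt;
```

The two var_dump lines at the end are the check the reply describes: the blob and its entity-encoded form may look alike at a glance, but unserialize() accepts only the former. Keep the round trip MySQL -> unserialize() -> htmlentities() on each value, and never MySQL -> htmlentities() -> unserialize().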