Rigaudon

Storing An Array Into A Database not including serialize

Hi all,

For what I'm doing, I need to store arrays into databases all the time. Up until now, I've been using the built-in serialize() function.

However, this is a problem because even one number off the length, and the unserialize() function crashes. I know if I serialize it and preserve it, it should come out the same, but working with quotes is a bother with mysql and whatever. I know I could rewrite the offending parts, but just for future reference, I was wondering if there is any other way to store an array into a database.


However, this is a problem because even one number off the length, and the unserialize() function crashes.

What length? As I understand it, serialize creates a string you can store in a database, file, whatever that can be 'decoded' by PHP to recreate the original variable or object. At no point do you need to pass the length of the object or serialised string that you are reading.

 

I know if I serialize it and preserve it, it should come out the same, but working with quotes is a bother with mysql and whatever. I know I could rewrite the offending parts, but just for future reference, I was wondering if there is any other way to store an array into a database.

How does using functions like mysqli_real_escape_string() and stripslashes() work? As long as you undo whatever action you've done to insert the serialised string into the database, you should be able to unserialise it with PHP again.

<?php
$a = array();
$a[0] = "ASDF";
$a = serialize($a);
echo $a;
?>

This returns: a:1:{i:0;s:4:"ASDF";}

An array of 1 element with index of an integer (0), containing a string of 4 characters. If the 4 was changed to any other number, then unserialize() would crash because the string is not that long.

Escaping the value and stripslashes are actually the problems of what I'm dealing with. If I don't add slashes, the quotes would cancel out in the middle of my INSERT mysql statement.

If I do add slashes before I serialize it, then it counts the backslashes as characters and counts it part of the string. When I insert it, the slashes go away and the serialized array can't be unserialized.

If I add slashes after I serialize it, it would add around 10 backslashes per quote, which not only looks extremely bad, but also takes 2 or 3 stripslashes() to get rid of all of them.

Right now, I'm just doing 3 stripslashes(), but I think if there are escaped quotes within the string, it would add even more slashes and the cycle continues...

I guess what I'm looking for is basically a serialize() function which isn't so picky about the exact length of everything.

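The length mismatch described in the post above, next to a round trip that needs no addslashes()/stripslashes() at all, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database standing in for MySQL, a hypothetical `npc` table, and constructed sample data; stripslashes() is used only to simulate the slashes disappearing in storage.

```php
<?php
// Added example. Constructed NPC data; SQLite in memory stands in for MySQL.
$npc = [
    'say'  => 'He said "pay 10 gold" and it\'s done',
    'code' => 'echo "Welcome to the \"Old Mine\"";',
];

// Failure mode from the post: slashes are counted by serialize(), then vanish.
$escapedFirst = serialize(array_map('addslashes', $npc));
$afterStorage = stripslashes($escapedFirst); // simulates the slashes "going away"
if (@unserialize($afterStorage) !== false) {
    throw new RuntimeException('expected the length prefixes to mismatch');
}

// Bound parameters: the serialized string travels as data, never as SQL text,
// so there is nothing to escape on the way in and nothing to strip on the way out.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE npc (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO npc (id, data) VALUES (:id, :data)');
$insert->execute([':id' => 1, ':data' => serialize($npc)]);
$insert->execute([':id' => 2, ':data' => json_encode($npc, JSON_THROW_ON_ERROR)]);

$select = $pdo->prepare('SELECT data FROM npc WHERE id = :id');

$select->execute([':id' => 1]);
// allowed_classes => false: plain arrays and scalars only, no object instantiation.
$fromSerialize = unserialize($select->fetchColumn(), ['allowed_classes' => false]);
$select->closeCursor();

$select->execute([':id' => 2]);
// JSON carries no length prefixes, so a stray slash cannot invalidate a count.
$fromJson = json_decode($select->fetchColumn(), true, 512, JSON_THROW_ON_ERROR);
$select->closeCursor();

if ($fromSerialize !== $npc || $fromJson !== $npc) {
    throw new RuntimeException('round trip changed the array');
}
echo "both round trips returned the original array\n";
```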

There are a lot of comments in the PHP manual that seem to work around your problem. But if quotes are mostly what you are having trouble with, why not encode them as HTML entities for when inserting into the database and then decode them after retrieving from the database?


Heh, well I guess I need to explain my code now ;)

I'm developing an RPG (AJAX based) and this is part of an NPC script. Each npc has things you can say to it, what it says back, and any code to be executed when a specific response is chosen.

For example, a player can talk to an NPC and choose to pay gold to enter an area. I want it so that when they choose that option, it takes them in the area by evaluating the code. In this way, I can keep my game dynamic.

It is the code section that I need to preserve quotes, but all of an NPC's code is an array.

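An alternative to storing PHP source and passing it to eval(), shown for the pay-gold-to-enter-an-area case from the post above; this is an added example, not code from the thread. The action names, the `KNOWN_AREAS` list, the player array layout and both functions are hypothetical. Each stored response is a JSON list of steps, and only steps the game explicitly implements can run, so a modified database row cannot introduce new behaviour.

```php
<?php
// Added example; every name below is hypothetical.
const KNOWN_AREAS = ['town', 'old_mine'];

// Apply one stored step to a copy of the player state and return the new state.
function applyNpcStep(array $step, array $player): array
{
    switch ($step['action'] ?? null) {
        case 'pay_gold':
            $amount = filter_var($step['amount'] ?? null, FILTER_VALIDATE_INT,
                ['options' => ['min_range' => 1]]);
            if ($amount === false || $player['gold'] < $amount) {
                throw new RuntimeException('payment rejected');
            }
            $player['gold'] -= $amount;
            return $player;
        case 'enter_area':
            if (!in_array($step['area'] ?? null, KNOWN_AREAS, true)) {
                throw new RuntimeException('unknown area');
            }
            $player['area'] = $step['area'];
            return $player;
        default:
            throw new InvalidArgumentException('unknown NPC action');
    }
}

// Run every step of a stored response; an exception leaves the caller's state untouched.
function runNpcResponse(string $storedJson, array $player): array
{
    $steps = json_decode($storedJson, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($steps)) {
        throw new InvalidArgumentException('response must be a list of steps');
    }
    foreach ($steps as $step) {
        $player = applyNpcStep(is_array($step) ? $step : [], $player);
    }
    return $player;
}

// Constructed rows, as they would come back from the database.
$gateKeeper = '[{"action":"pay_gold","amount":10},{"action":"enter_area","area":"old_mine"}]';
$tampered   = '[{"action":"grant_gold","amount":9999}]';

$player = ['gold' => 25, 'area' => 'town'];
print_r(runNpcResponse($gateKeeper, $player));
try {
    runNpcResponse($tampered, $player);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```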

It is the code section that I need to preserve quotes, but all of an NPC's code is an array.

So what you are saying is that the serialized NPC code is too complex for htmlentities() and html_entity_decode() to be used on but addslashes() (or mysql_real_escape_string, or whatever method you are using to add slashes) and stripslashes() isn't?


So what you are saying is that the serialized NPC code is too complex for htmlentities() and html_entity_decode() to be used on but addslashes() (or mysql_real_escape_string, or whatever method you are using to add slashes) and stripslashes() isn't?

No, not at all. I'm rather hesitant to use htmlentities() because, well, for one, I want to be able to eval() the code. If I had code that had quotes in quotes, it would show up as "" and decoded it would be "" (two double quotes), which would not parse correctly. For another, escaping the string can be eval()'d directly already; the only problem is with the serialization.

My last hesitation is extremely irrelevant, but I just feel slightly uncomfortable because html entities is usually something people see, and nobody is supposed to see the code (lol).

I see where you're going with this, and I have to say- it's actually a very good idea. I don't know if htmlentities() does something different for escaped quotes, though, but I will probably end up using this later. Thanks!


If I had code that had quotes in quotes, it would show up as "" and decoded it would be "" (two double quotes), which would not parse correctly. For another, escaping the string can be eval()'d directly already; the only problem is with the serialization.

 

I see where you're going with this, and I have to say- it's actually a very good idea. I don't know if htmlentities() does something different for escaped quotes, though, but I will probably end up using this later. Thanks!

I would be more worried about calling stripslashes() too many times where it unescapes strings. htmlentities() doesn't convert slashes, and, by the sound of it, since this special code is generated by your script and does not contain any user input, there is less worry about other things, like MySQL comments (which htmlentities would not escape); otherwise I would have to recommend something more complex than merely htmlentities() and html_entity_decode().


Well, as of yet, this is not a problem that I have had to deal with, but I think probably will occur in the future.

Right now, I'm actually thinking of making my own way of parsing things and therefore remove the need for more than one quote at a time.

The method I'm using now isn't exactly the best one, which is why I asked in the first place. I think HTML encode/decode should work for the time being, though.
