Problems with serialize() and unserialize() - inserting and selecting data PHP MySQL

I am attempting to grab a date supplied via POST, then generate a list of dates over a 12 week period from the supplied start date. These dates would then go into the DB and a 12 week schedule would be output, which the user can interact with (add/edit/delete).

I am successfully taking the start date, generating the 12 week date list and adding this into the DB in serialized form, but when it comes to selecting the dates for display, I get the following error:

Notice: unserialize() [function.unserialize]: Error at offset 0 of xxx bytes in ...

Here is my code:

1st .php file here to take a form input (a date) and then get a list of each date over a 12 week period from the start date, and insert into the DB:

The array:

$start = strtotime($_POST['Start_Date']);
$dates=array();
for($i = 0; $i<=84; $i++)
{
    array_push($dates,date('Y-m-d', strtotime("+$i day", $start)));
}

$savetodb = serialize($dates);

The insert:

$sql = "INSERT INTO programme VALUES (NULL, '20', '".$_POST["Start_Date"]."' , ' ".$savetodb." ', '".$_POST["Programme_Notes"]."')"; 

2nd .php file here - SELECT and unserialize:

$result = mysql_query("SELECT Programme_Dates FROM programme");

while($row = mysql_fetch_array($result))
  {
  $dates = unserialize($row["Programme_Dates"]); 
  echo $dates;

  }

From what I've read the problem could be related to the DB column where the serialized array is inserted (i.e. being too small), but it is set to TEXT so that should be fine, right? I also thought there may be certain characters within a date causing problems, but when testing with a "regular" array (i.e. just text), I get the same errors.

Any suggestions / hints much appreciated, thanks.

Why are you using stripslashes? My bet is that is the problem. Remove that from there and see if it works.

As a side note, stripslashes should be avoided as if data is probably inserted into the database they should be escaped properly, meaning no extra slashes should be added. If you need to stripslashes from the data itself I would suggest using something like array_filter after you have unserialized the array.

EDIT

You should also look into SQL Injection and how to prevent it, as your code is susceptible to be exploited.

UPDATE

Looking further at your code, you insert the serialized array with 2 extra spaces: ' ".$savetodb." '. Try using just '".$savetodb."' and see if it fixes your issue.
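
The two points raised in the answer above (the padding spaces that break unserialize(), and the injectable INSERT), shown together as an added example that is not part of the question or either answer. It assumes PHP 7+ with the pdo_sqlite extension; an in-memory SQLite table stands in for the MySQL `programme` table, the `Start_Date` and `Programme_Notes` column names are assumed from the form field names, and the sample values are constructed.

```php
<?php
// Added example: constructed input; in-memory SQLite stands in for the MySQL table.
declare(strict_types=1);

// Same date list as the question: the start date plus the 84 following days.
function buildDates(string $startDate): array
{
    $start = strtotime($startDate);
    $dates = [];
    for ($i = 0; $i <= 84; $i++) {
        $dates[] = date('Y-m-d', strtotime("+$i day", $start));
    }
    return $dates;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE programme (
    id INTEGER PRIMARY KEY, Start_Date TEXT, Programme_Dates TEXT, Programme_Notes TEXT)');

$startDate  = '2012-01-02';            // constructed stand-in for $_POST['Start_Date']
$notes      = "Week 1: coach's notes"; // constructed; the quote would break a concatenated query
$serialized = serialize(buildDates($startDate));

// 1. The padding added by ' ".$savetodb." ' makes unserialize() fail at offset 0,
//    because the first byte is a space instead of a type marker.
$padded = ' ' . $serialized . ' ';
var_dump(@unserialize($padded));             // padded copy, as stored by the question's INSERT
var_dump(count(unserialize($serialized)));   // unpadded copy

// 2. Bound parameters store the exact bytes: no manual quoting, escaping or stripslashes.
$insert = $pdo->prepare(
    'INSERT INTO programme (Start_Date, Programme_Dates, Programme_Notes) VALUES (?, ?, ?)');
$insert->execute([$startDate, $serialized, $notes]);

// 3. Read back; allowed_classes => false keeps stored data from instantiating objects.
foreach ($pdo->query('SELECT Programme_Dates FROM programme') as $row) {
    $dates = unserialize($row['Programme_Dates'], ['allowed_classes' => false]);
    if ($dates === false) {
        throw new RuntimeException('Stored value is not valid serialized data');
    }
    echo $dates[0], ' .. ', $dates[84], PHP_EOL;
}
```

Against MySQL the same prepared-statement calls work through PDO's mysql driver or mysqli; only the connection string changes.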

I have found that the serialized value stored to the database is converted to some other format. Since the serialized data stores quote marks, semicolons and curly brackets, MySQL needs to be safe on its own, so it automatically puts in a "backslash()" that comes from gpc_magic_quotes (CMIIW). So if you store serialized data and you want to use it, in the interface you should use html_entity_decode() to make sure you have the actual format read by PHP.

Here was my sample:

$ser = $data->serialization; // assume it is the serialization data from database
$arr_ser = unserialize(html_entity_decode($ser));

NB: I've tried it and it works, and be sure to avoid storing this type in tables (too risky). This way can solve the JSON format stored in a table too.
