db_query and serialized arrays
Hi all - I have an sql query that needs to insert a serialized array as one of the columns. However, the serialized data never makes it properly into the DB, I think because db_query strips out the curly braces. Take the following serialized associative array: 'a:2:{s:10:"Cardiology";s:10:"Cardiology";s:11:"Dermatology";s:11:"Dermatology";}' This ends up being stored as 'a:2:s:10:"Cardiology";s:10:"Cardiology";s:11:Dermatology";s:11:Dermatology";' (no curly braces), and I am therefore unable to unserialize() it. What is the way around this, other than fudging it and taking my result as a string and manually pushing the curly braces into place before attempting to unserialize? Thanks, William
Are you using a '%s' placeholder in your query? That should run the serialized string through the proper escaping function. Drupal stores to the DB serialized arrays in many places, so this certainly works. -Peter On 9/3/07, William Smith <william.darren@gmail.com> wrote:
Hi all -
I have an sql query that needs to insert a serialized array as one of the columns. However, the serialized data never makes it properly into the DB, I think because db_query strips out the curly braces. Take the following serialized associative array:
'a:2:{s:10:"Cardiology";s:10:"Cardiology";s:11:"Dermatology";s:11:"Dermatology";}' This ends up being stored as 'a:2:s:10:"Cardiology";s:10:"Cardiology";s:11:Dermatology";s:11:Dermatology";' (no curly braces), and I am therefore unable to unserialize() it.
What is the way around this, other than fudging it and taking my result as a string and manually pushing the curly braces into place before attempting to unserialize?
Thanks, William
Hello, take a look at how variable_set does this: http://api.drupal.org/api/function/variable_set/5 Henrique 2007/9/3, William Smith <william.darren@gmail.com>:
Hi all -
I have an sql query that needs to insert a serialized array as one of the columns. However, the serialized data never makes it properly into the DB, I think because db_query strips out the curly braces. Take the following serialized associative array:
'a:2:{s:10:"Cardiology";s:10:"Cardiology";s:11:"Dermatology";s:11:"Dermatology";}' This ends up being stored as 'a:2:s:10:"Cardiology";s:10:"Cardiology";s:11:Dermatology";s:11:Dermatology";' (no curly braces), and I am therefore unable to unserialize() it.
What is the way around this, other than fudging it and taking my result as a string and manually pushing the curly braces into place before attempting to unserialize?
Thanks, William
I should've looked deeper into the code .. it's a very complex query that is dynamically generated, and it looks as though the constructed values string is plugged in directly rather than using %s substitution. That explains it, I guess. Thanks for the help On 9/3/07, Henrique Recidive <recidive@gmail.com> wrote:
Hello,
take a look at how variable_set does this:
http://api.drupal.org/api/function/variable_set/5
Henrique
2007/9/3, William Smith <william.darren@gmail.com>:
Hi all -
I have an sql query that needs to insert a serialized array as one of the columns. However, the serialized data never makes it properly into the DB, I think because db_query strips out the curly braces. Take the following serialized associative array:
'a:2:{s:10:"Cardiology";s:10:"Cardiology";s:11:"Dermatology";s:11:"Dermatology";}'
This ends up being stored as
'a:2:s:10:"Cardiology";s:10:"Cardiology";s:11:Dermatology";s:11:Dermatology";'
(no curly braces), and I am therefore unable to unserialize() it.
What is the way around this, other than fudging it and taking my result as a string and manually pushing the curly braces into place before attempting to unserialize?
Thanks, William
I should've looked deeper into the code .. it's a very complex query that is dynamically generated, and it looks as though the constructed values string is plugged in directly rather than using %s substitution. That explains it, I guess.
This is an extremely bad practice and you will be biten by it. Though core does similar at a few places wherever I have encountered such, I added a comment why it's safe -- usually because it's an integer retrieved from the database. Complex stuff should never go without a placeholder.
Completey agree, and in fact, I consider myself already bitten by it because of the time spent debugging why my arrays wouldn't unserialize. The query in question has been reworked so that it uses placeholders throughout. On 9/4/07, Karoly Negyesi <karoly@negyesi.net> wrote:
I should've looked deeper into the code .. it's a very complex query that is dynamically generated, and it looks as though the constructed values string is plugged in directly rather than using %s substitution. That explains it, I guess.
This is an extremely bad practice and you will be biten by it. Though core does similar at a few places wherever I have encountered such, I added a comment why it's safe -- usually because it's an integer retrieved from the database. Complex stuff should never go without a placeholder.
participants (4)
-
Henrique Recidive -
Karoly Negyesi -
Peter Wolanin -
William Smith