Serialize + htmlspecialchars problems

Printable View

Feb 14, 2013, 20:44
K. Wolfe

Serialize + htmlspecialchars problems
So I need to run a serialization and then htmlspecialchars w/ ENT_QUOTES to make it safe for both a url as well as linking to that url in HTML / javascript.

I'mmm having problems decoding when I add in the ENT_QUOTES portion...
Code PHP:

htmlspecialchars(serialize($my_array), ENT_QUOTES); unserialize(htmlspecialchars_decode($this->getRequest()->getParam("details"))); //first line is posted to new script
I've trid the decode with the ENT_QUOTES argument, as well as messed with htmlentities with no avail. I don't think it'll be necessary to provide the data within the array, just know that it has apostrophes :)
Feb 15, 2013, 04:50
cpradio
Quote:
Originally Posted by K. Wolfe

So I need to run a serialization and then htmlspecialchars w/ ENT_QUOTES to make it safe for both a url as well as linking to that url in HTML / javascript.

I'mmm having problems decoding when I add in the ENT_QUOTES portion...

Code PHP:

htmlspecialchars(serialize($my_array), ENT_QUOTES); unserialize(htmlspecialchars_decode($this->getRequest()->getParam("details"))); //first line is posted to new script

I've trid the decode with the ENT_QUOTES argument, as well as messed with htmlentities with no avail. I don't think it'll be necessary to provide the data within the array, just know that it has apostrophes :)
Why do you need either of those? I would assume urlencode would be sufficient enough.

Edit:

another alternative is using base64_encode and passing the encoded value
Feb 15, 2013, 08:41
K. Wolfe

Hmm, I might have been testing with an extra ' at the end from my url :D. Either way I went with base64 + json_encode, thanks for the idea!
Feb 15, 2013, 08:50
Lemon Juice

The thing is if you use ENT_QUOTES for htmlspecialchars() you have to use ENT_QUOTES for htmlspecialchars_decode():

PHP Code:

unserialize(htmlspecialchars_decode($this->getRequest()->getParam("details"), ENT_QUOTES));

And I think cpradio is right that urlencode() is probably more suited for urls - if you add serialized data to a url then most probably you pass it in the query string, in which case htmlspecialchars is not enough and the data will become corrupt on certain characters (this also applies if you use mod_rewrite so as to make nicer urls). htmlspecialchars is just a general escaping function for any data you put into html attributes and it does not cover escaping for urls.

Edit: even if you use base64_encode you need to escape the string with urlencode before putting it in the url, because base64-encoded data may contain special characters like +, / and = - you will then not be able to properly receive the data using $_GET. This eventually makes base64_encode not necessary for passing data via urls unless you want to add some visual obfuscation :).
Feb 15, 2013, 09:22
cpradio

Quote:

Originally Posted by Lemon Juice

Edit: even if you use base64_encode you need to escape the string with urlencode before putting it in the url, because base64-encoded data may contain special characters like +, / and = - you will then not be able to properly receive the data using $_GET. This eventually makes base64_encode not necessary for passing data via urls unless you want to add some visual obfuscation :).

+1 :tup: I've run into that exact issue before. You definitely still want to use urlencode and urldecode when passing the base64 string around.
Feb 15, 2013, 09:35
K. Wolfe

Quote:

Originally Posted by Lemon Juice

The thing is if you use ENT_QUOTES for htmlspecialchars() you have to use ENT_QUOTES for htmlspecialchars_decode():

PHP Code:

unserialize(htmlspecialchars_decode($this->getRequest()->getParam("details"), ENT_QUOTES));

I said I tried that in the decode as well :)

Quote:

Originally Posted by Lemon Juice

Edit: even if you use base64_encode you need to escape the string with urlencode before putting it in the url, because base64-encoded data may contain special characters like +, / and = - you will then not be able to properly receive the data using $_GET. This eventually makes base64_encode not necessary for passing data via urls unless you want to add some visual obfuscation :).

Those are acceptable in a URL, and my GET is handling them correctly due to Zends mod rewrite
Feb 15, 2013, 10:01
Lemon Juice

Quote:

Originally Posted by K. Wolfe

I said I tried that in the decode as well :)

Oh, I didn't notice... But can you post some sample data and code that illustrates this doesn't work? This is weird because I have tested this with data containing apostrophes and htmlspecialchars_decode works as expected.