  1. #1 K. Wolfe

    Serialize + htmlspecialchars problems

    So I need to run a serialization and then htmlspecialchars w/ ENT_QUOTES to make it safe for both a url as well as linking to that url in HTML / javascript.

    I'm having problems decoding when I add in the ENT_QUOTES portion...

    Code PHP:
    // Encoding side: serialize the array, then HTML-escape it (including quotes)
    htmlspecialchars(serialize($my_array), ENT_QUOTES);
    // Decoding side, in the script the first line is posted to
    unserialize(htmlspecialchars_decode($this->getRequest()->getParam("details")));

    I've tried the decode with the ENT_QUOTES argument, as well as messed with htmlentities, to no avail. I don't think it'll be necessary to provide the data within the array; just know that it has apostrophes.

  2. #2 cpradio
    Quote Originally Posted by K. Wolfe View Post
    So I need to run a serialization and then htmlspecialchars w/ ENT_QUOTES to make it safe for both a url as well as linking to that url in HTML / javascript.

    I'm having problems decoding when I add in the ENT_QUOTES portion...

    Code PHP:
    // Encoding side: serialize the array, then HTML-escape it (including quotes)
    htmlspecialchars(serialize($my_array), ENT_QUOTES);
    // Decoding side, in the script the first line is posted to
    unserialize(htmlspecialchars_decode($this->getRequest()->getParam("details")));

    I've tried the decode with the ENT_QUOTES argument, as well as messed with htmlentities, to no avail. I don't think it'll be necessary to provide the data within the array; just know that it has apostrophes.
    Why do you need either of those? I would assume urlencode would be sufficient enough.

    Edit:

    another alternative is using base64_encode and passing the encoded value

  3. #3 K. Wolfe
    Hmm, I might have been testing with an extra ' at the end from my URL. Either way I went with base64 + json_encode, thanks for the idea!

  4. #4 Lemon Juice
    The thing is if you use ENT_QUOTES for htmlspecialchars() you have to use ENT_QUOTES for htmlspecialchars_decode():
    PHP Code:
    unserialize(htmlspecialchars_decode($this->getRequest()->getParam("details"), ENT_QUOTES)); 
    And I think cpradio is right that urlencode() is probably more suited for urls - if you add serialized data to a url then most probably you pass it in the query string, in which case htmlspecialchars is not enough and the data will become corrupt on certain characters (this also applies if you use mod_rewrite so as to make nicer urls). htmlspecialchars is just a general escaping function for any data you put into html attributes and it does not cover escaping for urls.

    Edit: even if you use base64_encode you need to escape the string with urlencode before putting it in the url, because base64-encoded data may contain special characters like +, / and = - you will then not be able to properly receive the data using $_GET. This eventually makes base64_encode not necessary for passing data via urls unless you want to add some visual obfuscation.
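The two points in this post, that htmlspecialchars()/htmlspecialchars_decode() round-trip fine when the ENT_QUOTES flags match but do not survive a query string, and that base64 output needs urlencode() because of +, / and =, can be checked directly. The following is an added example written for this page, not code from any participant; the sample arrays are constructed, and parse_str() stands in for the parsing PHP applies to populate $_GET (it does not model Zend's path-segment routing).

```php
<?php
// Added example, not code from the thread. Shows why htmlspecialchars() is the
// wrong tool for a query string and why base64 output still needs urlencode().

// Constructed sample data with an apostrophe, as in the original question.
$my_array = ['name' => "O'Brien", 'note' => 'a & b <c>'];

// 1. htmlspecialchars()/htmlspecialchars_decode() round-trip with ENT_QUOTES.
//    The flags must match on both sides; then the data survives intact.
function html_round_trip(array $data): bool {
    $escaped  = htmlspecialchars(serialize($data), ENT_QUOTES);
    $restored = unserialize(htmlspecialchars_decode($escaped, ENT_QUOTES));
    return $restored === $data;
}

// 2. What happens when a value travels in a query string instead. parse_str()
//    applies the same rules PHP uses for $_GET: '+' becomes a space and a bare
//    '&' starts a new parameter, so unescaped values get corrupted or truncated.
function via_query_string(string $value): ?string {
    parse_str('details=' . $value, $out);
    return $out['details'] ?? null;
}

function survives_query_string(string $value): bool {
    return via_query_string($value) === $value;
}

// 3. Correct escaping for a URL: urlencode() the raw serialized string; the
//    receiving side gets the original back from $_GET with no decode step.
function url_round_trip(array $data): bool {
    $raw = serialize($data);
    return via_query_string(urlencode($raw)) === $raw;
}

// 4. base64 output can contain '+', '/' and '='. The '+' turns into a space in
//    $_GET, so strict base64_decode() rejects it unless urlencode() was applied.
function base64_round_trip(array $data, bool $url_encode): bool {
    $raw      = serialize($data);
    $b64      = base64_encode($raw);
    $param    = $url_encode ? urlencode($b64) : $b64;
    $received = via_query_string($param);
    $decoded  = base64_decode($received, true);   // strict: invalid input -> false
    return $decoded === $raw;
}

// Constructed value whose base64 form contains '+' ("\xfb\xff" -> "+/8=").
$plus_case = ['blob' => "\xfb\xff"];

var_dump(html_round_trip($my_array));                                         // true
var_dump(survives_query_string(htmlspecialchars(serialize($my_array), ENT_QUOTES))); // false: the '&' in "&#039;" and "&amp;" splits the parameter
var_dump(url_round_trip($my_array));                                          // true
var_dump(base64_round_trip($plus_case, false));                               // false: '+' became a space
var_dump(base64_round_trip($plus_case, true));                                // true
```

The second var_dump is the failure mode behind the original question: HTML escaping introduces '&' and ';' into the value, and anything after the first '&' is parsed as a new parameter, so the receiving script never sees the full serialized string regardless of which ENT_* flag it decodes with.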

  5. #5 cpradio
    Quote Originally Posted by Lemon Juice View Post
    Edit: even if you use base64_encode you need to escape the string with urlencode before putting it in the url, because base64-encoded data may contain special characters like +, / and = - you will then not be able to properly receive the data using $_GET. This eventually makes base64_encode not necessary for passing data via urls unless you want to add some visual obfuscation.
    +1 I've run into that exact issue before. You definitely still want to use urlencode and urldecode when passing the base64 string around.

  6. #6 K. Wolfe
    Quote Originally Posted by Lemon Juice View Post
    The thing is if you use ENT_QUOTES for htmlspecialchars() you have to use ENT_QUOTES for htmlspecialchars_decode():
    PHP Code:
    unserialize(htmlspecialchars_decode($this->getRequest()->getParam("details"), ENT_QUOTES)); 
    I said I tried that in the decode as well

    Quote Originally Posted by Lemon Juice View Post
    Edit: even if you use base64_encode you need to escape the string with urlencode before putting it in the url, because base64-encoded data may contain special characters like +, / and = - you will then not be able to properly receive the data using $_GET. This eventually makes base64_encode not necessary for passing data via urls unless you want to add some visual obfuscation.
    Those are acceptable in a URL, and my GET is handling them correctly due to Zend's mod_rewrite.

  7. #7 Lemon Juice
    Quote Originally Posted by K. Wolfe View Post
    I said I tried that in the decode as well
    Oh, I didn't notice... But can you post some sample data and code that illustrates this doesn't work? This is weird because I have tested this with data containing apostrophes and htmlspecialchars_decode works as expected.
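The thread settles on base64 + json_encode, with urlencode() around it for the URL. One caveat none of the posts raise: calling unserialize() on a request parameter, as in the original code, lets anyone who can craft the URL hand the application an arbitrary serialized PHP object, so json_decode() is the safer choice for data that comes back from the client, and if the application must be able to tell a parameter it issued from one the user edited, the value needs an authenticator. The following is an added example for this page, not code from any participant; it assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR), the secret is a constructed placeholder, and parse_str() again stands in for $_GET parsing.

```php
<?php
// Added example, not code from the thread. Carries an array through a URL
// parameter as json_encode + base64 + urlencode, and prefixes an HMAC so a
// tampered or forged parameter is rejected before anything is parsed.
// The key is a constructed placeholder; load it from configuration in practice.
const DETAILS_KEY = 'replace-me-with-a-32-byte-random-secret';

// Encode: JSON instead of serialize() so the receiver never has to unserialize()
// client-controlled input; base64 keeps the token compact; urlencode() makes it
// safe in a query string (the '+', '/' and '=' of base64 would otherwise be
// mangled by $_GET parsing).
function encode_details(array $data, string $key = DETAILS_KEY): string {
    $json = json_encode($data, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key, true);      // 32 raw bytes
    return urlencode(base64_encode($mac . $json));
}

// Decode: the value has already come through $_GET (or Zend's getParam()), so
// PHP has done the URL-decoding. Verify the MAC in constant time before
// trusting or parsing the payload.
function decode_details(string $param, string $key = DETAILS_KEY): ?array {
    $raw = base64_decode($param, true);                   // strict mode
    if ($raw === false || strlen($raw) <= 32) {
        return null;                                     // not base64, or too short to hold a MAC
    }
    $mac  = substr($raw, 0, 32);
    $json = substr($raw, 32);
    if (!hash_equals(hash_hmac('sha256', $json, $key, true), $mac)) {
        return null;                                     // forged or modified
    }
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Simulate the receiving side: parse_str() applies the same rules as $_GET.
function receive(string $query_string): ?array {
    parse_str($query_string, $params);
    return isset($params['details']) ? decode_details($params['details']) : null;
}

// Constructed sample with an apostrophe and characters that are unsafe in URLs.
$my_array = ['name' => "O'Brien", 'tags' => ['a&b', 'c/d', 'e+f']];
$query    = 'details=' . encode_details($my_array);

var_dump(receive($query) === $my_array);                                // true

// Someone without the key builds their own token (a zeroed MAC in front of
// chosen JSON): the MAC check fails and the JSON is never parsed.
$forged = urlencode(base64_encode(str_repeat("\0", 32) . json_encode(['name' => 'admin'])));
var_dump(receive('details=' . $forged));                                // NULL
```

If the parameter only needs to survive the trip and tampering is harmless, the HMAC can be dropped and the pair reduces to urlencode(base64_encode(json_encode($data))) on one side and json_decode(base64_decode($param, true), true) on the other; the point that does not change is to avoid unserialize() on anything the client can supply.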
