PHP Serialize() & Unserialize() Issues
I've been working on some very large forms lately and I've come to the conclusion that creating a database schema around them wouldn't be the best option because:
- My customers don't need to analyze all form submissions as a whole -- form information is simply used on a per-submission basis (like a job application, for example).
- Making updates to these forms would be very costly since it would take quite a bit of time to add and remove DB fields as well as update the HTML form.
- I'd like to easily restore the information to the array format it came in.
For that reason, I've been using the serialize() and unserialize() functions often. Serializing an array keeps the information in an array format, so to speak, but in one long string. Anyways, I ran into the following error when testing unserialize on some information that I had serialized:
Notice: unserialize(): Error at offset 2 of 52 bytes in file.php on line 130
It turns out that if there's a ", ', :, or ; in any of the array values the serialization gets corrupted. I've found the following fix for this issue on PHP.net:
//to safely serialize
$safe_string_to_store = base64_encode(serialize($multidimensional_array));

//to unserialize...
$array_restored_from_db = unserialize(base64_decode($encoded_serialized_string));
It's a great fix to a simple problem!
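As an added example (not code from the original post), here is the same base64 wrapper written as a pair of functions that also refuse values too long for the column and reject truncated or corrupt data on the way back. The function names and the 65535-byte column limit are assumptions, and the `allowed_classes` option requires PHP 7.0 or later:

```php
<?php
// Added example; pack_for_storage(), unpack_from_storage() and the
// 65535-byte limit are assumptions, not part of the original post.
const MAX_COLUMN_BYTES = 65535; // assumed column size, e.g. a MySQL TEXT field

function pack_for_storage(array $data, int $maxBytes = MAX_COLUMN_BYTES): string
{
    $encoded = base64_encode(serialize($data));
    // Refuse values the column cannot hold rather than let the database
    // cut them short, which later surfaces as "Error at offset ...".
    if (strlen($encoded) > $maxBytes) {
        throw new LengthException('encoded value exceeds column size');
    }
    return $encoded;
}

function unpack_from_storage(string $stored): array
{
    // Strict mode rejects characters outside the base64 alphabet.
    $raw = base64_decode($stored, true);
    if ($raw === false) {
        throw new UnexpectedValueException('stored value is not valid base64');
    }
    // allowed_classes => false keeps unserialize() from instantiating objects
    // from stored data; @ silences the notice because failure is handled below.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('stored value is truncated or corrupt');
    }
    return $data;
}

// Constructed sample submission containing quotes, a colon and a semicolon.
$form = ['name' => "O'Brien", 'note' => 'said "hi"; ratio 3:1', 'skills' => ['php', 'sql']];

$stored = pack_for_storage($form);
var_dump(unpack_from_storage($stored) === $form); // compare round trip with the original

// Simulate a column that silently dropped the tail of the stored value.
try {
    unpack_from_storage(substr($stored, 0, 40));
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```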
Discussion
Great fix indeed!!! Smart thinking!
Works like a charm. I haven’t found any issue with this work-around. You’re one smart duck.
Great “fix”. :-) You also may want to look into a document oriented store (e.g. CouchDB) vs. serializing data into a RDBMS. This would allow you to stay flexible when storing data, but also for later querying/analyzation.
Thanks for this tip! I almost deleted all my new code related to serialization when I decided to search for solutions and found this trick.
It’s not very clear for me how it works if it encodes string after it’s serialized and decodes before it’s unserialized, but for as long as it works I’m happy!
Thanks again!
@Shimon, it’s not actually encoding the string, it’s encoding the serialization. If you encode the serialized array, you’ll have to decode the array before you unserialize it.
Great fix!
@Shaddi
My accent was made on why it does encoding after all, when serialization is done already. I understand that if you encode string after serialization you’d have to decode before unserialization :)
Thank you, I was having an issue with serialize() and unserialize() and this post solved it :)
Thanks for this solution.
Serialize and unserialize is a godsend in lieu of sessions and forms, but could be better constructed.
Excellent advice.
Great blog you’re writing! I think the easiest way to prevent these issues is not to use serialize() function. Why not use the implode() function? It can do the same as far as I know!
When storing very long strings in MySQL, make sure you check the length.
MySQL will silently truncate data longer than the allotted field.
Also, using this technique instead of storing in a database means ‘schema’ changes must be done with a php script vs using a db script to migrate data.
It works for me, but you must make sure your table field has enough varchar space eg: varchar(100) as the string is too long, and you must know how to display arrays.
Thanks mate that was Gr8 Help
thank you so much – I am not sure why this worked and my other code didn’t, but FABULOUS!
thanks
Thanks a lot. Different servers work differently; the same code wouldn’t work on our new server until I implemented this
kudos to putting this up
The real question is why PHP doesn’t incorporate this into serialize() to begin with.
@Peter:
serialise can handle objects too. This isn’t true of implode().
I understand what Shimon is saying and I agree.
I see that if you are moving the serialized value in and out of a database it should be encoded as base64, but the issue is unserializing a serialized array that contains a ‘ (in my case) – encoding and then decoding does not solve that issue as you get the same string back!
Thanks Mr. David Walsh this solved my big time problem.
@Devdutt: This solution did not solve my problem. I am serializing large data and storing it in the database, and unserializing is not working. Using PHP 5.0.1, it is giving an offset error: “Notice: unserialize() [function.unserialize]: Error at offset 45393 of 65533 bytes”.
Thanks in advance
@Praveen.. It could be that your database field has little character space, and it stores only some of the serialized information. This must bring some problem during unserialize(). Try to make enough space in your field, let’s say varchar(2000), and see..
It’s a great fix. But there is a problem when you save a field having a space in its name.
@Gregory Mlay:
The best way to store this would be a BLOB column, e.g. if you run into a character set problem your serialization will remain intact; otherwise your data can get corrupted.
Thanks for the fix. This is what I am looking for. Good to serialize data when storing into cookies.
You need to escape a serialized string in a manner appropriate for your DB, just as you do for any string. For example, mysql_real_escape_string() or prepared statements in the case of MySQL.
If you base64_encode() the serialized string then you will probably obviate escaping regardless of database, since the base64 code table uses only ASCII’s alpha, numeric, + and / characters. But that doesn’t mean it’s a good solution.
I think base64_encode() is not a good replacement for using your DB’s correct escape procedures, for efficiency reasons. Sometimes code fragments found on the web will work as drop-in but are a poor substitute for understanding.
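The prepared-statement and BLOB-column approach suggested in the comments above, as an added example that is not part of the original post or any comment. The submissions table, its column names and the in-memory SQLite database are assumptions chosen so the script runs without a server; it needs the pdo_sqlite extension and PHP 7.0 or later:

```php
<?php
// Added example; the submissions table, its columns and the in-memory
// SQLite database are assumptions made for this illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, payload BLOB NOT NULL)');

// Constructed sample submission with quotes, a colon and a semicolon.
$form = ['name' => "O'Brien", 'note' => 'said "hi"; ratio 3:1'];

// The serialized string travels as a bound parameter, so the driver handles
// quoting and no base64 layer is needed to protect it.
$insert = $pdo->prepare('INSERT INTO submissions (payload) VALUES (:payload)');
$insert->bindValue(':payload', serialize($form), PDO::PARAM_LOB);
$insert->execute();
$id = (int) $pdo->lastInsertId();

$select = $pdo->prepare('SELECT payload FROM submissions WHERE id = :id');
$select->execute([':id' => $id]);
$payload = $select->fetchColumn();

// Some drivers hand LOB columns back as streams; normalise to a string.
if (is_resource($payload)) {
    $payload = stream_get_contents($payload);
}

// allowed_classes => false stops stored data from instantiating objects.
$restored = unserialize($payload, ['allowed_classes' => false]);
var_dump($restored === $form); // compare the restored array with the original
```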