Php Serialize data in Mysql

Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original: http://stackoverflow.com/questions/10836450/

Date: 2020-08-24 23:10:42  Source: igfitidea

Tags: php, mysql, arrays, serialization

Question by alejoabella

I save data in my DB (mysql) with "serialize($array);". This data came from a form with an input field. I want to know what happens if I insert something like "a:4:{i:1;s:7:"fdsfdsf";i" in the form field. Could it break my data stored in the DB? Thanks!!


Answer by Whisperity

I tested your example on my system, and after serialization, the following value is returned:


string(42) "a:1:{i:0;s:24:"a:4:{i:1;s:7:"fdsfdsf";i";}"

This is what will be added to the database. But, storing user input plain in database is highly discouraged. You should first format the plain user input with mysql_real_escape_string() as it will escape critical characters.


Apart from that, if unserialize() is called on the serialized text read back from database, the array is properly returned. It should be safe, but can produce unexpected results.


Be extremely careful with storing serialized arrays in a database. Serialization returns a string, so the field you store the data in is usually VARCHAR or TEXT. If you simply overwrite the stored array with a new one, the old data will be completely lost. To update the database, make sure you first read the data from the database into an array, and update it, and only then write it back to the database.


While it is not forbidden, using and storing stuff serialized in database usually creates a lot of issues. The database has a lot of datatypes known by default, and big serialized arrays create overhead and complicate execution, and are just simply a pain in the ass if the system later needs to be modified. And you cannot use relation queries on serialized fields.

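The round trip this answer describes, as an added example that is not part of the original answers: the form input from the question is serialized, stored, read back and updated read-modify-write style. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table name `mytable` and column `a` follow the answers on this page, and the prepared statement stands in for the mysql_real_escape_string() call the answer mentions.

```php
<?php
// Added example (not from the original answers). PDO + in-memory SQLite so it
// runs stand-alone; table `mytable`, column `a` as in the answers above.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, a TEXT NOT NULL)');

// The serialization-looking form input from the question, wrapped in an array.
$userInput = 'a:4:{i:1;s:7:"fdsfdsf";i';
$array = [$userInput];

$serialized = serialize($array);
var_dump($serialized); // string(42) "a:1:{i:0;s:24:"a:4:{i:1;s:7:"fdsfdsf";i";}"

// Store it with a prepared statement: the value travels separately from the
// SQL text, so the quotes and braces inside it cannot alter the query.
$insert = $db->prepare('INSERT INTO mytable (a) VALUES (:a)');
$insert->execute([':a' => $serialized]);
$id = (int) $db->lastInsertId();

// Read it back. The stored string is an exact copy, and unserialize() restores
// the original array: the inner text is just a 24-byte string, not structure.
// allowed_classes => false (PHP 7.0+) keeps stored data from instantiating
// objects; this row only ever holds arrays and scalars.
$select = $db->prepare('SELECT a FROM mytable WHERE id = :id');
$select->execute([':id' => $id]);
$stored = $select->fetchColumn();
$restored = unserialize($stored, ['allowed_classes' => false]);
assert($restored === $array);

// Read-modify-write update, as the answer advises: never overwrite the column
// with a freshly built array, or the entries already stored are lost.
$restored[] = 'second value';
$update = $db->prepare('UPDATE mytable SET a = :a WHERE id = :id');
$update->execute([':a' => serialize($restored), ':id' => $id]);

$select->execute([':id' => $id]);
$final = unserialize($select->fetchColumn(), ['allowed_classes' => false]);
var_dump(count($final)); // int(2)
```

The var_dump of the serialized string shows the same 42-byte value the answer quotes: the s:24: prefix records the length of the user's text, so whatever it contains is read back as one string rather than parsed as nested structure.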

Answer by Ja?ck

The old way


When you're still using mysql_ you could write queries like this:


$sql = sprintf("INSERT INTO mytable (a) VALUES ('%s')",
    mysql_real_escape_string(serialize($myvar))
);
mysql_query($sql) or die("oh no!");

The recommended way


For PDO and mysqli you get the option to use prepared statements, which comes highly recommended for exactly the purpose of preventing SQL injection attack vectors. An example in PDO:


$stmt = $db->prepare('INSERT INTO mytable (a) VALUES (:myvar)');
$stmt->execute(array(
    ':myvar' => serialize($myvar),
));

Field lengths


Also, make sure the length of your serialized data doesn't exceed the column size of the table field; a truncated serialized variable is pretty much useless.

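A length check of the kind this section asks for, as an added example that is not part of the original answer. The column names and the COLUMN_LIMITS table are this example's own; the byte limits are MySQL's maxima for a VARCHAR(255) column holding single-byte data and for TEXT. It also shows what unserialize() does with a value a too-small column silently truncated (PHP 8 syntax).

```php
<?php
// Added example, not from the original answer. Checks the byte length of
// serialized data against the column limit before writing it, and shows why a
// truncated value is useless.
declare(strict_types=1);

// Limits in bytes. Names are this example's own; numbers are MySQL's maxima
// for VARCHAR(255) with single-byte data and for TEXT (65 535 bytes).
const COLUMN_LIMITS = [
    'varchar_255' => 255,
    'text'        => 65535,
];

/**
 * Serialize $value for the named column, or throw if the result would be
 * truncated. strlen() is used deliberately: column limits and the s:N:
 * prefixes written by serialize() both count bytes, not characters.
 */
function serializeForColumn(mixed $value, string $column): string
{
    $s = serialize($value);
    $limit = COLUMN_LIMITS[$column]
        ?? throw new InvalidArgumentException("unknown column $column");
    if (strlen($s) > $limit) {
        throw new LengthException(sprintf(
            'serialized value is %d bytes, column %s holds at most %d',
            strlen($s), $column, $limit
        ));
    }
    return $s;
}

/** Decode a stored value; returns null instead of false plus a notice on corrupt data. */
function unserializeStored(string $s): mixed
{
    // serialize(false) is the only input for which false is a valid result.
    if ($s === 'b:0;') {
        return false;
    }
    $v = @unserialize($s, ['allowed_classes' => false]);
    return $v === false ? null : $v;
}

// A 300-entry array fits in TEXT but not in VARCHAR(255).
$big = array_fill(0, 300, 'x');
$ok = serializeForColumn($big, 'text');
echo strlen($ok), " bytes fit in TEXT\n";

try {
    serializeForColumn($big, 'varchar_255');
} catch (LengthException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}

// What a silently truncating column would hand back: unserialize() fails,
// because the a:300:{ header promises entries that are no longer there.
$truncated = substr($ok, 0, 255);
var_dump(unserializeStored($truncated));   // NULL
var_dump(unserializeStored($ok) === $big); // bool(true)
```

Refusing the write is the better failure: MySQL in non-strict mode truncates and warns, and the row then holds a string that no reader can decode.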

Answer by Johannes Klauß

A way to block this is escaping quotes before inserting data into the database.


You could do this with mysqli_real_escape_string(): http://www.php.net/manual/en/mysqli.real-escape-string.php
