My PHP code serializes, but doesn’t unserialize, what could be the problem?
$serializedColumns = serialize($columnNames);
I have the following resulting HTML, where I stored the serialized string into a hidden field:
<input id="columns_hidden" name="columns" type="hidden" value="a:3:{i:0;s:8:"Username";i:1;s:8:"Password";i:2;s:11:"AccessLevel";}">
The request is sent to ‘AddData.php’, where I have my unserialize code like this:
$columns = unserialize($_REQUEST['columns']);
When I call print_r on $columns, it returns a blank string.
When I call print_r on $_REQUEST['columns'], it returns:
a:3:{i:0;s:8:\"Username\";i:1;s:8:\"Password\";i:2;s:11:\"AccessLevel\";}
This is actually a comment, but I put it here for more attention: Don’t do that.
Why? – Whenever you unserialize data provided by a request blindly, PHP does more than you think. This can create objects which are dangerous for your application and you can not do a thing against that. The hidden input can be easily edited and manipulated with a DOM editor or JavaScript to include harmful code or malicious requests can be fired against your site bringing it down quickly.
Alternatives – Instead use some form of data that you can process more easily, for example, use json_encode/json_decode or a classic implode/explode: and
this is much more failsafe and sane because it’s static data processing.
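The json_encode/json_decode alternative from the answer above, as an added example that is not part of the original post. It assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR); ALLOWED_COLUMNS, renderColumnsField and parseColumnsField are hypothetical names, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list of column names the receiving script accepts.
const ALLOWED_COLUMNS = ['Username', 'Password', 'AccessLevel'];

// Sending page: htmlspecialchars() stops the JSON double quotes from ending the attribute.
function renderColumnsField(array $columnNames): string
{
    $json = json_encode(array_values($columnNames), JSON_THROW_ON_ERROR);
    return '<input id="columns_hidden" name="columns" type="hidden" value="'
        . htmlspecialchars($json, ENT_QUOTES, 'UTF-8') . '">';
}

// Receiving page: json_decode() yields only arrays and scalars, never application objects.
function parseColumnsField(string $raw): array
{
    // Depth 2 is enough for a flat list; deeper input fails to decode.
    $decoded = json_decode($raw, true, 2, JSON_THROW_ON_ERROR);
    if (!is_array($decoded) || $decoded !== array_values($decoded)) {
        throw new InvalidArgumentException('columns must be a JSON list');
    }
    foreach ($decoded as $name) {
        if (!is_string($name) || !in_array($name, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException('unexpected column name');
        }
    }
    return $decoded;
}

echo renderColumnsField(['Username', 'Password', 'AccessLevel']), PHP_EOL;

// Constructed sample values standing in for $_POST['columns'].
$samples = [
    '["Username","Password","AccessLevel"]',   // what the form above submits
    '["Username","IsAdmin"]',                  // edited in the browser: not on the allow-list
    'O:8:"stdClass":0:{}',                     // serialize() syntax: not valid JSON
];
foreach ($samples as $raw) {
    try {
        echo 'accepted: ', implode(', ', parseColumnsField($raw)), PHP_EOL;
    } catch (JsonException | InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```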