php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52371 Bug related to serialisation session and store in database postgresql 8.4
Submitted: 2010-07-18 20:49 UTC Modified: 2010-07-18 22:11 UTC
From: contact at albatros-info dot fr Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.3.2 OS: Ubuntu 10.04 LTS
Private report: No CVE-ID: None
 [2010-07-18 20:49 UTC] contact at albatros-info dot fr
Description:
------------
i ve a class test

<?php
class test{
protected $die = true;
}
?>

plus i ve many value for $_SESSION

i use session_set_save_handler to declare session store in database
and when php call write from my class session : 
	
public function write ($sid, $data){//écriture
		$debug = false;
		$expire = intval(time() + $this->session_life);
		$data = $this->db->dbh->quote($data); 
		$sql = "INSERT INTO session VALUES('$sid',$data,'$expire')";
NB: $data is not protected by ' because func quote realize it.

First i declare many value in $_SESSION and i serialize my object instance of test and i launch program when the program write session data in database
At this moment if i display $data parameters from write i can read : 
.....ivraison";s:6:"�*�die";b:0;s:18:................
and when php store in my database i obtain :
.....ivraison";s:6:" 
so pdo func quote truncate data if i commente line quote and change my sql by 
$sql = "INSERT INTO session VALUES('$sid','$data','$expire')"; //i add protected ' to field $data
i obtain an sql error
because postgres dont find the protected terminator ' cause char �
postgres work in utf8 and $data parameter write is in utf8 so.
sure because postgres will cause an other error type (encoding error)
if i change protected or private (because this 2 cases declare this error) by public, $data parameters from write is equal to data store in database and my program is ok.




Test script:
---------------
no code because it 's difficult to transcribe this case in 20 lines and i must post so database scheme.
Just create sheme in database to collect session data. create session_set_save_handler to write session in database.
Create a class like my test class, serialize it, and declare $_SESSION['test'] = serialize([instance of test])
and write session
I ve no test in mysql


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-07-18 22:11 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2010-07-18 22:11 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

The serialized data contains a 0-byte, you have to use binary-safe encoding and access methods.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Jun 16 11:01:29 2024 UTC