PHP :: Bug #52371 :: Bug related to serialisation session and store in database postgresql 8.4

Bug #52371	Bug related to serialisation session and store in database postgresql 8.4
Submitted:	2010-07-18 20:49 UTC	Modified:	2010-07-18 22:11 UTC
From:	contact at albatros-info dot fr	Assigned:
Status:	Not a bug	Package:	Session related
PHP Version:	5.3.2	OS:	Ubuntu 10.04 LTS
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2010-07-18 20:49 UTC] contact at albatros-info dot fr

Description:
------------
i ve a class test

<?php
class test{
protected $die = true;
}
?>

plus i ve many value for $_SESSION

i use session_set_save_handler to declare session store in database
and when php call write from my class session : 
	
public function write ($sid, $data){//écriture
		$debug = false;
		$expire = intval(time() + $this->session_life);
		$data = $this->db->dbh->quote($data); 
		$sql = "INSERT INTO session VALUES('$sid',$data,'$expire')";
NB: $data is not protected by ' because func quote realize it.

First i declare many value in $_SESSION and i serialize my object instance of test and i launch program when the program write session data in database
At this moment if i display $data parameters from write i can read : 
.....ivraison";s:6:"�*�die";b:0;s:18:................
and when php store in my database i obtain :
.....ivraison";s:6:" 
so pdo func quote truncate data if i commente line quote and change my sql by 
$sql = "INSERT INTO session VALUES('$sid','$data','$expire')"; //i add protected ' to field $data
i obtain an sql error
because postgres dont find the protected terminator ' cause char �
postgres work in utf8 and $data parameter write is in utf8 so.
sure because postgres will cause an other error type (encoding error)
if i change protected or private (because this 2 cases declare this error) by public, $data parameters from write is equal to data store in database and my program is ok.




Test script:
---------------
no code because it 's difficult to transcribe this case in 20 lines and i must post so database scheme.
Just create sheme in database to collect session data. create session_set_save_handler to write session in database.
Create a class like my test class, serialize it, and declare $_SESSION['test'] = serialize([instance of test])
and write session
I ve no test in mysql

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-07-18 22:11 UTC] johannes@php.net

-Status: Open +Status: Bogus

[2010-07-18 22:11 UTC] johannes@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

The serialized data contains a 0-byte, you have to use binary-safe encoding and access methods.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Jun 25 22:01:29 2024 UTC