
unserialize() function does not work on a variable from the MySQL table on new server

We just switched our website over to a new server. There is a part of my PHP software that pulls out a serialized data value from the MySQL table, and puts it into a variable, and then it's supposed to unserialize().

I never had this issue on any other servers (and this exact code is used on many different servers), but I'm getting an issue where the value fails to unserialize - it returns false (blank).

HOWEVER, if I copy the exact value, put it into another $var, and then unserialize($var) it, it works perfectly fine into an array... they are the exact same values. One works, the other doesn't.

Check out the following link to visualize what I mean:

http://paulmasoumi.com/admin/test.php

And the PHP code on this page is:

<?php
include 'start.php';

$var = 'a:8:{i:0;s:0:"";i:1;s:11:"New Listing";i:2;s:11:"Just Listed";i:3;s:9:"New Price";i:4;s:17:"Exclusive Listing";i:5;s:12:"Just Reduced";i:6;s:31:"Great Price!;Showroom Condition";i:7;s:42:"Featured In;Dream Homes of Canada Magazine";}';


echo 'Echoing $var:<br />';
echo $var;
echo '<br />';


echo 'Echoing $settings[\'remarksdisplay\'] retrieved from mysql database field:<br />';
echo $settings['remarksdisplay'];
echo '<br />';

echo '<br />';

echo 'When you run print_r(unserialize($var)):<br />';
print_r(unserialize($var));
echo '<br />';

echo 'When you run print_r(unserialize($settings[\'remarksdisplay\'])):<br />';
print_r(unserialize($settings['remarksdisplay']));

echo '<br />';
echo '<br />';

echo 'When you run IF statement to see if $settings[\'remarksdisplay\']==$var:<br />';
if($settings['remarksdisplay']==$var) {echo "EQUAL";} else {echo 'not equal';}
?>

I've also checked the server settings regarding the serialize() and unserialize() functions...

Check out these two settings: http://www.paulmasoumi.com/admin/phpinfo.php http://demo.brixwork.com/admin/phpinfo.php

Settings involving serialization of strings, magic quotes etc. are all identical.

What am I missing???

jeffkee asked Sep 10 '10 21:09


2 Answers

The strings are not identical. Viewing the source of your page the one coming out of the database has a linebreak:

a:8:{i:0;s:0:"";i:1;s:11:"New Listing";i:2;s:11:"Just Listed";i:3;s:9:"New Price";i:4;s:17:"Exclusive Listing";i:5;s:12:"Just Reduced";i:6;s:31:"Great 
Price!;Showroom Condition";i:7;s:42:"Featured In;Dream Homes of Canada Magazine";

As you can see after Great. But, it should handle the new line characters just fine. When I copied the database serialized string and tried to unserialize it I received a:

PHP Notice: unserialize(): Error at offset 176 of 234 bytes in php shell code on line 1

Which means something funky is happening, not sure what. I am going to keep digging, but just posting what I found out. If you want a true test, however, add a newline after Great.

UPDATE

<?php
$var = 'a:8:{i:0;s:0:"";i:1;s:11:"New Listing";i:2;s:11:"Just Listed";i:3;s:9:"New Price";i:4;s:17:"Exclusive Listing";i:5;s:12:"Just Reduced";i:6;s:31:"Great' . "\n" .  
'Price!;Showroom Condition";i:7;s:42:"Featured In;Dream Homes of Canada Magazine";}';

$settings['remarksdisplay'] = 'a:8:{i:0;s:0:"";i:1;s:11:"New Listing";i:2;s:11:"Just Listed";i:3;s:9:"New Price";i:4;s:17:"Exclusive Listing";i:5;s:12:"Just Reduced";i:6;s:31:"Great
Price!;Showroom Condition";i:7;s:42:"Featured In;Dream Homes of Canada Magazine";}';

echo 'Echoing $var:' . PHP_EOL;
echo $var;
echo "\n\n";


echo 'Echoing $settings[\'remarksdisplay\'] retrieved from mysql database field:' . PHP_EOL;
echo $settings['remarksdisplay'];

echo "\n\n";

echo 'When you run print_r(unserialize($var)):' . PHP_EOL;
print_r(unserialize($var));
echo "\n";

echo 'When you run print_r(unserialize($settings[\'remarksdisplay\'])):' . PHP_EOL;
print_r(unserialize($settings['remarksdisplay']));

echo "\n\n";

echo 'When you run IF statement to see if $settings[\'remarksdisplay\']==$var:' . PHP_EOL;
if($settings['remarksdisplay']==$var) {echo "EQUAL";} else {echo 'not equal';}
echo PHP_EOL;

?>

Sorry, I changed the linebreaks to newline characters because I tested it in the CLI. The above code has the extra space after Great removed and it works just fine.

So what was happening was basically that the extra space threw off the count. As you can see in the s:XX, the number indicates how long the string is, and that extra space made it 32 instead of 31 for the "Great Price" statement. Since serialize needs to be accurate, it was throwing a Notice error, which most people do not show, and that is why there were no errors coming through.

Jim answered Sep 22 '22 03:09
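One way to pinpoint the kind of length mismatch the answer above describes, as an added example that is not part of the original question or answers: it walks the serialized value and reports each `s:N:"..."` entry whose declared byte count does not end on the closing `";`. The function name `findLengthMismatches`, the resync heuristic and the sample string (the page's value with a space and a newline after "Great") are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Report each s:N:"..." entry whose declared byte length N does not end on `";`.
// Covers array and scalar tokens (a, i, b, d, N, s); objects are not handled.
function findLengthMismatches(string $data): array
{
    $problems = [];
    $pos = 0;
    while ($pos < strlen($data)) {
        // Structural and non-string tokens: skip over them.
        if (preg_match('/\G(?:a:\d+:\{|\}|N;|[ibd]:[^;]*;)/', $data, $m, 0, $pos)) {
            $pos += strlen($m[0]);
            continue;
        }
        if (!preg_match('/\Gs:(\d+):"/', $data, $m, 0, $pos)) {
            $problems[] = ['offset' => $pos, 'error' => 'unrecognised token'];
            break;
        }
        $declared = (int) $m[1];
        $start = $pos + strlen($m[0]);
        if (substr($data, $start + $declared, 2) === '";') {
            $pos = $start + $declared + 2;   // declared length is consistent
            continue;
        }
        // Heuristic resync: treat the next `";` as the real end of the string.
        $end = strpos($data, '";', $start);
        if ($end === false) {
            $problems[] = ['offset' => $pos, 'error' => 'unterminated string'];
            break;
        }
        $problems[] = ['offset' => $pos, 'declared' => $declared, 'actual' => $end - $start,
                       'value' => addcslashes(substr($data, $start, $end - $start), "\0..\37")];
        $pos = $end + 2;
    }
    return $problems;
}

// Constructed sample: the page's value with a space plus newline after "Great".
$fromDb = 'a:8:{i:0;s:0:"";i:1;s:11:"New Listing";i:2;s:11:"Just Listed";i:3;s:9:"New Price";'
    . 'i:4;s:17:"Exclusive Listing";i:5;s:12:"Just Reduced";i:6;s:31:"Great ' . "\n"
    . 'Price!;Showroom Condition";i:7;s:42:"Featured In;Dream Homes of Canada Magazine";}';

// allowed_classes => false keeps unserialize() from instantiating objects.
$result = @unserialize($fromDb, ['allowed_classes' => false]);
if ($result === false && $fromDb !== serialize(false)) {
    print_r(findLengthMismatches($fromDb));
}
```

The `value` field escapes control characters, so a stray newline or carriage return that is invisible in a browser shows up as `\n` or `\r`.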


Use substr to remove quotes like

$str = substr( $data['str'], 1, -1 );

and then unserialize your data.

The reason is that MySQL returns a quoted string.

hitesh balyan answered Sep 19 '22 03:09