
I store my sessions in a MySQL database. The session data is serialized and stored in a DB cell.

The problem is the following: the serialized object gets into the database only partially. If I echo the query string, copy it and paste it into phpMyAdmin -> database query, it gets into the database in full, as it should. "echo mysql_error" shows no errors. The encoding is not the reason; I have declared it strictly. Here's the piece of the code I use.

$sql = "UPDATE sessions
SET SESSION_ID='$id', ACCESS='$access', DATA='".stripslashes($data)."', USER_ID='$username' WHERE SESSION_ID = '$id'";
echo("<br>".$sql."<br>");
return mysql_query($sql, $_sess_db);
echo mysql_error($_sess_db);

How can I fix it? And why does the same query work fine when I copy-paste it into phpMyAdmin but doesn't work as it should when executed via the mysql_query function?

  • I assume the serialized data is the problem. Are you sure all data is serialized? And unserialized successfully? I don't think the problem comes from MySQL. Have you tried to save your session in a plain file? Do you get the same issue? – William R Mar 20 '12 at 12:21
  • 1. Can you post the echoed string? That is probably causing this... 2. mysql_error is never used because you return before it – Hans Wassink Mar 20 '12 at 12:26
  • When I echo the query, all data is serialized. I don't unserialize it; I look into the database via phpMyAdmin and see whether the object is complete or not. The sessions in plain files with the same object work fine – user1010936 Mar 20 '12 at 12:40
  • I can't post the string; it's over the message size limit. But the query is correct because it works fine when I copy-paste and submit it manually. – user1010936 Mar 20 '12 at 12:58

2 Answers

Don't do that: don't dynamically create the update statement. Use parametrized queries instead (see questions and answers on SQL injection). I assume that it has something to do with the data not being correctly escaped (which can be prevented by using parametrized queries). Also I assume that mysql_error() does not get called because of the previous return statement.

Bernhard Kircher
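An added example of the parametrized approach this answer recommends, written here as a PHP session write handler on PDO prepared statements; it is not code from the question or from either answer. The session blob is bound as a value, so the quotes and backslashes that serialize() emits never reach the SQL text, and no hand-written escaping is needed. It assumes (none of this is on the original page) a `sessions` table with the question's columns SESSION_ID (primary key), ACCESS (integer timestamp), DATA and USER_ID, and the DSN and credentials are placeholders.

```php
<?php
// Added example, not from the question or the answers on this page.
// The serialized session data is bound to a prepared statement instead of
// being spliced into the query string. Bound values are sent to the server
// length-delimited and separately from the SQL, so quotes, backslashes and
// even NUL bytes inside serialize() output cannot truncate the statement or
// change its meaning.
// Assumptions: table `sessions` with columns SESSION_ID (primary key),
// ACCESS (integer timestamp), DATA, USER_ID; DSN and credentials are placeholders.

function connectSessionDb(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
        'app_user',                                         // placeholder user
        'app_password',                                     // placeholder password
        [
            // Failures raise PDOException instead of being lost silently,
            // which is what happened to the unreachable mysql_error() call
            // in the question.
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: values travel apart from the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Insert or overwrite the row for one session id.
// $data is the serialized blob PHP hands to a session write handler.
function writeSession(PDO $pdo, string $id, int $access, string $data, string $username): bool
{
    $stmt = $pdo->prepare(
        'REPLACE INTO sessions (SESSION_ID, ACCESS, DATA, USER_ID)
         VALUES (:id, :access, :data, :user)'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->bindValue(':access', $access, PDO::PARAM_INT);
    $stmt->bindValue(':data', $data, PDO::PARAM_STR);   // binary-safe: no escaping of the blob
    $stmt->bindValue(':user', $username, PDO::PARAM_STR);
    return $stmt->execute();
}

// Read the blob back so the round trip can be checked without phpMyAdmin.
function readSession(PDO $pdo, string $id): ?string
{
    $stmt = $pdo->prepare('SELECT DATA FROM sessions WHERE SESSION_ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['DATA'];
}

// Constructed sample: a session value containing the characters that break
// string-spliced queries (single and double quotes, a backslash).
$sample = serialize(['note' => "O'Reilly said \"use \\ prepared statements\""]);

try {
    $pdo = connectSessionDb();
    writeSession($pdo, 'sess_example_id', time(), $sample, 'alice');
    $stored = readSession($pdo, 'sess_example_id');
    // With binding, the blob survives byte for byte and unserialize() succeeds.
    var_dump($stored === $sample);
    var_dump(unserialize($stored) === unserialize($sample));
} catch (PDOException $e) {
    // Surfaced here rather than swallowed by a return placed before mysql_error().
    echo 'Session write failed: ', $e->getMessage(), PHP_EOL;
}
```

To plug this into PHP's session machinery, call writeSession() from the write callback registered with session_set_save_handler(); the same two functions also work unchanged for the question's UPDATE-only layout if REPLACE INTO is swapped for an UPDATE with the same bound placeholders.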
$sql= 'UPDATE `sessions` 
SET `SESSION_ID`= "'.$id.'", 
`ACCESS`= "'.$access.'", 
`DATA`= \''.str_replace("'", "\'", $data).'\', 
`USER_ID`= "'.$username.'" 
WHERE `SESSION_ID`= "'.$id.'"';
HanhNghien