single quote in screen name breaks unserialize of paypal_details

I have some custom variables being sent through paypal that are important for our marketing efforts. I’m using SCM to store the purchases as per usual, but have added in my the extra values on the paypal url string I send.

This all works great 99% of the time. What i’ve found is that any instance of a single quote [ ’ ] in any of the fields causes my unserialize php script to break.

The most recent instance was someone who’s screen name was like [ xxx O’Dine ].

The only way I could track down what was breaking my php code was a painstaking serializing search which led me to the culprit.

My question is, how can I avoid this in the future? I’ve had it happen in my custom fields (sent to paypal, returned in the serialized array), and this is the first in the screen name field.

Here’s my php code that fails. I’ve tried to add some error handling into this script, but it still breaks when there’s a single quote in the serialized array.

{exp:query sql="SELECT paypal_details FROM exp_simple_commerce_purchases as p WHERE p.purchase_id={embed:purchase_id}"} {embed:purchase_id}
 <?php   
 $unserialized = preg_replace('!s:(\d+):"(.*?)";!se', "'s:'.strlen('$2').':\"$2\";'", '{paypal_details}');      
 //echo $unserialized;
 $details = @unserialize($unserialized);
  if (!is_array($details) || !isset($details['option_selection1'])) {
         // something went wrong, initialize to empty array
         echo "</td><td colspan='1'>n/a</td>";
     }
     else{
       //echo var_dump($details);
       echo "<strong>".$details['option_selection1']."</strong></td><td>".$details['option_selection2']."</td>";
     }               
 ?>
{/exp:query}

Any help would be appreciated!

thanks Rowan