unserialize() - PHP variable handling function

Posted by 是丫丫呀, 1 year ago (2023-11-21), 50 views, #Tech tips
Tags: unserialize()

(PHP 4, PHP 5, PHP 7)

Creates a PHP value from a stored representation

Description

unserialize(string $str, array $options = []): mixed

unserialize() takes a single serialized variable and converts it back into a PHP value.

Parameters

$str

The serialized string.

$options

Any options to be provided to unserialize(), as an associative array (PHP 7.0.0 and later). The allowed_classes key takes an array of class names that may be instantiated, true to allow every class, or false to allow none; objects of any other class are returned as __PHP_Incomplete_Class.

If the variable being unserialized is an object, PHP will automatically attempt to call the __wakeup() member function (if it exists) after successfully reconstructing the object.

Note: the unserialize_callback_func directive

If an undefined class needs to be instantiated during unserialization, a callback function can be set to be called (so that you do not end up with an incomplete "__PHP_Incomplete_Class" object). unserialize_callback_func can be defined via php.ini, ini_set() or .htaccess. It is called every time an undefined class would be instantiated. To disable this feature, simply set the directive to an empty value.

Return values

Returns the converted value, which can be an integer, float, string, array or object.

If the passed string is not unserializable, FALSE is returned and an E_NOTICE is issued.

Changelog

Version   Description
7.0.0     Added the $options parameter (allowed_classes).
4.2.0     Added the unserialize_callback_func directive.

Examples

Example #1 unserialize() example

unserialize_callback_func example
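The following is an added example and not the manual's own example code. It shows what the unserialize_callback_func directive changes when a serialized string names a class that is not declared: without a callback PHP builds a __PHP_Incomplete_Class placeholder, with a callback your function decides what happens. The serialized string and the class name "Widget" (which is never declared) are constructed for this example.

```php
<?php
// Added example (not the manual's own code): behaviour of unserialize() when
// the string names an undefined class, with and without a callback.
// Constructed input; 'Widget' is deliberately never declared in this script.

$blob = 'O:6:"Widget":1:{s:4:"name";s:3:"foo";}';

// 1. Without a callback the result is a placeholder object of class
//    __PHP_Incomplete_Class that keeps the data but refuses property access.
$obj = unserialize($blob);
var_dump(get_class($obj));                      // string(22) "__PHP_Incomplete_Class"

// 2. A callback gets the chance to load the class. This one logs the name and
//    refuses instead of loading, which is what you want for input you did not
//    produce yourself: the blob still fails closed, and no unexpected class is
//    ever constructed, so none of its __wakeup() code can run.
function undefinedClassCallback(string $class): void
{
    error_log("unserialize() asked for undefined class: $class");
    throw new UnexpectedValueException("refusing to unserialize class $class");
}
ini_set('unserialize_callback_func', 'undefinedClassCallback');

try {
    unserialize($blob);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;             // refusing to unserialize class Widget
}

// 3. Setting the directive to an empty string turns the callback off again;
//    undefined classes go back to producing __PHP_Incomplete_Class.
ini_set('unserialize_callback_func', '');
var_dump(get_class(unserialize($blob)));        // string(22) "__PHP_Incomplete_Class"
```

The callback only fires for classes that are not declared; a class that is already loaded is instantiated without asking. To restrict which declared classes a string may instantiate, use the allowed_classes option instead of (or in addition to) the callback.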

Notes

Warning

If a serialized FALSE value is unserialized, or an error occurs during the process, FALSE is returned either way. This special case can be told apart by comparing $str with serialize(false), or by catching the E_NOTICE error.

See also

  • serialize() - Generates a storable representation of a value
  • Autoloading classes
  • unserialize_callback_func
  • __wakeup()
Just some reminder which may save somebody some time regarding the `$options` array: 
Say you want to be on the safe side and not allow any objects to be unserialized... My first thought was doing the following:

The correct way of doing this is the following:

Hope it helps somebody!
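As an added example (not the code from the note above, whose snippets are not reproduced on this page, and not the manual's), the following shows why the "be on the safe side" concern matters and how the allowed_classes option (PHP 7.0.0 and later) is spelled. The classes CacheEntry and Config, and the serialized string standing in for attacker-controlled input, are constructed for the example.

```php
<?php
// Added example (not from the manual or the notes): unserialize() on
// attacker-controlled data, and what allowed_classes does about it.
// CacheEntry, Config and the serialized string below are all constructed.

class CacheEntry
{
    public $path;

    // Called automatically by unserialize(); __destruct() would run as well.
    // Whatever is in here executes with attacker-chosen property values.
    public function __wakeup()
    {
        echo "__wakeup(): would now open {$this->path}\n";
    }
}

class Config
{
    public $name = 'default';
}

// Stands in for a cookie or request body. The application only ever stored
// Config objects, but the string names CacheEntry instead.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:11:"/etc/passwd";}';

// Unsafe: every class declared in the process is reachable, so __wakeup() runs.
$obj = unserialize($untrusted);
// prints: __wakeup(): would now open /etc/passwd

// Restricted: only the classes this code expects may be instantiated. Any other
// class comes back as __PHP_Incomplete_Class, whose __wakeup()/__destruct()
// are never invoked.
$obj = unserialize($untrusted, ['allowed_classes' => ['Config']]);
var_dump(get_class($obj));          // string(22) "__PHP_Incomplete_Class"

// Strictest, for data that should contain no objects at all.
$obj = unserialize('a:1:{s:1:"k";i:1;}', ['allowed_classes' => false]);
var_dump($obj);                     // array(1) { ["k"]=> int(1) }

// Pitfall: the key has to be spelled out. An empty options array leaves every
// class allowed, exactly like the one-argument call.
$obj = unserialize($untrusted, []);
// prints: __wakeup(): would now open /etc/passwd
```

allowed_classes is a mitigation, not a cure: the classes you do allow still have their __wakeup() and __destruct() run with attacker-chosen property values, so a gadget inside the allowed set remains reachable. For data that crosses a trust boundary, prefer a format with no object semantics (json_decode()) or authenticate the blob (for example with an HMAC) before it reaches unserialize().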
Just a note - if the serialized string contains a reference to a class that cannot be instantiated (e.g. being abstract) PHP will immediately die with a fatal error. If the unserialize() statement is preceded with a '@' to avoid cluttering the logs with warns or notices there will be absolutely no clue as to why the script stopped working. Cost me a couple of hours...
Here's a simple function to get the class of a serialized string (that is, the type of object that will be returned if it's unserialized):


 
__PHP_Incomplete_Class Object Demystified
1. First take note of the output. A simple example:
__PHP_Incomplete_Class Object (
    [__PHP_Incomplete_Class_Name] => SomeObject1
    [obj1property1] => somevalue1
    [obj1property2] => __PHP_Incomplete_Class Object (
        [__PHP_Incomplete_Class_Name] => SomeObject2
        [obj2property1] => somevalue1
        [obj2property2] => Array (
            ['key1'] => somevalue3,
            ['key2'] => somevalue4
        )
    )
)
2. We analyze this and break it down. 
__PHP_Incomplete_Class Object tells you there is an object that needs to be declared somehow. 
__PHP_Incomplete_Class_Name simply tells you the expected class name. It is just one of the properties for now.
So we have:
a) an unknown object that has a class name SomeObject1 (first class)
b) it has 2 properties, namely obj1property1 and obj2property2
c) obj2property2 is itself an object whose class name is SomeObject2 (the second class)
d) SomeObject2 has two properties, obj2property1 and obj2property2
e) obj2property2 is an array that contains two elements
3. Now that we have an idea of the structure, we shall create class definitions based from it. We will just create properties for now, methods are not required as a minimum.

4. Have that accessible to your script and it will solve the __PHP_Incomplete_Class Object problem as far as the output is concerned. Now you will have:
SomeObject1 (
    [obj1property1] => somevalue1
    [obj1property2] => SomeObject2 (
        [obj2property1] => somevalue1
        [obj2property2] => Array (
            ['key1'] => somevalue3,
            ['key2'] => somevalue4
        )
    )
)
As you will notice, __PHP_Incomplete_Class Object is gone and replaced by the class name. The property __PHP_Incomplete_Class_Name is also removed.
5. As for the array property obj2property2, we can directly access that and just assume that it is an array and loop through it:

Outputs:
key1 : somevalue3
key2 : somevalue4
That's it. You can add more methods on the class declarations for the given properties, provided you keep your original output as basis for the data types.
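The following added example (not code from the notes above) covers both the "get the class of a serialized string" helper whose code is not reproduced on this page and the walk-through just given. serializedClassNames() lists every class name a serialized string refers to, including nested objects, without instantiating any of them: it unserializes with allowed_classes => false and reads the __PHP_Incomplete_Class_Name entry from each placeholder. The second half declares the two classes the walk-through ends with. The serialized string is constructed to match the print_r() output shown in the note.

```php
<?php
// Added example (not the notes' own code): inspect a serialized string for the
// classes it would instantiate, then load it once those classes are declared.
// The serialized string is constructed to mirror the note's print_r() output.

function serializedClassNames(string $blob): array
{
    if ($blob === serialize(false)) {   // 'b:0;' legitimately decodes to false
        return [];
    }
    // allowed_classes => false: every object becomes __PHP_Incomplete_Class,
    // so nothing is constructed and no __wakeup() runs while we look.
    $value = unserialize($blob, ['allowed_classes' => false]);
    if ($value === false) {
        throw new InvalidArgumentException('not a valid serialized string');
    }

    $names = [];
    $walk = function ($node) use (&$walk, &$names): void {
        if (is_object($node) && get_class($node) === '__PHP_Incomplete_Class') {
            // An array cast exposes the stored properties, including the
            // synthetic __PHP_Incomplete_Class_Name entry the note describes.
            $props = (array) $node;
            $names[$props['__PHP_Incomplete_Class_Name']] = true;
            unset($props['__PHP_Incomplete_Class_Name']);
            foreach ($props as $child) {
                $walk($child);   // nested objects, like the note's SomeObject2
            }
        } elseif (is_array($node)) {
            foreach ($node as $child) {
                $walk($child);
            }
        }
    };
    $walk($value);
    return array_keys($names);
}

$blob = 'O:11:"SomeObject1":2:{'
      . 's:13:"obj1property1";s:10:"somevalue1";'
      . 's:13:"obj1property2";O:11:"SomeObject2":2:{'
      .   's:13:"obj2property1";s:10:"somevalue1";'
      .   's:13:"obj2property2";a:2:{s:4:"key1";s:10:"somevalue3";s:4:"key2";s:10:"somevalue4";}'
      . '}}';

print_r(serializedClassNames($blob));   // Array ( [0] => SomeObject1 [1] => SomeObject2 )

// Step 3 of the note: declare the classes with matching properties and the
// placeholders disappear. Naming them in allowed_classes documents the
// expectation and blocks anything else the string might try to instantiate.
class SomeObject1 { public $obj1property1; public $obj1property2; }
class SomeObject2 { public $obj2property1; public $obj2property2; }

$obj = unserialize($blob, ['allowed_classes' => ['SomeObject1', 'SomeObject2']]);
foreach ($obj->obj1property2->obj2property2 as $key => $value) {
    echo "$key : $value\n";              // key1 : somevalue3, key2 : somevalue4
}
```

Running the inspection before the real unserialize() is a cheap check for blobs read from a cache, session store or message queue: if the list contains a class you did not expect, refuse the blob rather than let it construct the object.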
Talk on Exploiting PHP7 Unserialize here: https://media.ccc.de/v/33c3-7858-exploiting_php7_unserialize
When you serialize an object of a class from a particular namespace, the namespace is recorded as part of the serialization. If you decide to change this namespace's name, it can be hard to read in old serialized objects. I.e., suppose you had serialized an object of type foo\A, you change the namespace of your project to goo but otherwise leave the class definition of A unchanged. You would like to be able to unserialize the object as goo\A, instead unserialization will only create a partial object. To fix this in the case where you don't have nested objects in your class definition, you can use the following simple rename function:
/**
 * Used to change the namespace of a serialized php object (assumes doesn't
 * have nested subobjects)
 *
 * @param string $class_name new fully qualified name with namespace
 * @param string $object_string serialized object
 *
 * @return string serialized object with new name
 */
function renameSerializedObject($class_name, $object_string)
{
  /* number of digits in the length of name of the object needs to be 
    less than 12 digits (probably more like 4) for this to work.
  */
  $name_length = intval(substr($object_string, 2, 14));
  $name_space_info_length = strlen("O:".$name_length.":") +
    $name_length + 2; // 2 for quotes;
  $object_string = 'O:' .
    strlen($class_name) . ':"'. $class_name.'"' .
    substr($object_string, $name_space_info_length);
  return $object_string;
}
Anyone having trouble serializing data with SimpleXMLElement objects stored within it, check this out:
This will traverse $data looking for any children which are instances of SimpleXMLElement, and will run ->asXML() on them, turning them into a string and making them serializable. Other data will be left alone.

var_dump($data);
/*array(1) {
 ["baz"]=>
 array(4) {
  ["foo"]=>
  object(stdClass)#3 (0) {
  }
  ["int"]=>
  int(123)
  ["str"]=>
  string(4) "asdf"
  ["bar"]=>
  object(SimpleXMLElement)#4 (1) {
   [0]=>
   string(3) "bar"
  }
 }
}*/
var_dump(exportNestedSimpleXML($data));
/*array(1) {
 ["baz"]=>
 array(4) {
  ["foo"]=>
  object(stdClass)#3 (0) {
  }
  ["int"]=>
  int(123)
  ["str"]=>
  string(4) "asdf"
  ["bar"]=>
  string(54) "
bar
"
 }
}
*/
?>
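The function body behind the var_dump() output above is not reproduced on this page. The following is an added implementation of the traversal the note describes, not the note author's own code: it replaces every SimpleXMLElement inside an array or object graph with its ->asXML() string so the structure can be passed to serialize(), and shows the reverse step. The $data array is constructed to mirror the dump above; the XML literal used for 'bar' is an assumption, since the note does not show it.

```php
<?php
// Added example (not the note's own code): make data containing
// SimpleXMLElement objects serializable by exporting them to XML strings.
// $data is constructed to match the note's var_dump() output; the exact XML
// behind 'bar' is assumed.

function exportNestedSimpleXML($data)
{
    if ($data instanceof SimpleXMLElement) {
        return $data->asXML();          // XML document as a plain string
    }
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            $data[$key] = exportNestedSimpleXML($value);
        }
        return $data;
    }
    if (is_object($data)) {
        // Walk public properties of ordinary objects in place; everything
        // else (ints, strings, objects without SimpleXML inside) is untouched.
        foreach (get_object_vars($data) as $key => $value) {
            $data->$key = exportNestedSimpleXML($value);
        }
    }
    return $data;
}

$data = ['baz' => [
    'foo' => new stdClass(),
    'int' => 123,
    'str' => 'asdf',
    'bar' => new SimpleXMLElement('<bar>bar</bar>'),   // assumed XML literal
]];

// Serializing the raw structure is refused by PHP.
try {
    serialize($data);
} catch (Exception $e) {
    echo "direct serialize() fails: ", $e->getMessage(), PHP_EOL;
}

// After export the SimpleXMLElement has become a string and serialize() works.
$exported = exportNestedSimpleXML($data);
$blob     = serialize($exported);
var_dump(is_string($exported['baz']['bar']));        // bool(true)

// Reading it back: allow only stdClass, then rebuild the element from its XML.
$restored = unserialize($blob, ['allowed_classes' => ['stdClass']]);
$restored['baz']['bar'] = simplexml_load_string($restored['baz']['bar']);
echo $restored['baz']['bar']->getName(), PHP_EOL;    // bar
```

The export is one-way: the caller has to know which strings were XML in order to turn them back into SimpleXMLElement objects, as the last two lines do for 'bar'.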
As mentioned in the notes, unserialize returns false in the event of an error and for boolean false. Here is the first solution mentioned, without using error handling:

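The following is an added example, not the code from the note above (which is not reproduced on this page). It shows both ways the manual's Warning mentions to tell "the string encodes false" apart from "the string is invalid": comparing the input with serialize(false) first, and converting the E_NOTICE into an exception for the duration of the call so the ambiguity never reaches the caller. The input strings are constructed.

```php
<?php
// Added example (not the note's own code): unserialize() returns false both
// for a serialized false and for invalid input; distinguish the two cases.
// Inputs below are constructed.

function unserializeStrict(string $blob, array $options = ['allowed_classes' => false])
{
    // serialize(false) is exactly 'b:0;'; handle it before calling unserialize()
    // so that a false return value below can only mean failure.
    if ($blob === serialize(false)) {
        return false;
    }

    // Scoped error handler: the E_NOTICE that unserialize() emits on bad input
    // becomes an exception, so a caller cannot forget to check the result.
    set_error_handler(function (int $errno, string $errstr): bool {
        throw new UnexpectedValueException("unserialize(): $errstr", $errno);
    });
    try {
        $value = unserialize($blob, $options);
    } finally {
        restore_error_handler();          // always undo the scoped handler
    }

    if ($value === false) {
        throw new UnexpectedValueException('unserialize() returned false without a notice');
    }
    return $value;
}

foreach (['b:0;', 'i:42;', 'a:1:{s:1:"k";i:1;}', 'not serialized'] as $blob) {
    try {
        echo str_pad($blob, 20), ' => ', var_export(unserializeStrict($blob), true), PHP_EOL;
    } catch (UnexpectedValueException $e) {
        echo str_pad($blob, 20), ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
// b:0;                 => false
// i:42;                => 42
// a:1:{s:1:"k";i:1;}   => array ( 'k' => 1, )
// not serialized       => rejected: unserialize(): Error at offset ...
```

Unlike the @ operator, the scoped handler does not hide what went wrong, which matters given the fatal-error note above: the notice text (including the byte offset) ends up in the exception message.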