unserialize()

(PHP 4, PHP 5, PHP 7)

从已存储的表示中创建 PHP 的值

说明

unserialize()对单一的已序列化的变量进行操作，将其转换回 PHP 的值。

参数

序列化后的字符串。

若被解序列化的变量是一个对象，在成功地重新构造对象之后，PHP 会自动地试图去调用__wakeup()成员函数（如果存在的话）。

Note:unserialize_callback_func 指令

如果在解序列化的时候需要实例化一个未定义类，则可以设置回调函数以供调用（以免得到的是不完整的object“__PHP_Incomplete_Class”）。可通过php.ini、ini_set()或.htaccess定义‘unserialize_callback_func’。每次实例化一个未定义类时它都会被调用。若要禁止这个特性，只需置空此设定。

返回值

返回的是转换之后的值，可为integer、float、string、array或object。

如果传递的字符串不可解序列化，则返回FALSE，并产生一个E_NOTICE。

更新日志

范例

Example #1unserialize()例子

unserialize_callback_func 例子

注释

如果反序列化了FALSE的值，或者在过程中发生了错误，都会返回FALSE。可以通过$str和serialize(false)进行比较，或者捕捉E_NOTICE错误来判断这种特殊情况。

参见

• serialize() 产生一个可存储的值的表示
• 自动加载对象
• unserialize_callback_func
• __wakeup()

Just some reminder which may save somebody some time regarding the `$options` array: 
Say you want to be on the safe side and not allow any objects to be unserialized... My first thought was doing the following:

The correct way of doing this is the following:

Hope it helps somebody!

Just a note - if the serialized string contains a reference to a class that cannot be instantiated (e.g. being abstract) PHP will immediately die with a fatal error. If the unserialize() statement is preceded with a '@' to avoid cluttering the logs with warns or notices there will be absolutely no clue as to why the script stopped working. Cost me a couple of hours...

Here's a simple function to get the class of a serialized string (that is, the type of object that will be returned if it's unserialized):


 
  Child One
 
';
// MAKE AN OBJECT (GIVES SimpleXMLElement)
$obj = SimpleXML_Load_String($xml);
// STORE THE OBJECT IN THE SESSION
$_SESSION['obj'] = $obj;

__PHP_Incomplete_Class Object Demystified
1. First take note of the output. A simple example:
__PHP_Incomplete_Class Object (
[__PHP_Incomplete_Class_Name] => SomeObject1
[obj1property1] => somevalue1 [obj1property2] => __PHP_Incomplete_Class Object ( [__PHP_Incomplete_Class_Name] => SomeObject2 [obj2property1] => somevalue1 [obj2property2] => Array (
['key1'] => somevalue3, ['key2'] => somevalue4 ) ) )
2. We analyze this and break it down. 
__PHP_Incomplete_Class Object tells you there is an object that needs to be declared somehow. 
__PHP_Incomplete_Class_Name simply tells you the expected class name. It is just one of the properties for now.
So we have:
a) an unknown object that has a class name SomeObject1 (first class)
b) it has 2 properties, namely obj1property1 and obj2property2
c) obj2property2 is itself an object whose class name is SomeObject2 (the second class)
d) SomeObject2 has two properties, obj2property1 and obj2property2
e) obj2property2 is an array that contains two elements
3. Now that we have an idea of the structure, we shall create class definitions based from it. We will just create properties for now, methods are not required as a minimum.

4. Have that accessible to your script and it will solve the __PHP_Incomplete_Class Object problem as far as the output is concerned. Now you will have:
SomeObject1 ( [obj1property1] => somevalue1 [obj1property2] => SomeObject2 ( [obj2property1] => somevalue1 [obj2property2] => Array ( ['key1'] => somevalue3, ['key2'] => somevalue4 ) ) )
As you will notice, __PHP_Incomplete_Class Object is gone and replaced by the class name. The property __PHP_Incomplete_Class_Name is also removed.
5. As for the array property obj2property2, we can directly access that and just assume that it is an array and loop through it:

Outputs:
key1 : somevalue3
key2 : somevalue4
That's it. You can add more methods on the class declarations for the given properties, provided you keep your original output as basis for the data types.

Talk on Exploiting PHP7 Unserialize here: https://media.ccc.de/v/33c3-7858-exploiting_php7_unserialize

When you serialize an object of a class from a particular namespace, the namespace is recorded as part of the serialization. If you decide to change this namespace's name, it can be hard to read in old serialized objects. I.e., suppose you had serialized an object of type foo\A, you change the namespace of your project to goo but otherwise leave the class definition of A unchanged. You would like to be able to unserialize the object as goo\A, instead unserialization will only create a partial object. To fix this in the case where you don't have nested objects in your class definition, you can use the following simple rename function:
/**
 * Used to change the namespace of a serialized php object (assumes doesn't
 * have nested subobjects)
 *
 * @param string $class_name new fully qualified name with namespace
 * @param string $object_string serialized object
 *
 * @return string serialized object with new name
 */
function renameSerializedObject($class_name, $object_string)
{
  /* number of digits in the length of name of the object needs to be 
    less than 12 digits (probably more like 4) for this to work.
  */
  $name_length = intval(substr($object_string, 2, 14));
  $name_space_info_length = strlen("O:".$name_length.":") +
    $name_length + 2; // 2 for quotes;
  $object_string = 'O:' .
    strlen($class_name) . ':"'. $class_name.'"' .
    substr($object_string, $name_space_info_length);
  return $object_string;
}

Anyone having trouble serializing data with SimpleXMLElement objects stored within it, check this out:
This will traverse $data looking for any children which are instances of SimpleXMLElement, and will run ->asXML() on them, turning them into a string and making them serializable. Other data will be left alone.

 array(4) {
  ["foo"]=>
  object(stdClass)#3 (0) {
  }
  ["int"]=>
  int(123)
  ["str"]=>
  string(4) "asdf"
  ["bar"]=>
  object(SimpleXMLElement)#4 (1) {
   [0]=>
   string(3) "bar"
  }
 }
}*/
var_dump(exportNestedSimpleXML($data));
/*array(1) {
 ["baz"]=>
 array(4) {
  ["foo"]=>
  object(stdClass)#3 (0) {
  }
  ["int"]=>
  int(123)
  ["str"]=>
  string(4) "asdf"
  ["bar"]=>
  string(54) "
bar
"
 }
}
*/
?>

As mentioned in the notes, unserialize returns false in the event of an error and for boolean false. Here is the first solution mentioned, without using error handling:

鹏仔微信 15129739599 鹏仔QQ344225443 鹏仔前端 pjxi.com 共享博客 sharedbk.com