Comments on: A reliable way to serialize/unserialize objects in PHP

By: kate

kate — Thu, 06 Mar 2008 11:40:41 +0000

good post man thx

By: Веб-обзор #10 - бизнес, бизнес, немного РНР, совсем немного PostgreSQL и архитектуры Flickr и Google на русском. | Alpha-Beta-Release Blog

Sun, 10 Feb 2008 10:49:34 +0000

[…] A reliable way to serialize/unserialize objects in PHP - ещё один материал, более основательный, для РНР разработчиков, который расскажет о таком, казалось бы тривиальном процессе, как сериализация и десериализация объектов. На самом деле это совсем не так просто и чревато разными подводными камнями, особенно для начинающих программистов, так что очень рекомендуется для изучения. […]

By: Adam

Adam — Wed, 09 Jan 2008 13:55:40 +0000

Serialize for the win!

By: developercast.com » Pavel Shevaev’s Blog: A reliable way to serialize/unserialize objects in PHP

Tue, 11 Dec 2007 18:45:04 +0000

[…] Shevaev has posted his method (a reliable way) for serializing and unserializing objects in your […]

By: PHPDeveloper.org

PHPDeveloper.org — Tue, 11 Dec 2007 13:57:29 +0000

Pavel Shevaev’s Blog: A reliable way to serialize/unserialize objects in PHP…

Pavel Shevaev has posted his method (a reliable way) for serializing ……

By: Alexey Zakhlestin

Alexey Zakhlestin — Mon, 10 Dec 2007 11:14:17 +0000

At some point I thought you would go the “java way” and put the code of the class into serialized stream

Solution is an interesting one. Though, I doubt I will have a use-case for that. My projects usually have “ezc-style” autoload maps (and I patch external libs which I use to do the same)

By: pachanga

pachanga — Mon, 10 Dec 2007 10:35:16 +0000

>Although I’m not in favour of this approach.
>I think that a well structured application layout is very important…
>If you have that then you know where class structures are located
>and can find them easily at runtime by use of __autoload

Unfortunately, this is often not the case when dealing with misc. external libraries which have different file system layout, naming conventions or simply don’t use __autoload at all.

By: pachanga

pachanga — Mon, 10 Dec 2007 10:31:21 +0000

sorccu, I believe this should be a concern of the code using SerializableContainer. SerializableContainer is a pretty generic solution and it simply can’t predict all possible misuses. The same security concerns are valid for serialize/unserialize calls too. Anyway thanks for raising this issue.

By: sorccu

sorccu — Mon, 10 Dec 2007 10:05:21 +0000

var_dump(preg_match(’~([||;]O|^O):\d+:”([^”]+)”:\d+:{~’, serialize(’user;O:3:”Foo”:0:{}input’)));

So, depending on what you are serializing, some evil madman could be able to force you to load a class file that isn’t necessarily needed. Given the need for the class to already exist at the time of serializing, this is hardly a serious risk but it is nevertheless quite scary.

By: pachanga

pachanga — Mon, 10 Dec 2007 08:07:57 +0000

James, you are right about possible problems due to files relocation, I’ll update the drawbacks list, thanks. Fortunately, this happens not that often to be a real issue(at least in my practice). However if this approach is used in a cluster, all servers _must_ have all PHP code stored using identical file system layout for obvious reasons.