Since a lot of the notes on unserialize() are to do with handling user input,

or people telling other people they're wrong for trusting user input at all, add a warning to clarify that unserialize() should not be used with untrusted data. git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@328244 c90b9560-bf6c-de11-be94-00142212c4b1
2025-03-16 08:58:56 +00:00 · 2012-11-06 01:29:54 +00:00 · 2012-11-06 01:29:54 +00:00 · 9a8e96e853
commit 9a8e96e853
parent 63ccfe404c
1 changed files with 10 additions and 0 deletions
--- a/reference/var/functions/unserialize.xml
+++ b/reference/var/functions/unserialize.xml
@ -158,6 +158,16 @@ function mycallback($classname)
    <constant>E_NOTICE</constant>.
   </para>
  </warning>
+  <warning>
+   <para>
+    Do not pass untrusted user input to <function>unserialize</function>.
+    Unserialization can result in code being loaded and executed due to object
+    instantiation and autoloading, and a malicious user may be able to exploit
+    this. Use a safe, standard data interchange format such as JSON (via
+    <function>json_decode</function> and <function>json_encode</function>) if
+    you need to pass serialized data to the user.
+   </para>
+  </warning>
 </refsect1>

 <refsect1 role="seealso">