sigmasternchen/php-doc-en
1
0
Fork 0
mirror of https://github.com/sigmasternchen/php-doc-en synced 2025-03-27 06:18:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
php-doc-en/reference/var/functions/unserialize.xml
Christoph Michael Becker e1438a020b Document the __serialize/__unserialize magic in PHP 7.4 
git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@349590 c90b9560-bf6c-de11-be94-00142212c4b1
2020-04-01 23:15:30 +00:00

275 lines
8.7 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<refentry xml:id="function.unserialize" xmlns="http://docbook.org/ns/docbook">
<refnamediv>
<refname>unserialize</refname>
<refpurpose>
Creates a PHP value from a stored representation
</refpurpose>
</refnamediv>
<refsect1 role="description">
&reftitle.description;
<methodsynopsis>
<type>mixed</type><methodname>unserialize</methodname>
<methodparam><type>string</type><parameter>str</parameter></methodparam>
<methodparam choice="opt"><type>array</type><parameter>options</parameter></methodparam>
</methodsynopsis>
<simpara>
<function>unserialize</function> takes a single serialized variable and
converts it back into a PHP value.
</simpara>
<warning>
<para>
Do not pass untrusted user input to <function>unserialize</function> regardless
of the <parameter>options</parameter> value of <literal>allowed_classes</literal>.
Unserialization can result in code being loaded and executed due to object
instantiation and autoloading, and a malicious user may be able to exploit
this. Use a safe, standard data interchange format such as JSON (via
<function>json_decode</function> and <function>json_encode</function>) if
you need to pass serialized data to the user.
</para>
<para>
If you need to unserialize externally-stored serialized data, consider using
<function>hash_hmac</function> for data validation. Make sure data is
not modified by anyone but you.
</para>
</warning>
</refsect1>
<refsect1 role="parameters">
&reftitle.parameters;
<para>
<variablelist>
<varlistentry>
<term><parameter>str</parameter></term>
<listitem>
<para>
The serialized string.
</para>
<para>
If the variable being unserialized is an object, after successfully
reconstructing the object PHP will automatically attempt to call the
<link linkend="object.unserialize">__unserialize()</link> or <link linkend="object.wakeup">__wakeup()</link> methods (if one exists).
</para>
<para>
<note>
<title>unserialize_callback_func directive</title>
<para>
It's possible to set a callback-function which will be called,
if an undefined class should be instantiated during unserializing.
(to prevent getting an incomplete <type>object</type> "__PHP_Incomplete_Class".)
Use your &php.ini;, <function>ini_set</function> or &htaccess;
to define <link linkend="ini.unserialize-callback-func">unserialize_callback_func</link>.
Everytime an undefined class should be instantiated, it'll be called. To disable this feature just
empty this setting.
</para>
</note>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>options</parameter></term>
<listitem>
<para>
Any options to be provided to <function>unserialize</function>, as an
associative array.
</para>
<table>
<title>Valid options</title>
<tgroup cols="3">
<thead>
<row>
<entry>Name</entry>
<entry>Type</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><literal>allowed_classes</literal></entry>
<entry><type>mixed</type></entry>
<entry>
<simpara>
Either an <type>array</type> of class names which should be
accepted, &false; to accept no classes, or &true; to accept all
classes. If this option is defined and
<function>unserialize</function> encounters an object of a class
that isn't to be accepted, then the object will be instantiated as
<classname>__PHP_Incomplete_Class</classname> instead.
</simpara>
<simpara>
Omitting this option is the same as defining it as &true;: PHP
will attempt to instantiate objects of any class.
</simpara>
</entry>
</row>
</tbody>
</tgroup>
</table>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 role="returnvalues">
&reftitle.returnvalues;
<para>
The converted value is returned, and can be a <type>boolean</type>,
<type>integer</type>, <type>float</type>, <type>string</type>,
<type>array</type> or <type>object</type>.
</para>
<para>
In case the passed string is not unserializeable, &false; is returned and
<constant>E_NOTICE</constant> is issued.
</para>
</refsect1>
<refsect1 role="changelog">
&reftitle.changelog;
<para>
<informaltable>
<tgroup cols="2">
<thead>
<row>
<entry>&Version;</entry>
<entry>&Description;</entry>
</row>
</thead>
<tbody>
<row>
<entry>7.1.0</entry>
<entry>
The <literal>allowed_classes</literal> element of
<parameter>options</parameter>) is now strictly typed, i.e. if anything
other than an <type>array</type> or a <type>boolean</type> is given,
<function>unserialize</function> returns &false; and issues an
<constant>E_WARNING</constant>.
</entry>
</row>
<row>
<entry>7.0.0</entry>
<entry>
The <parameter>options</parameter> parameter has been added.
</entry>
</row>
<row>
<entry>5.6.0</entry>
<entry>
Manipulating the serialised data by replacing <literal>C:</literal>
with <literal>O:</literal> to force object instantiation without
calling the constructor will now fail.
</entry>
</row>
</tbody>
</tgroup>
</informaltable>
</para>
</refsect1>
<refsect1 role="examples">
&reftitle.examples;
<para>
<example>
<title><function>unserialize</function> example</title>
<programlisting role="php">
<![CDATA[
<?php
// Here, we use unserialize() to load session data to the
// $session_data array from the string selected from a database.
// This example complements the one described with serialize().
$conn = odbc_connect("webdb", "php", "chicken");
$stmt = odbc_prepare($conn, "SELECT data FROM sessions WHERE id = ?");
$sqldata = array($_SERVER['PHP_AUTH_USER']);
if (!odbc_execute($stmt, $sqldata) || !odbc_fetch_into($stmt, $tmp)) {
// if the execute or fetch fails, initialize to empty array
$session_data = array();
} else {
// we should now have the serialized data in $tmp[0].
$session_data = unserialize($tmp[0]);
if (!is_array($session_data)) {
// something went wrong, initialize to empty array
$session_data = array();
}
}
?>
]]>
</programlisting>
</example>
</para>
<para>
<example>
<title>unserialize_callback_func example</title>
<programlisting role="php">
<![CDATA[
<?php
$serialized_object='O:1:"a":1:{s:5:"value";s:3:"100";}';
ini_set('unserialize_callback_func', 'mycallback'); // set your callback_function
function mycallback($classname)
{
// just include a file containing your class definition
// you get $classname to figure out which class definition is required
}
?>
]]>
</programlisting>
</example>
</para>
</refsect1>
<refsect1 role="notes">
&reftitle.notes;
<warning>
<para>
&false; is returned both in the case of an error and if unserializing
the serialized &false; value. It is possible to catch this special case by
comparing <parameter>str</parameter> with
<literal>serialize(false)</literal> or by catching the issued
<constant>E_NOTICE</constant>.
</para>
</warning>
</refsect1>
<refsect1 role="seealso">
&reftitle.seealso;
<para>
<simplelist>
<member><function>json_encode</function></member>
<member><function>json_decode</function></member>
<member><function>hash_hmac</function></member>
<member><function>serialize</function></member>
<member><link linkend="language.oop5.autoload">Autoloading Classes</link></member>
<member><link linkend="ini.unserialize-callback-func">unserialize_callback_func</link></member>
<member><link linkend="object.wakeup">__wakeup()</link></member>
<member><link linkend="object.serialize">__serialize()</link></member>
<member><link linkend="object.unserialize">__unserialize()</link></member>
</simplelist>
</para>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->
Reference in a new issue View git blame Copy permalink