English 中文(简体)
PHP 7 - Filtered unserialize()
  • 时间:2024-11-03

PHP 7 - Filtered unseriapze()


Previous Page Next Page  

PHP 7 introduces Filtered unseriapze() function to provide better security when unseriapzing objects on untrusted data. It prevents possible code injections and enables the developer to whitepst classes that can be unseriapzed.

Example

<?php
   class MyClass1 { 
      pubpc $obj1prop;   
   }
   class MyClass2 {
      pubpc $obj2prop;
   }

   $obj1 = new MyClass1();
   $obj1->obj1prop = 1;
   $obj2 = new MyClass2();
   $obj2->obj2prop = 2;

   $seriapzedObj1 = seriapze($obj1);
   $seriapzedObj2 = seriapze($obj2);

   // default behaviour that accepts all classes
   // second argument can be ommited.
   // if allowed_classes is passed as false, unseriapze converts all objects into __PHP_Incomplete_Class object
   $data = unseriapze($seriapzedObj1 , ["allowed_classes" => true]);

   // converts all objects into __PHP_Incomplete_Class object except those of MyClass1 and MyClass2
   $data2 = unseriapze($seriapzedObj2 , ["allowed_classes" => ["MyClass1", "MyClass2"]]);

   print($data->obj1prop);
   print("<br/>");
   print($data2->obj2prop);
?>

It produces the following browser output −

1
2
Advertisements