PHP unserialize() filtering
PHP 7 adds a filtering option to unserialize(): an allowlist of classes that may be instantiated, which prevents untrusted serialized data from injecting arbitrary objects and makes deserialization safer.
Example
<?php
class MyClass1 {
    public $obj1prop;
}
class MyClass2 {
    public $obj2prop;
}
$obj1 = new MyClass1();
$obj1->obj1prop = 1;
$obj2 = new MyClass2();
$obj2->obj2prop = 2;
$serializedObj1 = serialize($obj1);
$serializedObj2 = serialize($obj2);
// Default behaviour is to accept all classes;
// the second parameter can be omitted.
// If allowed_classes is set to false, every object is converted to a __PHP_Incomplete_Class object.
$data = unserialize($serializedObj1, ["allowed_classes" => true]);
// Convert every object except MyClass1 and MyClass2 to a __PHP_Incomplete_Class object.
$data2 = unserialize($serializedObj2, ["allowed_classes" => ["MyClass1", "MyClass2"]]);
print($data->obj1prop);
print(PHP_EOL);
print($data2->obj2prop);
?>
The above program prints:
1
2
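The example above only shows the happy path. The following added example (not from the original page) shows the defensive use of allowed_classes: a strict allowlist of one class, and a check for the __PHP_Incomplete_Class placeholder that PHP substitutes when the payload names a class outside the list. SafeDto, Unexpected and restoreDto are hypothetical names chosen for the illustration.

```php
<?php
// Added example: allowlist one class and detect the placeholder PHP substitutes.
class SafeDto {
    public $value;
}

// Hypothetical class the application never expects to unserialize.
class Unexpected {
    public $payload;
    public function __wakeup() { echo "__wakeup ran\n"; }
}

function restoreDto(string $payload): ?SafeDto {
    // Only SafeDto may be instantiated; any other class in the payload
    // becomes __PHP_Incomplete_Class and its __wakeup/__destruct never run.
    $data = unserialize($payload, ['allowed_classes' => [SafeDto::class]]);
    if ($data === false) {
        return null;   // malformed input (unserialize raised E_NOTICE) or serialized false
    }
    if ($data instanceof __PHP_Incomplete_Class || !($data instanceof SafeDto)) {
        return null;   // payload named a class outside the allowlist
    }
    return $data;
}

$good = new SafeDto();
$good->value = 42;
$ok = restoreDto(serialize($good));
var_dump($ok !== null && $ok->value === 42);   // bool(true)

$bad = new Unexpected();
$bad->payload = 'x';
// Unexpected is never instantiated, so "__wakeup ran" is not printed.
var_dump(restoreDto(serialize($bad)));          // NULL
```

Reading a property of a __PHP_Incomplete_Class object emits a warning, so check the type before touching the result rather than relying on property access to fail.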