PHP: Filtering unserialize()
PHP 7 adds a filtering option for unserialize(): the second argument's allowed_classes key restricts which classes may be instantiated from serialized data, which guards against code injection through crafted input and makes deserialization safer.
Example
<?php
class MyClass1 {
    public $obj1prop;
}
class MyClass2 {
    public $obj2prop;
}

$obj1 = new MyClass1();
$obj1->obj1prop = 1;
$obj2 = new MyClass2();
$obj2->obj2prop = 2;

$serializedObj1 = serialize($obj1);
$serializedObj2 = serialize($obj2);

// The default behaviour accepts every class; the second argument may be omitted.
// If allowed_classes is set to false, unserialize() turns every object into a __PHP_Incomplete_Class object.
$data = unserialize($serializedObj1, ["allowed_classes" => true]);

// Turn every object into a __PHP_Incomplete_Class object except MyClass1 and MyClass2.
$data2 = unserialize($serializedObj2, ["allowed_classes" => ["MyClass1", "MyClass2"]]);

print($data->obj1prop);
print(PHP_EOL);
print($data2->obj2prop);
?>
The output of the program above is:
1
2