php upgrade - How to interpret the unserialize() change in the PHP manual's 5.5 to 5.6 migration notes
Problem description
Question
The PHP manual's migration notes from 5.5 to 5.6 describe the unserialize() change like this:
unserialize() will now fail if passed serialised data that has been manipulated to attempt to instantiate an object without calling its constructor.
My English is not very good, so I'd like to know what this means. Is it saying that the data passed in is a serialized object whose constructor was never called?
I tried the following code, but it produced no error:
<?php
class A {
}
$reClass = new ReflectionClass('A');
// Creates an instance of A without running its constructor
// (note: $b itself is never serialized below, only $reClass is)
$b = $reClass->newInstanceWithoutConstructor();
echo '<pre>';
print_r(unserialize(serialize($reClass)));
die;
Solution
This change is actually about the Serializable interface.
The 5.6 changelog entry says:
5.6.0 Manipulating the serialised data by replacing C: with O: to force object instantiation without calling the constructor will now fail.
In short, 5.6 no longer lets you rewrite C: as O: in already-serialized data to avoid calling the class's constructor.
Let's write a class to see what this means in practice. First, on PHP 5.3, a class that implements the Serializable interface:
<?php
class obj implements Serializable {
    public $data;

    public function __construct() {
        $this->data = "My private data";
    }

    // Called by serialize(); the engine wraps the result in a C: record
    public function serialize() {
        return serialize($this->data);
    }

    // Called by unserialize() only when restoring a C: record
    public function unserialize($data) {
        echo 'test';
    }
}

$test = new obj();
echo serialize($test); // prints C:3:"obj":23:{s:15:"My private data";}
var_dump(unserialize('C:3:"obj":23:{s:15:"My private data";}')); // calls the unserialize() method, prints "test"
var_dump(unserialize('O:3:"obj":1:{s:4:"data";s:15:"My private data";}')); // the unserialize() method is not called, nothing is printed by it
Next, run the same code on 5.6:
<?php
class obj implements Serializable {
    public $data;

    public function __construct() {
        $this->data = "My private data";
    }

    public function serialize() {
        return serialize($this->data);
    }

    public function unserialize($data) {
        echo 'test';
    }
}

$test = new obj();
echo serialize($test); // prints C:3:"obj":23:{s:15:"My private data";}
var_dump(unserialize('C:3:"obj":23:{s:15:"My private data";}')); // calls the unserialize() method, prints "test"
var_dump(unserialize('O:3:"obj":1:{s:4:"data";s:15:"My private data";}')); // throws a warning: PHP Warning: Erroneous data format for unserializing 'obj'
So what this update actually means is: you cannot instantiate an object while skipping its constructor by tampering with the serialized data.
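As an added example, not code from the question or the answer above, the script below shows why the C: to O: swap mattered from a security standpoint: a class that validates its state inside Serializable::unserialize() could be restored through a forged O: record that never enters that method, so on PHP versions before 5.6 its private state could be set to values the class would have rejected. The class name Settings, its role field and the accepted values are assumptions made for illustration; the pre-check function is likewise an addition, intended for code that still has to run on PHP older than 5.6.

```php
<?php
// Added example (not from the original Q&A). Settings, its "role" field
// and the allowed values are assumptions made for this illustration.

class Settings implements Serializable
{
    private $role = 'user';

    public function getRole()
    {
        return $this->role;
    }

    // serialize() wraps this return value in a C: record.
    public function serialize()
    {
        return serialize(array('role' => $this->role));
    }

    // A C: record is restored only through this method, so this is the
    // place where the class enforces its invariants.
    public function unserialize($data)
    {
        $state = @unserialize($data);
        if (!is_array($state) || !isset($state['role'])
            || !in_array($state['role'], array('user', 'admin'), true)) {
            throw new UnexpectedValueException('invalid role in serialized data');
        }
        $this->role = $state['role'];
    }
}

// What serialize() emits: C:8:"Settings":28:{a:1:{s:4:"role";s:4:"user";}}
$legit = serialize(new Settings());

// Constructed forged payload: same class, but an O: record that names the
// private property directly ("\0Settings\0role" is how PHP mangles private
// property names). Before 5.6 this yields a Settings whose role is
// 'superuser' without ever entering Settings::unserialize(); from 5.6 on
// unserialize() warns "Erroneous data format for unserializing 'Settings'"
// and returns false.
$forged = "O:8:\"Settings\":1:{s:14:\"\0Settings\0role\";s:9:\"superuser\";}";

// Restore a Settings object, or return null if the engine refused the payload.
function restoreSettings($payload)
{
    $obj = @unserialize($payload);
    return ($obj instanceof Settings) ? $obj : null;
}

// Pre-check for PHP < 5.6: an O: record can only name its class in the
// O:<len>:"<name>" header, so refusing any payload that carries such a
// header for a class implementing Serializable blocks the swap before
// unserialize() runs. The optional "+" before the length is tolerated by
// some versions; matching it only makes the check stricter.
function containsForgedObjectRecord($payload)
{
    if (!preg_match_all('/O:\+?\d+:"([^"]+)"/', $payload, $m)) {
        return false;
    }
    foreach ($m[1] as $class) {
        if (class_exists($class, false)
            && in_array('Serializable', class_implements($class), true)) {
            return true;
        }
    }
    return false;
}

$legitObj = restoreSettings($legit);
echo "legit: role=", $legitObj->getRole(), "\n";

if (containsForgedObjectRecord($forged)) {
    echo "forged: rejected by pre-check\n";
}
$forgedObj = restoreSettings($forged);
if ($forgedObj === null) {
    echo "forged: engine refused the O: record (PHP >= 5.6 behaviour)\n";
} else {
    echo "forged: role=", $forgedObj->getRole(), " (validation bypassed, PHP < 5.6)\n";
}
```

Two caveats for anyone relying on this. The 5.6 change only closes the C: to O: swap for classes that implement Serializable; it does nothing about feeding untrusted input to unserialize() in general, where O: records for other classes with magic methods remain the usual problem, so the pre-check above is a stopgap, not a substitute for keeping untrusted data out of unserialize(). Also, from PHP 8.1 on, implementing only Serializable emits a deprecation notice; add __serialize() and __unserialize() alongside it if the class must keep working on newer versions.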