|
 |
unserialize (PHP 3 >= 3.0.5, PHP 4, PHP 5) unserialize --
Creates a PHP value from a stored representation
Descriptionmixed unserialize ( string str )
unserialize() takes a single serialized
variable (see serialize()) and converts it
back into a PHP value. The converted value is returned, and can
be a boolean, integer, float,
string, array or object.
In case the passed string is not unserializeable, FALSE is returned and
E_NOTICE is issued.
Warning |
FALSE is returned both in the case of an error and if unserializing
the serialized FALSE value. This special case can be catched by
comparing str with
serialize(false) or by catching the issued
E_NOTICE.
|
unserialize_callback_func directive:
It's possible to set a callback-function which will be called,
if an undefined class should be instantiated during unserializing.
(to prevent getting an incomplete object "__PHP_Incomplete_Class".)
Use your php.ini, ini_set() or .htaccess
to define 'unserialize_callback_func'. Everytime an undefined class
should be instantiated, it'll be called. To disable this feature just
empty this setting. Also note that the directive
unserialize_callback_func directive became
available in PHP 4.2.0.
If the variable being unserialized is an object, after successfully
reconstructing the object PHP will automatically attempt to call the
__wakeup() member function (if it exists).
Example 1. unserialize_callback_func example
<?php
$serialized_object='O:1:"a":1:{s:5:"value";s:3:"100";}';
ini_set('unserialize_callback_func', 'mycallback'); function mycallback($classname)
{
}
?>
|
|
Note:
In PHP 3, methods are not preserved when unserializing a
serialized object. That limitation was removed in PHP 4 as both
properties and methods are now restored. Please see the Serializing Objects
section of Classes and
Objects or more information.
Example 2. unserialize() example
<?php
$conn = odbc_connect("webdb", "php", "chicken");
$stmt = odbc_prepare($conn, "SELECT data FROM sessions WHERE id = ?");
$sqldata = array ($PHP_AUTH_USER);
if (!odbc_execute($stmt, &$sqldata) || !odbc_fetch_into($stmt, &$tmp)) {
$session_data = array();
} else {
$session_data = unserialize($tmp[0]);
if (!is_array($session_data)) {
$session_data = array();
}
}
?>
|
|
See also serialize().
martin dot goldinger at netserver dot ch
15-Aug-2005 07:48
When you use sessions, its very important to keep the sessiondata small, due to low performance with unserialize. Every class shoud extend from this class. The result will be, that no null Values are written to the sessiondata. It will increase performance.
<?
class BaseObject
{
function __sleep()
{
$vars = (array)$this;
foreach ($vars as $key => $val)
{
if (is_null($val))
{
unset($vars[$key]);
}
}
return array_keys($vars);
}
};
?>
ungu at terong dot com
05-Feb-2005 01:20
I got the same case as yabba at the dot hut with his post
>> caveat: stripslashes!!!
In my server configutation the magic_quotes_gpc is on therefore it will automatically escape ' (single-quote), " (double quote), \ (backslash) and NUL's with a backslash.
And the stripslashes is the workaround for my case as well.
Erwin
Chris Hayes (chris at hypersites dot com)
23-Oct-2004 12:27
In reply to the earlier post about having to include object definitions *before* using unserialize. There is a workaround for this.
When an object is serialized, the first bit of the string is actually the name of the class. When an unknown object is unserialized, this is maintained as a property. So if you serialize it again, you get back the exact same string as if you'd serialized the original object. Basically, to cut to the point...
If you use
$_SESSION['my_object'] = unserialize(serialize($_SESSION['my_object']))
then you get back an object of the correct type, even if the session had originally loaded it as an object of type stdClass.
hfuecks at phppatterns dot com
09-Sep-2004 07:14
If you are accepting a serialized string from an untrusted source (e.g. generated in Javascript), you need to be careful to check that it doesn't result in "unexpected" objects being created when you unserialize it.
The following function pulls out the class names of all objects in a _valid_ serialized string. It works by first removing an serialized string values (which might contain serialized object syntax) then pulling out the class names from the remaining string. The returned value is a unique list of class names which the serialized string contains.
Note it assumes the serialized string is valid (that it will be accepted by unserialize()). There may be invalid serialized strings that could trick this function but these should fail when unserialized.
<?php
function getSerializedClassNames($string) {
$string = preg_replace('/s:[0-9]+:".*"/Us','',$string);
preg_match_all('/O:[0-9]+:"(.*)"/U', $string, $matches, PREG_PATTERN_ORDER);
return array_unique($matches[1]);
}
?>
Unit tests for a version of this function can be found at:
http://cvs.sourceforge.net/viewcvs.py/xmlrpccom
/scriptserver/tests/php/classparser.test.php?view=auto
See also the discussion here;
http://marc.theaimsgroup.com/?t=109439858700006&r=1&w=2
http://marc.theaimsgroup.com/?l=php-dev&m=109444959007776&w=2
pfister at avenir dot de
02-Sep-2004 05:25
Having had a problem with an mysql-stored serialized array which I had edited I found out that unserialize seems to have got a problem with "\r" within the string I wanted to unserialize.
It simply quits it's job with "false".
To work arround this problem I just replaced \r with "":
<?php
$serializedArray = 'a:1:{i:0;a:2:{s:4:"name";s:70:"Here comes the newline\r\nthis is the new line";s:5:"value";d:2.20;}}';
var_dump(unserialize($serializedArray)); $serializedArray = str_replace("\r", "", $serializedArray);
var_dump(unserialize($serializedArray)); ?>
eoin at joy dot ucc dot ie
17-Aug-2004 02:38
I recently found myself in need of unserializing PHP session data (stored in a database) that had expired but was not yet deleted i.e. I needed to get at the contents of the session but was unable to use the usual PHP interface. The following function takes a string of serialized session data and returns an array of PHP values. The structure of the returned array is the same as the $_SESSION array if you were using the normal interface. I haven't tested this extensively but it did the job for me.
<?php
function unserialize_session_data( $serialized_string ) {
$variables = array( );
$a = preg_split( "/(\w+)\|/", $serialized_string, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE );
for( $i = 0; $i < count( $a ); $i = $i+2 ) {
$variables[$a[$i]] = unserialize( $a[$i+1] );
}
return( $variables );
}
?>
yonman at gamer dot co dot il
30-May-2004 12:29
yabba at the dot hut:
The cookie mechanism for the webserver adds the slashes automatically. instead of just dumping strings into the cookie, make sure you base64_encode them first - to protect the cookie's content from escape characters.
Of course, this means that when retrieving the cookie, you'll need to base64_decode the string.
13-Mar-2004 01:42
If a a string is unserializeable FALSE is returned as well as an E_NOTICE error. This is odd since you may want to know if a given string converts back to a PHP value and act accordingly. If you run your script with E_ALL reporting this will show up.
I noticed this debugging this line of code:
$b = unserialize(base64_decode($a));
Curiously, base64_decode() does not throw errors if the string can't be decoded. The only workaround is to prepend the @ operator to unserialize() or to change the error level.
yabba at the dot hut
28-Jan-2004 04:09
caveat: stripslashes!!!
if using
setcookie('hubba',serialize($data));
to set a cookie, you might want to check
$data(unserialize(stripslashes($_COOKIE['hubba']));
to retrieve them back!!!
this is, if unserialize fails. you can also print_r($_COOKIE) to look into what you've got back.
beats me how the slashes got there in the first place....
Terry Johnson
09-Dec-2003 08:27
It is possible to make a neat autoloader for class definitions using this, but there are some gotchas for the unwary programmer:
1) If you are setting the unserialize_callback_func directive in the ini or .htaccess file, use auto_prepend_file to load the definition of your callback function - otherwise objects that stay in the session may trigger errors on pages where you didn't expect the object to be used.
2) It helps if you define all your classes in files with lowercase file names from the beginning. The callback function is always call with the class name in lower case, and it is a lot quicker to use that directly than make a lookup table:
function callback_func($classname) {
@include_once("${classname}.class.php");
}
3) It does not appear to be possible to use a static member fuction of a class (for example, a your object persistence layer) as the unserialize callback function, so this will cause confusion:
php_value auto_prepend_file "Persist.php"
php_value unserialize_callback_func Persist::factory
The next best solution is to make it a function in the global scope and have your object factory call it as required:
Class Persist
{
function &factory($type) {
callback_func(strtolower($type));
$classname = "${type}";
if (!class_exists($classname)) {
return PEAR::raiseError('Class Not Found',PERSIST_ERROR_CLASS_NOT_FOUND,PEAR_ERROR_RETURN);
}
@$obj =& new $classname;
return $obj;
}
...
}
aderyn at nowhere dot tld
30-Oct-2003 01:02
A quick note:
If you store a serialized object in a session, you have to include the class _before_ you initialize (session_start()) the session.
| |