PHP手册中从5.5升级到5.6 unserialize的变更是这样写的:
unserialize() will now fail if passed serialised data that has been manipulated to attempt to instantiate an object without calling its constructor.
英文比较差想知道是什么意思,传入的数据是序列化过的没有调用过constructor的对象?
我度过这样的代码,但没报错:
class A{}$reClass = new ReflectionClass('A');$b = $reClass->newInstanceWithoutConstructor();echo '<pre>';print_r(unserialize(serialize($reClass)));die;解决方案
这个问题其实是和序列化接口相关的一个修改。
5.6的更新日志里有写
5.6.0 Manipulating the serialised data by replacing C: with O: to force object instantiation without calling the constructor will now fail.
大意就是说,5.6不允许将修改已经序列化数据中的C:改为O:来避免调用类中生成器。
我们写一个类来了解这是什么意思,首先我们在PHP5.3中实现一个继承序列化接口的类
class obj implements Serializable { public $data; public function __construct() { $this->data = "My private data"; } public function serialize() { return serialize($this->data); } public function unserialize($data) { echo 'test'; }} $test = new obj();echo serialize($test);//输出C:3:"obj":23:{s:15:"My private data";}var_dump(unserialize('C:3:"obj":23:{s:15:"My private data";}'));//调用unserialize方法,输出testvar_dump(unserialize('O:3:"obj":1:{s:4:"data";s:15:"My private data";}'));//没有调用unserialize方法,没有输出接下来我们在5.6中实验相同的代码
class obj implements Serializable { public $data; public function __construct() { $this->data = "My private data"; } public function serialize() { return serialize($this->data); } public function unserialize($data) { echo 'test'; }}$test = new obj();echo serialize($test);//输出C:3:"obj":23:{s:15:"My private data";}var_dump(unserialize('C:3:"obj":23:{s:15:"My private data";}'));//调用unserialize方法,输出testvar_dump(unserialize('O:3:"obj":1:{s:4:"data";s:15:"My private data";}'));//抛出了一个Warning,PHP Warning: Erroneous data format for unserializing 'obj' 所以其实这个更新的意思就是说,不能靠修改序列化的数据,在不调用对象构造器的情况下实例化对象