
Josh Adell:
Serializing Data Like a PHP Session
May 02, 2013 @ 09:11:33

In this new post Josh Adell looks at working with PHP sessions and how you can manually encode data to look as if it came from the normal session handling.

If you have ever popped open a PHP session file, or stored session data in a database, you may have noticed that this serialization looks very similar to the serialize function's output, but it is not the same. Recently, I needed to serialize data so that it looked like PHP session data (don't ask why; I highly suggest not doing this if it can be avoided.) It turns out, PHP has a function that encodes data in this format: session_encode.

Unfortunately, this method doesn't take arguments - it just outputs the encoded version of the current session data. So, he came up with his own encode/decode methods that use the PHP session, extract the serialized string and return it.


Link: http://blog.everymansoftware.com/2013/05/serializing-data-like-php-session.html
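As an added illustration (my code, not Josh Adell's), the swap-in trick the summary describes: load the data into $_SESSION, capture session_encode(), then restore the real session. It assumes the default php session.serialize_handler and PHP 7 or later.

```php
<?php
// Added example: encode/decode arbitrary data in PHP's session format by
// temporarily swapping it into $_SESSION; the real session is put back after.
// Assumes the default "php" session.serialize_handler, which writes each
// top-level key as  name|<serialized value>  rather than serialize()'s a:N:{...}.

function encodeLikeSession(array $data): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $saved = $_SESSION;          // keep whatever the real session holds
    $_SESSION = $data;
    $encoded = session_encode(); // string, or false if encoding failed
    $_SESSION = $saved;          // restore before anything else runs
    return $encoded === false ? '' : $encoded;
}

function decodeLikeSession(string $encoded): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $saved = $_SESSION;
    $_SESSION = [];
    // session_decode() runs the same unserialization machinery as
    // unserialize(), so only feed it strings your own code produced.
    $ok = session_decode($encoded);
    $result = $ok ? $_SESSION : [];
    $_SESSION = $saved;
    return $result;
}

// constructed sample data
$data = ['user' => 'alice', 'roles' => ['admin']];

$asSession = encodeLikeSession($data);
echo "session format : ", $asSession, "\n";
echo "serialize()    : ", serialize($data), "\n";
echo decodeLikeSession($asSession) === $data ? "round-trip ok\n" : "round-trip failed\n";
```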

Pavel Shevaev's Blog:
A reliable way to serialize/unserialize objects in PHP
December 11, 2007 @ 12:09:00

Pavel Shevaev has posted his method (a reliable way) for serializing and unserializing objects in your applications:

An experienced PHP developer might be wondering why posting this topic in a blog if PHP already has universal and almost transparent tools for this job [...] The key statement here is "almost transparent" which means you have to include all class definitions before invoking unserialize or use some __autoload schema.

The whole problem is due to the fact a serialized object has no idea about its class definition except the class name (the reason behind that is absolutely valid). [...] That's why I decided to hack up, hopefully, a more universal solution to this problem.

His method wraps objects inside a "serialization container" that automagically pulls in the class definitions they need. His code for the method is included, along with some examples of its use.



Make Me Pulse Blog:
Serialize and Unserialize SimpleXML in php
September 28, 2007 @ 09:30:00

From the "Make Me Pulse" blog (of Nicolas Rajabaly & Antoine Ughetto) there's a quick example of how to use serialized values with SimpleXML:

Serialize is useful for storing or passing PHP values around without losing type and structure. But if you want to serialize a SimpleXml object, you will have a problem on unserialize with the error. [...] Replacing SimpleXMLObject with stdClass is a good idea but in this solution we lose all of the attributes, and how can we call simplexml->xpath afterwards?

The solution? Rather than serializing the SimpleXML object itself, export it as an XML string and serialize (store) that string. When the data is needed again, the process is reversed: the stored string is loaded back into a SimpleXML object, so attributes and xpath queries keep working.

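An added example, not the Make Me Pulse code, of the same idea as a small wrapper class: serialize() stores the element's XML string via __serialize(), and __unserialize() rebuilds the SimpleXMLElement so attributes and xpath() survive the round trip. It assumes PHP 7.4 or later for __serialize()/__unserialize() and typed properties.

```php
<?php
// Added example: carry a SimpleXMLElement through serialize()/unserialize()
// by persisting its markup instead of the (unserializable) object internals.
final class XmlDocument
{
    private SimpleXMLElement $xml;

    public function __construct(SimpleXMLElement $xml)
    {
        $this->xml = $xml;
    }

    public function xml(): SimpleXMLElement
    {
        return $this->xml;
    }

    // Called by serialize(): store the XML text, which keeps every attribute.
    public function __serialize(): array
    {
        return ['xml' => $this->xml->asXML()];
    }

    // Called by unserialize(): rebuild a live SimpleXMLElement from the text.
    public function __unserialize(array $data): void
    {
        $this->xml = new SimpleXMLElement($data['xml']);
    }
}

// constructed sample document
$doc = new XmlDocument(new SimpleXMLElement(
    '<items><item id="7" type="book">PHP</item><item id="8" type="dvd">XML</item></items>'
));

// Restrict unserialize() to the one class we expect to get back.
$restored = unserialize(serialize($doc), ['allowed_classes' => [XmlDocument::class]]);

// Attributes survive and xpath() works on the rebuilt element.
foreach ($restored->xml()->xpath('//item[@type="book"]') as $item) {
    echo (string) $item['id'], ': ', (string) $item, "\n";
}
```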


Hardened-PHP Project:
Advisory - PHP unserialize() Array Creation Integer Overflow
October 09, 2006 @ 13:41:22

The Hardened-PHP project has just released another advisory about core PHP functionality, specifically in the unserialize function when dealing with arrays.

The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside ecalloc() that is present in the PHP 4 branch and also for several years part of our Hardening-Patch and our new Suhosin-Patch.

It was discovered that such an integer overflow can be triggered when user input is passed to the unserialize() function.

The full advisory includes a recommendation to patch the installation as a workaround until the fix is shipped in a current PHP release.



Lukas Smith's Blog:
To serialize or to not serialize?
June 12, 2006 @ 06:01:46

In his latest post, Lukas Smith talks about serializing data - some of the pros and cons about it, as well as his experiences with it in the development of his own framework.

In my own framework I have decided that there is plenty of structured data that I will never query on that I will just stick into the database as a serialized array. Now the other day I modified the auto type handling in MDB2's quote() method to automatically serialize arrays if no type is explicitly passed to the quote() method.

I sent out a question to pear-dev@ and it was not unanimously well received. So I sat down and pondered a more elegant approach. Actually there is already one approach implemented in MDB2 for ages.

This implementation uses a separate module that abuses PHP5's overloading functionality to integrate it easily. He also looked into another solution, however: creating a "datatype map" to drive custom automatic serialization of datatypes (rather than depending only on the variable type, as before). Be sure to check out the comments for more thoughts on the subject, including validation of the custom datatypes.



Ilia Alshanetsky's Blog:
Another unserialize() abuse
March 23, 2006 @ 06:59:23

With yet another reason not to trust the users of your application (mainly the data they send you), Ilia Alshanetsky has details on an issue that could be caused by the unserialize() function in PHP.

While talking with PHP developers this morning I thought of another way unverified serialized strings could be abused. This exploit can only affect PHP 5 installs though, but given the growing market share of PHP 5 it is certainly something worth noting.

As you may know classes in PHP are allowed to implement a magic method called __wakeup() that contains operations that are to be performed when a class is deserialized. Some native classes like PDO implement this function with a goal of preventing database serialization and throw an error when it is used.

He uses an example with PDO and a serialized string of a "supposed PDO object" to illustrate how, without proper handling of the input, passing it to unserialize() leads to a fatal error in the script. If display_errors is still enabled, the end result of that fatal error could be that somewhat sensitive information is displayed to the viewer.



SitePoint PHP Blog:
Unserialize Yahoo! search results
February 23, 2006 @ 07:17:43

With the announcement of the new Yahoo! PHP Development Center, there's been a lot of buzz around the PHP community, including this new post from Harry Fuecks over on the SitePoint PHP Blog today.

Via John Cox, Yahoo! have opened up a PHP Development Center for their search APIs and, more interestingly, have started exposing their search data as serialized PHP strings. That's "serialized" as in the serialize function.

This is very cool but I think a little caution is needed when using it, given that it wasn't designed to be a wire format but rather for local storage of PHP data, within a trusted environment.

In the rest of the post he looks at a few different topics: whether it's inherently safe to use, a quick look at character encoding, and an example of how to use the service with the PEAR::HTTP_Request package.

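An added example (not from Ilia Alshanetsky's or Harry Fuecks' posts) covering both entries: decoding a serialized string that came from a client or a remote API with unserialize()'s allowed_classes option (PHP 7.0+), so a forged "supposed PDO object" can neither run PDO's __wakeup() nor produce an error page, and the result is checked against the shape the code expects. The ResultSet key and both sample strings are constructed for the demonstration.

```php
<?php
// Added example: consume a serialized PHP string that arrived over the wire
// (as the Yahoo! API exposed) or from any client without letting it
// instantiate objects or trigger their __wakeup(). Requires PHP >= 7.0.

function decodeUntrusted(string $payload): ?array
{
    // allowed_classes => false turns every O:...: record into a
    // __PHP_Incomplete_Class, so no user-land or native __wakeup() runs.
    // The @ silences the notice unserialize() emits on malformed input.
    $value = @unserialize($payload, ['allowed_classes' => false]);

    // Accept only the shape we expect: a plain array carrying a ResultSet.
    if (!is_array($value) || !array_key_exists('ResultSet', $value)) {
        return null;
    }
    return $value;
}

// constructed samples
$legit  = 'a:1:{s:9:"ResultSet";a:2:{s:5:"total";i:2;s:6:"Result";a:0:{}}}';
$forged = 'O:3:"PDO":0:{}';   // the "supposed PDO object" from Ilia's post

$result = decodeUntrusted($legit);
echo $result !== null ? "accepted: total=" . $result['ResultSet']['total'] . "\n" : "rejected\n";

// The forged object is rejected by the shape check, and nothing was executed
// on its behalf: the incomplete class has no __wakeup().
echo decodeUntrusted($forged) === null ? "forged payload rejected quietly\n" : "unexpected\n";

// Contrast: plain unserialize() builds a real PDO whose __wakeup() refuses the
// restore; that surfaces as an exception (a fatal error if left uncaught,
// which with display_errors on ends up in the page).
try {
    unserialize($forged);
} catch (Throwable $e) {
    echo "plain unserialize(): ", get_class($e), ": ", $e->getMessage(), "\n";
}
```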


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework