<?php
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = unserialize($string);
var_dump($result);
/*
object(__PHP_Incomplete_Class)[1]
  public '__PHP_Incomplete_Class_Name' => string 'Foobar' (length=6)
  public 'foo' => string '1' (length=1)
  public 'bar' => string '2' (length=1)
*/
?>
When deserializing an object whose class definition does not exist, PHP falls back to the concept of an incomplete class, namely __PHP_Incomplete_Class. Although deserialization succeeds, you still cannot access the data in the object; if you try, the following error message is displayed: The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition. This is not difficult to work around: you only need a forced type conversion that turns the object into an array:
<?php
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = (array) unserialize($string);
var_dump($result);
/*
array
  '__PHP_Incomplete_Class_Name' => string 'Foobar' (length=6)
  'foo' => string '1' (length=1)
  'bar' => string '2' (length=1)
*/
?>
However, if the system has autoload enabled, the situation becomes more complex. By the way, PHP also provides a configuration option named unserialize_callback_func, which serves a purpose similar to autoload; we will not cover it here. Let's talk about autoload, for example:
<?php
// The autoloader only prints the class name it is asked to load.
spl_autoload_register(function ($name) {
    var_dump($name);
});
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = (array) unserialize($string);
var_dump($result);
?>
Execute the above code and you will find that the function registered with spl_autoload_register is triggered, which makes sense most of the time. However, if that function is improperly defined, things go badly. For example, the following code:
<?php
// The autoloader includes a file named after whatever class is requested.
spl_autoload_register(function ($name) {
    include "/path/to/{$name}.php";
});
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = (array) unserialize($string);
var_dump($result);
?>
Undoubtedly, an error is reported because the class definition file cannot be found! The fix is to modify the function registered with spl_autoload_register, but only if you are in a position to modify it. If it belongs to third-party code, we cannot change it on our own authority. In that case we need a way to let unserialize bypass autoload, and the simplest method is to define the FAKE class we need:
<?php
spl_autoload_register(function ($name) {
    include "/path/to/{$name}.php";
});
class Foobar {} // Oh, Shit!
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = (array) unserialize($string);
var_dump($result);
?>
I have to say that the above code is really rubbish. Here is another version:
<?php
spl_autoload_register(function ($name) {
    include "/path/to/{$name}.php";
});
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
// Temporarily unregister every autoloader so unserialize cannot trigger them.
$functions = spl_autoload_functions();
foreach ($functions as $function) {
    spl_autoload_unregister($function);
}
$result = (array) unserialize($string);
// Restore the autoloaders in their original order.
foreach ($functions as $function) {
    spl_autoload_register($function);
}
var_dump($result);
?>
Although there is a little more code, at least there is no FAKE class, so it looks more comfortable.
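On PHP 7.0 and later, unserialize() accepts an options array, and passing 'allowed_classes' => false makes every object in the payload an __PHP_Incomplete_Class without consulting any autoloader, so the class name in the string never reaches an include. The following is an added example, not code from the original article; safe_unserialize() and incomplete_to_array() are hypothetical helper names, and the payload (including the nested Baz object) is constructed for the demo.

```php
<?php
// Added example (hypothetical helpers, not from the original article). Requires PHP 7.0+.

// Recursively turn __PHP_Incomplete_Class instances into plain arrays,
// because a single (array) cast only converts the outermost object.
function incomplete_to_array($value)
{
    if ($value instanceof __PHP_Incomplete_Class) {
        $value = (array) $value;
    }
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = incomplete_to_array($item);
        }
    }
    return $value;
}

function safe_unserialize(string $payload)
{
    // allowed_classes => false: no class from the payload is instantiated
    // and no autoloader is called for it.
    $result = @unserialize($payload, ['allowed_classes' => false]);
    // unserialize() returns false on failure; tell that apart from a real false.
    if ($result === false && $payload !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized data');
    }
    return incomplete_to_array($result);
}

// Demo autoloader: records each class name it is asked to load instead of
// including a file, so the effect of allowed_classes can be observed.
$autoloadCalls = [];
spl_autoload_register(function ($name) use (&$autoloadCalls) {
    $autoloadCalls[] = $name;
});

// Constructed payload: the article's Foobar object with a nested Baz object.
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";O:3:"Baz":1:{s:1:"x";i:7;}}';

var_dump(safe_unserialize($string)); // nested arrays, no objects left
var_dump($autoloadCalls);            // class names the autoloader was asked for
?>
```

Non-public properties appear in the resulting arrays under PHP's mangled keys (prefixed with a NUL byte and the class name or `*`), so strip or map those keys before using them.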