Unserialize and Autoload
Any qualified PHP programmer should know unserialize and autoload, but I am afraid not many people clearly understand the relationship between the two.
For example, suppose we obtain serialized data from a third party but have no corresponding class definition:
<?php
// Serialized object of class "Foobar", which is not defined in this script
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = unserialize($string);
var_dump($result);
/*
object(__PHP_Incomplete_Class)[1]
  public '__PHP_Incomplete_Class_Name' => string 'foobar' (length=6)
  public 'foo' => string '1' (length=1)
  public 'bar' => string '2' (length=1)
*/
?>
When we deserialize an object whose class definition does not exist, PHP substitutes an incomplete class, __PHP_Incomplete_Class. Although deserialization succeeds, you still cannot access the data in the object; trying to do so produces the following error message:
The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition.
This is not difficult to work around. You only need to cast the result to an array:
<?php
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
// Casting the incomplete object to an array makes its properties readable
$result = (array) unserialize($string);
var_dump($result);
/*
array
  '__PHP_Incomplete_Class_Name' => string 'foobar' (length=6)
  'foo' => string '1' (length=1)
  'bar' => string '2' (length=1)
*/
?>
However, if the system has autoload enabled, the situation becomes more complex. By the way, PHP also provides a configuration option named unserialize_callback_func, which serves a purpose similar to autoload; we will not cover it here. Let's talk about autoload, for example:
<?php
// Autoloader that only prints the class name it is asked to load
spl_autoload_register(function ($name) {
    var_dump($name);
});
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = (array) unserialize($string);
var_dump($result);
?>
Execute the above code and you will find that the function registered with spl_autoload_register is triggered, with the class name taken from the serialized string. This makes sense most of the time. However, if the autoload function is improperly defined, the result is miserable. For example, the following code:
<?php
// Improperly defined autoloader: includes the file without checking that it exists
spl_autoload_register(function ($name) {
    include "/path/to/{$name}.php";
});
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = (array) unserialize($string);
var_dump($result);
?>
Undoubtedly, an error is reported because the class definition file cannot be found! The fix is to change the autoload function, but the premise is that you are able to change it. If it belongs to third-party code, we cannot modify it on our own authority. In this case, we need a way to let unserialize bypass autoload. The simplest method is to define the FAKE class we need:
<?php
spl_autoload_register(function ($name) {
    include "/path/to/{$name}.php";
});
class Foobar {} // Oh, Shit!
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = (array) unserialize($string);
var_dump($result);
?>
I have to say that the above code is really shit! How can this problem be solved? I wrote a rough implementation:
<?php
spl_autoload_register(function ($name) {
    include "/path/to/{$name}.php";
});
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
// Remember the registered autoloaders, then unregister all of them
$functions = spl_autoload_functions();
foreach ($functions as $function) {
    spl_autoload_unregister($function);
}
// With no autoloader registered, unserialize yields an incomplete object
$result = (array) unserialize($string);
// Put the autoloaders back in their original order
foreach ($functions as $function) {
    spl_autoload_register($function);
}
var_dump($result);
?>
Although there is a little more code, at least there is no FAKE class, and it looks much more comfortable.
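On PHP 7.0 and later, the `allowed_classes` option of unserialize() reaches the same result without touching the autoload stack, which matters when the serialized string comes from a third party and therefore chooses the class name passed to the autoloader. The following is an added example, not code from the original article; the helper names `readUntrusted()` and `flatten()`, the `$calls` log and the sample payload are constructed for illustration.

```php
<?php
// Added example; readUntrusted(), flatten() and $calls are hypothetical names.
// Constructed sample payload: an object whose class is not defined here.
$payload = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';

// Recording autoloader: a real one would map $name to a file and include it.
$calls = [];
spl_autoload_register(function ($name) use (&$calls) {
    $calls[] = $name;
});

// Turn incomplete objects into arrays, recursing into nested values.
function flatten($value)
{
    if ($value instanceof __PHP_Incomplete_Class) {
        $value = (array) $value;
    }
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = flatten($item);
        }
    }
    return $value;
}

// Decode serialized data from an untrusted source without loading any class.
function readUntrusted($data)
{
    // allowed_classes => false (PHP 7.0+): every object becomes
    // __PHP_Incomplete_Class, so no autoloader, __wakeup() or __destruct()
    // of an application class can run.
    $value = unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return flatten($value);
}

// Default call: the autoloader is consulted for the class named in the payload.
$default = (array) unserialize($payload);
$seenByDefault = $calls;

// Restricted call: the autoloader log stays empty.
$calls = [];
$safe = readUntrusted($payload);

var_dump($seenByDefault, $calls, $safe);
```

Comparing `$seenByDefault` with `$calls` after the restricted call shows which class names reached the autoloader in each mode.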