Any qualified PHP programmer should know Unserialize and Autoload, but when it comes to the relationship between the two, I'm afraid not many people know it clearly.
For example, suppose we can get the third-party serialized data, but there is no corresponding class definition. The code is as follows:
php
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = unserialize($string);
var_dump($result);
/*
object(__PHP_Incomplete_Class)[1]
public '__PHP_Incomplete_Class_Name' => string 'Foobar' (length=6)
public 'foo' => string '1' (length=1)
public 'bar' => string '2' (length=1)
*/
? >When we deserialize an object, if the class definition of the object does not exist, then PHP will introduce the concept of an incomplete class, namely: __PHP_Incomplete_Class. At this time, although we deserialize successfully, we still cannot access the object. data, otherwise the following error message will appear:
The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition.
This is not a difficult task, just do a forced type conversion and it will be converted into an array:
php
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = (array)unserialize($string);
var_dump($result);
/*
array
'__PHP_Incomplete_Class_Name' => string 'Foobar' (length=6)
'foo' => string '1' (length=1)
'bar' => string '2' (length=1)
*/
? >
However, if the system activates Autoload, the situation will become more complicated. By the way: PHP actually provides a configuration option called unserialize_callback_func, but its meaning is similar to autoload. I won’t introduce it here. Let’s just talk about autoload. The example is as follows:
php
spl_autoload_register(function($name) {
var_dump($name);
});
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = (array)unserialize($string);
var_dump($result);
? >When you execute the above code, you will find that spl_autoload_register is triggered. Most of the time this makes sense, but if you encounter an improperly defined spl_autoload_register, it will be tragic. For example, the following code:
php
spl_autoload_register(function($name) {
include “/path/to/{$name}.php”;
});
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = (array)unserialize($string);
var_dump($result);
? >
There is no doubt that an error was reported because the class definition file could not be found! It is definitely possible to change spl_autoload_register, but the premise is that you can change it. If third-party code is involved, we cannot make the decision without authorization. At this time, we need a way to allow unserialize to bypass autoload. The simplest way is to add the class we need FAKE out:
php
spl_autoload_register(function($name) {
include “/path/to/{$name}.php”;
});
class Foobar {} // Oh, Shit!
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$result = (array)unserialize($string);
var_dump($result);
? >I have to say, the above code is really bullshit! So what should we do? I roughly wrote an implementation:
php
spl_autoload_register(function($name) {
include “/path/to/{$name}.php”;
});
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}';
$functions = spl_autoload_functions();
foreach ($functions as $function) {
spl_autoload_unregister($function);
}
$result = (array)unserialize($string);
foreach ($functions as $function) {
spl_autoload_register($function);
}
var_dump($result);
? >Although there is a bit more code, at least there is no FAKE class and it looks much more comfortable.