Unserialize and Autoload in php

$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3: "bar";s:1:"2";}';
$result = unserialize($string);
var_dump($result);
/*
object(__PHP_Incomplete_Class)[ 1]
public '__PHP_Incomplete_Class_Name' => string 'Foobar' (length=6)
public 'foo' => string '1' (length=1)
public 'bar' => string '2' (length =1)
*/
?>

When deserializing an object, if the object’s class definition does not exist, then PHP will introduce an unfinished class Concept, namely: __PHP_Incomplete_Class. Although we have successfully deserialized at this time, we still cannot access the data in the object, otherwise the following error message will appear: The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition.

This is not difficult, just do a forced type conversion and turn it into an array:

$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3 :"bar";s:1:"2";}';
$result = (array)unserialize($string);
var_dump($result);
/*
array
'__PHP_Incomplete_Class_Name' => string 'Foobar' (length=6)
'foo' => string '1' (length=1)
'bar' => string '2' (length=1)
* /
?>

But if the system has Autoload activated, the situation will become more complicated. By the way: PHP actually provides a configuration option called unserialize_callback_func, but its meaning is similar to autoload. I won’t introduce it here. Let’s just talk about autoload. The example is as follows:

spl_autoload_register(function($name) {
var_dump($name);
});
$string = 'O:6:"Foobar":2:{s:3: "foo"; s: 1: "1"; s: 3: "bar"; s: 1: "2"; }';
$result = (array)unserialize($string);
var_dump($result) ;
?>

Execute the above code and you will find that spl_autoload_register is triggered. Most of the time this makes sense, but if you encounter an improperly defined spl_autoload_register, it will be tragic, such as the following This code:

spl_autoload_register(function($name) {
include "/path/to/{$name}.php";
});
$string = 'O:6:"Foobar ": 2: {s: 3: "foo"; s: 1: "1"; s: 3: "bar"; s: 1: "2"; }';
$result = (array)unserialize($ string);
var_dump($result);
?>

No doubt, because the class definition file cannot be found, an error is reported! It is definitely possible to change spl_autoload_register, but the premise is that you can change it. If third-party code is involved, we cannot make the decision without authorization. At this time, we need a way to allow unserialize to bypass autoload. The simplest way is to add the class we need FAKE out:

spl_autoload_register(function($name) {
include “/path/to/{$name}.php”;
});
class Foobar {} // Oh, Shit!
$string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2";}' ;
$result = (array)unserialize($string);
var_dump($result);
?>

I have to say that the above code is really rubbish. To provide you with one person I wrote:

spl_autoload_register(function($name) {
include “/path/to/{$name}.php”;
});
 $string = 'O:6:"Foobar":2:{s:3:"foo";s:1:"1";s:3:"bar";s:1:"2" ;}';
$functions = spl_autoload_functions();
foreach ($functions as $function) {
 spl_autoload_unregister($function);
}
$result = (array)unserialize($ string);
foreach ($functions as $function) {
 spl_autoload_register($function);
}
var_dump($result);
?>

Although there is a bit more code, at least there is no FAKE class, which makes it look more comfortable.