Detailed explanation of PHP serialization and deserialization principles

This article mainly shares with you the relevant knowledge of PHP serialization and deserialization principles in the PHP deserialization vulnerability series. Friends who need this can refer to it. Hope it helps everyone.

Preface

The serialization and deserialization functions of objects will not be described in detail. The result of serialization in PHP is a PHP-customized string. The format is somewhat similar to json.

We need to solve several problems when designing the serialization and deserialization of objects in any language

After serializing an object, the serialization result It has a self-describing function (knowing the specific type of this object from the serialization result.

Knowing the type is not enough, of course you also need to know the specific value corresponding to this type).

Permission control during serialization, you can customize serialization fields, etc., for example, it is very convenient to do it in golang.

Time performance issues: In some performance-sensitive scenarios Under this circumstance, object serialization cannot be a hindrance, for example: high-performance services (I often use protobuf to serialize).

Space performance issues: The result after serialization cannot be too long, such as a Int object, after serialization, the data length becomes 10 times the length of int, then there is a problem with this serialization algorithm.

This article only explains the serialization and reverse in PHP from the perspective of PHP code. The process of serialization. Remember that serialization and deserialization only operate on object data. Anyone with experience in object-oriented development should easily understand this.

1. Serialize And the deserialization method unserialize

php natively provides object serialization function, unlike c++...^_^. It is also very simple to use, just two interfaces.

class fobnn
{
 public $hack_id;
 private $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  echo $this->hack_name.PHP_EOL;
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj); //通过serialize接口序列化
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);//通过unserialize反序列化
$toobj->print();

fobnn
O:5:"fobnn":2:{s:7:"hack_id";i:1;s:16:"fobnnhack_name";s:5:"fobnn";}
fobnn

See the second line of output. This string is the result of serialization. This structure is actually very easy to understand. You can find It is mapped by object name/member name. Of course, the label names after serialization of members with different access rights are slightly different.

According to the three questions I mentioned above, then we can take a look

1. Self-describing function

O:5:"fobnn":2 where o represents the object type, and the type name is fobnn. In this format, the following 2 represents the 2 member objects.

Regarding member objects, it is actually the same set of sub-descriptions. This is a recursive definition.

The self-describing function mainly records the names of objects and members through strings. Implementation.

2. Performance issues

The time performance of PHP serialization will not be analyzed in this article. See the details later, but the serialization result is actually similar to the protocol defined by json/bson, with protocol headers. , the protocol header describes the type, and the protocol body describes the value corresponding to the type, and the serialization result will not be compressed.

2. Magic method in deserialization

Corresponding to the second problem mentioned above, there are actually solutions in PHP. One is through magic method, and the second is through custom serialization function. Let’s first introduce the magic method __sleep and __wakeup

##

class fobnn
{
 public $hack_id;
 private $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  echo $this->hack_name.PHP_EOL;
 }
 public function __sleep()
 {
  return array("hack_name");
 }
 public function __wakeup()
 {
  $this->hack_name = 'haha';
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj);
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);
$toobj->print();

fobnn
O:5:"fobnn":1:{s:16:"fobnnhack_name";s:5:"fobnn";}
haha

will call __sleep first before serialization and return an array of member names that need to be serialized. In this way, we can control the data that needs to be serialized. In the case, I only returned hack_name. You can see that only the hack_name member is serialized in the result.

After the serialization is completed, __wakeup will be used. Here we can do some follow-up work, such as reconnecting to the database.

3. Customize the Serializable interface

interface Serializable {
abstract public string serialize ( void )
abstract public void unserialize ( string $serialized )
}

Through this interface we can customize the behavior of serialization and deserialization. This function can mainly be used to customize our serialization format.

class fobnn implements Serializable
{
 public $hack_id;
 private $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  echo $this->hack_name.PHP_EOL;
 }

 public function __sleep()
 {
  return array('hack_name');
 }

 public function __wakeup()
 {
  $this->hack_name = 'haha';
 }

 public function serialize()
 {
  return json_encode(array('id' => $this->hack_id ,'name'=>$this->hack_name ));
 }

 public function unserialize($var)
 {
  $array = json_decode($var,true);
  $this->hack_name = $array['name'];
  $this->hack_id = $array['id'];
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj);
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);
$toobj->print();

fobnn
C:5:"fobnn":23:{{"id":1,"name":"fobnn"}}
fobnn

After using the custom serialization interface, our magic method is useless.

4.PHP dynamic type and PHP deserialization

Since the self-describing function mentioned above, the object type is saved in the serialization result, and PHP is a dynamic type language, then we can do a simple experiment.

class fobnn
{
 public $hack_id;
 public $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  var_dump($this->hack_name);
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj);
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);
$toobj->print();
$toobj2 = unserialize("O:5:\"fobnn\":2:{s:7:\"hack_id\";i:1;s:9:\"hack_name\";i:12345;}");
$toobj2->print();

We modify the deserialization result of hack_name to int type, i:12345

##

string(5) "fobnn"
O:5:"fobnn":2:{s:7:"hack_id";i:1;s:9:"hack_name";s:5:"fobnn";}
string(5) "fobnn"
int(12345)

It can be found that the object is successfully serialized back !And it can work normally!. Of course, this mechanism of PHP provides flexible and changeable syntax, but it also introduces security risks. We will continue to analyze the security issues caused by PHP serialization and deserialization features.

Related recommendations:

jQuery form serialization example code example sharing

jQuery serialized form value conversion into Json example explanation

Detailed explanation of PHP’s session deserialization vulnerability

The above is the detailed content of Detailed explanation of PHP serialization and deserialization principles. For more information, please follow other related articles on the PHP Chinese website!