douxuexiao1748
2010-03-03 21:42

Why do objects turn into strings when other, unrelated objects are serialized?

The server at my old employer was rooted this past weekend, and apparently the server provider made changes to the server which are affecting the PHP code.

The issue that has arisen is related to serializing objects. The objects being serialized, and other objects not being serialized, are being converted to strings thus breaking the code. This code worked before the server was hacked.

Here is what is happening:

$plate = new Plate();
$plate2 = clone $plate;
gettype($plate); // Prints "object"
gettype($plate2); // Prints "object"

$_SESSION['plate'] = serialize($plate);

gettype($plate); // Prints "string"
gettype($plate2); // Prints "string"


$plate = new Plate();
$plate2 = new Plate();
gettype($plate); // Prints "object"
gettype($plate2); // Prints "object"

$_SESSION['plate'] = serialize($plate);

gettype($plate); // Prints "string"
gettype($plate2); // Prints "string"

As you can see the objects, even those not being serialized, are being converted to strings. Any insights?

EDIT: They are running PHP 5.2.12 with register globals on.


1 answer

  • dtye7921 2010-03-03 21:57
    Accepted

    Update: I can reproduce half of your test case on PHP 5.3.1 but only if I have register_globals set to On:

    session_start(); // obviously
    
    class Plate  // to have something on my plate
     {
    
        var $Member1;
        var $Member2;
    
     }
    
    $plate = new Plate();
    $plate2 = clone $plate;
    echo gettype($plate); // Prints "object"
    echo gettype($plate2); // Prints "object"
    
    $_SESSION['plate'] = serialize($plate);
    
    echo gettype($plate); // Prints "string"
    echo gettype($plate2); // Prints "object", unlike in your example
    
    $plate = new Plate();
    $plate2 = new Plate();
    echo gettype($plate); // Prints "object"
    echo gettype($plate2); // Prints "object"
    $_SESSION['plate'] = serialize($plate);
    
    echo gettype($plate); // Prints "string"
    echo gettype($plate2); // Prints "object", unlike in your example
    

    $plate2 always remains untouched for me. Maybe you have a funny $plate2 = &something reference somewhere? Is this actual code? What does my code snippet do on your system?

    I think the buggy part has to do with that $_SESSION bug (or side-effect) that treats uninitialized variables in $_SESSION as global variables. See this SO question. Changing the name of the session variable to something else will remedy this.

    $_SESSION['session_plate'] = serialize($plate);  // $plate will remain unharmed
    

    If setting register_globals to On was the change the provider made, then you should also go beat up your provider.

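A way to audit for the name collision discussed in the answer above, as an added example that is not part of the original question or answer. The function names and the sample data are assumptions made for illustration; the sample arrays are constructed to mirror the `plate` / `session_plate` keys on this page.

```php
<?php
// Added example (not from the original thread): report whether register_globals
// is active and which session keys share a name with a global variable.
// Function names below are hypothetical.

// True when register_globals is active. The directive was removed in PHP 5.4,
// where ini_get() returns false for it, so this then reports false.
function register_globals_enabled()
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Session keys that share a name with a global variable. Per the answer above,
// with register_globals on, writing $_SESSION['plate'] also changed $plate.
function session_global_collisions(array $session, array $globals)
{
    $skip = array('GLOBALS', '_SESSION', '_GET', '_POST', '_COOKIE',
                  '_FILES', '_SERVER', '_ENV', '_REQUEST');
    $hits = array();
    foreach (array_keys($session) as $key) {
        if (!in_array($key, $skip, true) && array_key_exists($key, $globals)) {
            $hits[] = $key;
        }
    }
    return $hits;
}

// Constructed sample state: globals named as in the question, one session key
// that collides ('plate') and the renamed key from the answer ('session_plate').
$sampleGlobals = array('plate' => new stdClass(), 'plate2' => new stdClass());
$sampleSession = array(
    'plate'         => 'O:5:"Plate":0:{}',
    'session_plate' => 'O:5:"Plate":0:{}',
);

$collisions = session_global_collisions($sampleSession, $sampleGlobals);
echo 'register_globals: ', register_globals_enabled() ? 'on' : 'off', "\n";
echo 'colliding session keys: ', implode(', ', $collisions), "\n";
```

In a real script the same check can be run against `$_SESSION` and `$GLOBALS` after `session_start()`; any key it reports is a candidate for renaming as the answer suggests.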
