Comments on: unserialize Yahoo! search results

By: Mindy Moore

Mindy Moore — Wed, 11 Oct 2006 22:35:07 +0000

How do you think. If I quit using internet… No, CAN I quit?

By: Junior Lee

Junior Lee — Tue, 26 Sep 2006 15:40:02 +0000

Thank you very very very much. Wish you luck and mercy from all the creatures around the world.

By: Kugel Margo

Kugel Margo — Thu, 21 Sep 2006 03:02:15 +0000

Very many thanks for a good work. Nice and useful. Like it!

By: Kleon Indig

Kleon Indig — Tue, 29 Aug 2006 00:17:41 +0000

I would like to wish you much luck. And a lot of money. Thank you.

By: Griph Knight

Griph Knight — Mon, 28 Aug 2006 05:09:15 +0000

Congratulations on a great web site. I am a new computer user and finding you was like coming home. Continued success.

By: Triphon Klevon

Triphon Klevon — Wed, 26 Jul 2006 19:34:09 +0000

Very many thanks for a good work. Nice and useful. Like it!

By: Anonymous

Anonymous — Mon, 27 Feb 2006 10:45:52 +0000

Has anyone already pointed out to those Yahoo guys, that “text/php” is a seldom dopey mime type for this type of more or less program-dependent and almost binary data?

By: MrGierer’s World » Blog Archive » Yahoo! PHP Developer Center

MrGierer’s World » Blog Archive » Yahoo! PHP Developer Center — Fri, 24 Feb 2006 08:33:33 +0000

[...] One interesting article is the use of Yahoo web service which return serialized PHP structures instead of XML. This make the handling of the returned data easy as calling the unserialize function. But before jumping up and down, make sure you read the possible down-sides of this. [...]

By: Rhyll > PHP Blog > Yahoo! - PHP Developer Center

Rhyll > PHP Blog > Yahoo! - PHP Developer Center — Thu, 23 Feb 2006 20:18:31 +0000

[...] UPDATE Thu 23 Feb 2006 @ 12:25pm: Harry Fuecks has some additional details about detailing with serialized PHP over at SitePoint. [...]

By: HarryF

HarryF — Thu, 23 Feb 2006 18:34:05 +0000

Although I agree there may be some security risks, object constructors are not called on unserialize. The primary reason being that constructors can have arguments, which the serializer would not know what to do with.

You’re right – trying again don’t know where I got that one from – one of those old assuptions I haven’t thougt about for a long time.

It’s the __wakeup function (if it exists) that get’s called when unserializing. Will do an update to the entry soon. In PHP5 you also have the destructor though, when the object goes out of scope or the script ends/

This is low risk but all the same, I personally don’t like the idea of unexpected code being executed and it costs almost nothing to protect yourself.

Good point on JSON also. At the same time, there’s only so much damage you can cause with a browser and eval() – main danger is probably session hijacking and similar. On a server there’s much more dangerous functionality around.