API returns serialized php object

Just came across something interesting.
This is the first time I see an API that offers a serialized php object as one of the possible formats in which it returns data.

Here:
http://help.tweetmeme.com/2009/04/07/api-documentation/

How would you use this data?
I don’t think calling unserialize($string) will create an object.
You need to have a class, but where is it?

Can anyone offer any use cases?


<?php
$strData = 'a:2:{s:6:"status";s:7:"success";s:5:"story";a:8:{s:5:"title";s:38:"Tweetmeme - Hottest Stories on Twitter";s:3:"url";s:25:"http://www.tweetmeme.com/";s:10:"media_type";s:4:"news";s:10:"created_at";s:19:"2009-02-19 13:06:36";s:9:"url_count";i:3141;s:7:"tm_link";s:35:"http://tweetmeme.com/story/26054116";s:13:"comment_count";i:115;s:7:"excerpt";s:73:"RT @tweetmeme Tweetmeme - Hottest Stories on Twitter http://bit.ly/151Dl1";}}';
$arrData = unserialize($strData);

// Pass true so print_r() returns the dump instead of printing it and echoing a stray "1"
echo '<pre>',print_r($arrData, true),'</pre>';
echo '<p>',$arrData['story']['title'],'</p>';
?>

I get it now. It’s just an array. They call it serialized php object, but it’s just a serialized array. Not bad, I’ve never seen APIs that return pure raw php data, but why not - JSON is just a pure javascript object, so why not return php.

Looks like a good idea.

I’d fear unserializing untrusted data. unserialize() can have side effects. They have the power to make you create objects, and objects can have behavior. __wakeup(), and the other functions that might get executed if the class is undefined. Not to mention the possible errors that can result.
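
The concern raised in the last post, as an added example (not code from the thread or from the API provider): a plain unserialize() call runs __wakeup() on any loaded class named in the payload, while a decoder that passes allowed_classes => false and rejects leftover objects accepts only arrays and scalars. CacheFile and decodeApiResponse() are hypothetical names, both payloads are constructed, and PHP 7.0+ is assumed for the allowed_classes option.

```php
<?php
// Hypothetical class standing in for any class the consuming application has loaded.
class CacheFile
{
    public $path = '/tmp/constructed-example';

    public function __wakeup()
    {
        // Runs automatically whenever unserialize() rebuilds an instance.
        echo "__wakeup() ran for {$this->path}\n";
    }
}

// Hypothetical helper: decode an API response, accepting only arrays and scalars.
function decodeApiResponse(string $raw): array
{
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no magic method of a real class runs.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('response is not a serialized array');
    }
    array_walk_recursive($data, function ($value) {
        // The instanceof check covers PHP < 7.2, where is_object() is false here.
        if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('response contains a serialized object');
        }
    });
    return $data;
}

// Constructed samples: the documented array shape, and one carrying an object.
$expected   = 'a:2:{s:6:"status";s:7:"success";s:5:"story";a:1:{s:9:"url_count";i:3141;}}';
$unexpected = 'a:1:{s:5:"story";O:9:"CacheFile":1:{s:4:"path";s:9:"/tmp/demo";}}';

print_r(decodeApiResponse($expected));

// Plain call on the second sample: __wakeup() runs as a side effect of decoding.
unserialize($unexpected);

try {
    decodeApiResponse($unexpected);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```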