Unserialization in php7

I am trying to use the unserialize function with the second param that was introduced in php7 (http://www.php.net/manual/en/function.unserialize.php).
However, it looks like php generates an error saying the second param should be an array and not a bool value: https://3v4l.org/9PhpO
Does anyone have any idea why this behaviour occurs?

The second parameter should be an array:-

Any options to be provided to unserialize(), as an associative array.

If you want true then try leaving it out:-

Omitting this option is the same as defining it as TRUE: PHP will attempt to instantiate objects of any class.

That documentation page is a bit unclear though. It does say that the second parameter is an array, but when expanding on the description it says it can be an array, or TRUE, or FALSE. And the initial description on this page (https://wiki.php.net/rfc/secure_unserialize) seems to suggest the same thing. However, if you read further down that page, the author suggests they have re-thought the second parameter.

// this will unserialize everything as before
$data = unserialize($foo);
// this will convert all objects into __PHP_Incomplete_Class object
$data = unserialize($foo, ["allowed_classes" => false]);
// this will convert all objects except ones of MyClass and MyClass2 into __PHP_Incomplete_Class object
$data = unserialize($foo, ["allowed_classes" => ["MyClass", "MyClass2"]]);
// accept all classes as in default
$data = unserialize($foo, ["allowed_classes" => true]);
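The following is an added, runnable example (not code from the original post) showing what each form of the second argument does to one and the same serialized payload, including the bool the question tried to pass. `MyClass`, `describe()` and the payload are constructed for illustration.

```php
<?php
// Added example, not from the original thread: how allowed_classes changes
// what unserialize() returns for the same payload (PHP >= 7.0).
// MyClass, describe() and $payload are constructed for illustration.

class MyClass
{
    public $name = 'demo';
}

// Report what kind of value unserialize() produced.
function describe($value): string
{
    if ($value instanceof __PHP_Incomplete_Class) {
        // The array cast reads the refused class name without triggering
        // the "incomplete object" notice that property access would raise.
        $name = ((array) $value)['__PHP_Incomplete_Class_Name'];
        return 'incomplete (' . $name . ')';
    }
    return is_object($value) ? get_class($value) : gettype($value);
}

// A serialized object, e.g. as read back from a cookie or a cache entry.
$payload = serialize(new MyClass());

// What the question tried: a bool instead of an options array. PHP 7 emits
// a warning and returns NULL; PHP 8 throws a TypeError. Neither honours it.
try {
    echo 'bool option : ', describe(unserialize($payload, true)), PHP_EOL;
} catch (TypeError $e) {
    echo 'bool option : TypeError: ', $e->getMessage(), PHP_EOL;
}

// allowed_classes => false: every object becomes __PHP_Incomplete_Class, so
// no __wakeup()/__destruct() of an attacker-chosen class is ever invoked.
echo 'false       : ', describe(unserialize($payload, ['allowed_classes' => false])), PHP_EOL;

// allowed_classes => [...]: only the listed classes are instantiated ...
echo 'allow-list  : ', describe(unserialize($payload, ['allowed_classes' => ['MyClass']])), PHP_EOL;

// ... and anything not on the list is still downgraded.
echo 'other list  : ', describe(unserialize($payload, ['allowed_classes' => ['OtherClass']])), PHP_EOL;

// allowed_classes => true (the default): any class named in the payload is built.
echo 'true        : ', describe(unserialize($payload, ['allowed_classes' => true])), PHP_EOL;
```

Run it with `php example.php`; for untrusted input, the `false` or allow-list forms are the ones to use, and treating any `__PHP_Incomplete_Class` in the result as a rejected payload gives a cheap detection signal.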
