PHP7過濾unserialize()
PHP7引入了過濾 unserialize()函數以在反序列化不受信任的數據對象時提供更好的安全性。它可以防止可能的代碼注入,使開發人員能夠使用序列化白名單類。
示例
obj1prop = 1; $obj2 = new MyClass2(); $obj2->obj2prop = 2; $serializedObj1 = serialize($obj1); $serializedObj2 = serialize($obj2); // default behaviour that accepts all classes // second argument can be ommited. // if allowed\_classes is passed as false, unserialize converts all objects into \_\_PHP\_Incomplete\_Class object $data = unserialize($serializedObj1 , \["allowed\_classes" => true\]); // converts all objects into \_\_PHP\_Incomplete\_Class object except those of MyClass1 and MyClass2 $data2 = unserialize($serializedObj2 , \["allowed\_classes" => \["MyClass1", "MyClass2"\]\]); print($data->obj1prop); print(""); print($data2->obj2prop); ?>
這將在瀏覽器產生以下輸出 -
1
2