Newsgroups: php.internals
Subject: Re: [PHP-DEV] Unserialize is broken
From: j.boggiano@seld.be (Jordi Boggiano)
To: Herman Radtke
Cc: internals@lists.php.net
Date: Sun, 28 Feb 2010 21:00:05 +0100
Message-ID: <4bcbf4711002281200u409f041dm330a328eb546e039@mail.gmail.com>
References: <4B8A97AF.3060608@seld.be>

On Sun, Feb 28, 2010 at 8:03 PM, Herman Radtke wrote:
>> Imo unserialize should check, when applying public or protected values,
>> if either exists on the object, and apply it to the one that exists.
>> Sure it's gonna cost some performance, but at least changing the
>> prototype of your class while stuff is running isn't going to kill your
>> code anymore.
>
> This seems like a corner case and one that a conversion script should
> handle. Considering that serialize and unserialize are called for
> every single web-request, degrading the performance of unserialize is
> not something that should be done lightly.

Well... the problem is you can't use __wakeup() for it, because at that
point it's too late to read the values. It could work if you got the
properties as an array or something, as __wakeup($data), but that's not
the case.

So the only approach would be to edit the scripts manually, and that's
the last thing I want to do honestly; in the playing-with-fire category,
serialized strings are pretty highly ranked.

Patching __wakeup handling could be a non-costly option I suppose, but
that's just another hack on top of the hackish hacks, and I don't want
to be the cause of it, so if unserialize can't be fixed I'd rather have
nothing.

Cheers,
Jordi
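Added example, not code from this thread or from the PHP project. It shows how serialize() encodes property visibility into the property key (a protected name becomes "\0*\0name", a private one "\0Class\0name"), which is why a payload written under one class prototype no longer matches the declared property after the visibility changes. PHP 7.4 later added __unserialize(array $data), which receives the raw property array (the "__wakeup($data)" shape Jordi asks for above), so a class can normalise such keys itself rather than depend on how the engine maps them. The class name Config, the property timeout, and the legacy payload are constructed for illustration.

```php
<?php
// Added example; not code from the thread or from the PHP project. The class
// name Config and the property "timeout" are invented for illustration.
// PHP 7.4 added __unserialize(array $data), which receives the raw property
// array, so a class can accept payloads written when its properties had a
// different visibility.

declare(strict_types=1);

final class Config
{
    // Was protected in the class version that wrote the legacy payload below.
    public int $timeout = 5;

    // Shape written by the current class version.
    public function __serialize(): array
    {
        return ['timeout' => $this->timeout];
    }

    // Accepts both the current shape and legacy payloads whose keys still
    // carry a visibility prefix: "\0*\0name" for protected, "\0Class\0name"
    // for private. Unknown keys are dropped instead of becoming dynamic
    // properties, and the value is type-checked before assignment.
    public function __unserialize(array $data): void
    {
        foreach ($data as $key => $value) {
            $name = self::stripVisibilityPrefix((string) $key);
            if ($name === 'timeout' && is_int($value)) {
                $this->timeout = $value;
            }
        }
    }

    private static function stripVisibilityPrefix(string $key): string
    {
        // Mangled keys start with a NUL byte; the name follows the second NUL.
        if ($key !== '' && $key[0] === "\0") {
            $second = strpos($key, "\0", 1);
            if ($second !== false) {
                return substr($key, $second + 1);
            }
        }
        return $key;
    }
}

// Constructed legacy payload, as serialize() would have written it while
// "timeout" was still protected: the key is "\0*\0timeout", 10 bytes long
// including the two NUL bytes.
$legacy = "O:6:\"Config\":1:{s:10:\"\0*\0timeout\";i:30;}";

// allowed_classes restricts which classes unserialize() may instantiate.
$cfg = unserialize($legacy, ['allowed_classes' => [Config::class]]);
var_dump($cfg->timeout);

// The same object round-tripped through the current format, and the serialized
// text itself, which shows that the key no longer carries a visibility prefix.
$current = serialize($cfg);
var_dump($current);
var_dump(unserialize($current, ['allowed_classes' => [Config::class]])->timeout);
```

The first var_dump shows the value taken from the legacy, protected-keyed entry landing on the now-public property; the second shows that serializing the current class writes the plain key, so future visibility changes only need the normaliser in __unserialize() rather than a rewrite of stored strings.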