PHP :: Bug #1693 :: unserialize returns false

Bug #1693	unserialize returns false
Submitted:	1999-07-10 20:36 UTC	Modified:	2001-02-10 15:46 UTC
From:	colin at whistler dot net	Assigned:
Status:	Closed	Package:	Misbehaving function
PHP Version:	3.0.11	OS:	SunOS
Private report:	No	CVE-ID:	None

View Developer Edit

[1999-07-10 20:36 UTC] colin at whistler dot net

The problem appears inconsistently, but fairly frequently. My input is typically around 2K, but I have been able to successfully unserialize strings up to 10K successfully.

I don't think this is related to magic quotes, since I call stripslashes() before unserialize().

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[1999-11-11 19:09 UTC] joey at cvs dot php dot net

Is there any more info on this bug? Is it still in 3.0.12?
Is there a reproducable test case? Anything? :)

[1999-11-11 19:28 UTC] joey at cvs dot php dot net

Setting as Analyzed until more info is available.

[1999-11-11 22:34 UTC] joey at cvs dot php dot net

I will look into this more tomorrow. Here is the reply from the reporter.

Oops, should have updated or closed this one I guess.

The problem is with serialized strings. If the actual length of the
string is different than expected, as in the following case,
unserialize() returns false. 

s:9:"O'Reilly";

This can happen when magic quotes is turned on. If for example, you
were to read a string in from a file, serialize it, and store it in a
database, there is no way to then unserialize it:

file contents:                          O'Reilly
retrieved from file:            O\'Reilly
serialized:                                     s:9:"O\'Reilly";
stored in db:                           s:9:\"O\'Reilly\";
after stripslashes():           s:9:"O'Reilly";

If you pass the magic-quoted value to serialize, it will choke on the
escaped double quotes. If you run it through stripslashes(),
unserialize will choke on the string-too-short problem. You could maybe
work around it via regex, but...

I worked around it by turning off magic_quotes. Perhaps this is more of
a gotcha than a bug, but it would be nice to make unserialize smart
enough to deal with the possibility.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue May 06 12:01:29 2025 UTC