Bug #1693 unserialize returns false
Submitted: 1999-07-10 20:36 UTC Modified: 2001-02-10 15:46 UTC
From: colin at whistler dot net Assigned:
Status: Closed Package: Misbehaving function
PHP Version: 3.0.11 OS: SunOS
Private report: No CVE-ID: None
 [1999-07-10 20:36 UTC] colin at whistler dot net
The problem appears inconsistently, but fairly frequently. My input is typically around 2K, but I have been able to successfully unserialize strings up to 10K.

I don't think this is related to magic quotes, since I call stripslashes() before unserialize().


 [1999-11-11 19:09 UTC] joey at cvs dot php dot net
Is there any more info on this bug? Is it still in 3.0.12?
Is there a reproducible test case? Anything? :)
 [1999-11-11 19:28 UTC] joey at cvs dot php dot net
Setting as Analyzed until more info is available.
 [1999-11-11 22:34 UTC] joey at cvs dot php dot net
I will look into this more tomorrow. Here is the reply from the reporter.

Oops, should have updated or closed this one I guess.

The problem is with serialized strings. If the actual length of the
string is different than expected, as in the following case,
unserialize() returns false. 

s:9:"O'Reilly";

This can happen when magic quotes is turned on. If for example, you
were to read a string in from a file, serialize it, and store it in a
database, there is no way to then unserialize it:

file contents:          O'Reilly
retrieved from file:    O\'Reilly
serialized:             s:9:"O\'Reilly";
stored in db:           s:9:\"O\'Reilly\";
after stripslashes():   s:9:"O'Reilly";

If you pass the magic-quoted value to serialize, it will choke on the
escaped double quotes. If you run it through stripslashes(),
unserialize will choke on the string-too-short problem. You could maybe
work around it via regex, but...

I worked around it by turning off magic_quotes. Perhaps this is more of
a gotcha than a bug, but it would be nice to make unserialize smart
enough to deal with the possibility.   
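
Added example, not part of the original report or of PHP's own code: it reproduces the length mismatch from the trace above, then shows an ordering that round-trips cleanly. Assumptions: PHP 7.0 or later, addslashes() standing in for magic quotes (removed in PHP 5.4), and the helper names stringLengthMismatch() and strictUnserialize(), which are hypothetical.

```php
<?php
// Added example; helper names are hypothetical. Inputs come from the trace
// above or are constructed. addslashes() stands in for magic quotes.

// For a top-level s:N:"..."; value, report declared vs. actual byte length.
function stringLengthMismatch(string $blob): ?array
{
    if (!preg_match('/^s:(\d+):"(.*)";$/s', $blob, $m)) {
        return null; // not a single serialized string
    }
    $declared = (int) $m[1];
    $actual = strlen($m[2]);
    return $declared === $actual ? null : compact('declared', 'actual');
}

// unserialize() returns false both on failure and for "b:0;", so separate
// the two cases. allowed_classes => false keeps objects from being created.
function strictUnserialize(string $blob)
{
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if ($value === false && $blob !== 'b:0;') {
        throw new UnexpectedValueException('corrupt serialized data');
    }
    return $value;
}

// Failing path: the "stored in db" value from the trace, then stripslashes().
// The slashes inside the payload are removed but the length prefix is not updated.
$storedInDb = <<<'RAW'
s:9:\"O\'Reilly\";
RAW;
$broken = stripslashes($storedInDb);
print_r(stringLengthMismatch($broken));
try {
    strictUnserialize($broken);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}

// Working path: undo the quoting before serialize(), then treat the blob as
// opaque bytes and reverse exactly the escaping that was applied to it.
$fromFile = addslashes("O'Reilly");           // constructed: value as magic quotes delivered it
$blob = serialize(stripslashes($fromFile));   // length prefix computed over the final bytes
$roundTrip = stripslashes(addslashes($blob)); // symmetric escape and unescape
var_dump(stringLengthMismatch($roundTrip));
var_dump(strictUnserialize($roundTrip));
```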
 