php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #77872 private/protected __serialize/__unserialize should throw Error
Submitted: 2019-04-09 13:51 UTC Modified: 2021-08-06 19:10 UTC
From: nicolas dot grekas+php at gmail dot com Assigned:
Status: Open Package: *General Issues
PHP Version: Next Minor Version OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: nicolas dot grekas+php at gmail dot com
New email:
PHP Version: OS:

 

 [2019-04-09 13:51 UTC] nicolas dot grekas+php at gmail dot com 
Description:
------------
When the new __serialize/__unserialize method are made protected or private, a warning is thrown.
Throwing an Error might be better.

Test script:
---------------
class foo
{
    private function __serialize()
    {
        return [123];
    }

    public function __unserialize($a)
    {
    }
}

$f = new foo();

$s = serialize($f);


Expected result:
----------------
"Fatal error: Uncaught Error: Call to private method foo::__serialize()" or similar


Actual result:
--------------
Warning: Invalid callback foo::__serialize, cannot access private method foo::__serialize() in /var/www/html/test.php on line 22

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-04-09 15:31 UTC] nikic@php.net 
This is a standard warning generated by the internal call mechanism, not by the serialization handling. If we change something here it should probably only be in PHP 8 and for all users of the mechanism.
 [2019-04-09 15:39 UTC] nicolas dot grekas+php at gmail dot com 
Changing that for PHP8 would be great then, yes!
 [2021-08-06 19:10 UTC] cmb@php.net
-Summary: private/protected __serialize/__unserialize triggers a warning +Summary: private/protected __serialize/__unserialize should throw Error -Type: Bug +Type: Feature/Change Request
 [2021-08-06 19:10 UTC] cmb@php.net 
> Changing that for PHP8 would be great then, yes!

Seems to have been forgotten.  Not sure what to do now – postpone
to PHP 9?  How to make sure that we don't forget it?
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Nov 02 08:00:02 2025 UTC