php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #26737 unexpected __sleep() serialization behavior
Submitted: 2003-12-29 00:20 UTC Modified: 2004-08-21 16:15 UTC
Votes:18
Avg. Score:4.9 ± 0.2
Reproduced:18 of 18 (100.0%)
Same Version:13 (72.2%)
Same OS:14 (77.8%)
From: rob dot wills at gmail dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5.0.0 OS: *
Private report: No CVE-ID:
 [2003-12-29 00:20 UTC] rob dot wills at gmail dot com
Description:
------------
I have an object instance ($obj_root) that I want to 
persist in a 
session.
The object's class (object_container) defines the 
__sleep() function, and 
returns the array of member variables to be serialized.

function __sleep()
{ 
    return array("objs");
}

The member variable 'objs' ($this->objs = array('foo');) 
is not serialized as expected; 
Arrays or other object-types result in null strings.

Upon comparing the serialized instance strings, I have 
discovered that the string-ified names of the member 
variables are very different:

serialize() without __sleep() wraps null chars around 
the instance class name, followed by the member variable 
name.

obj_root|O:16:"object_container":1:{s:
22:"^@object_container^@objs";a:1:{s:3:"foo" ....

serialize() with __sleep() uses the plain member 
variable name, and dismisses it as null.


If I use the __sleep() function and supply the member 
variable name with null chars quoting the class name the 
serialization works.

function __sleep()
{ 
    return array("\0object_container\0objs");
}

Could this be a bug, or should the documentation be 
updated to reflect this curious behaviour of __sleep().


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-02-26 20:34 UTC] mastabog at hotmail dot com
Same problem here. And I'm downloading the CVS php5 version daily since May 2003.

I assumed this was to be solved in a much later stage seeing that all CVS releases (and all 4 betas of PHP5) had this bug.

In all my php5 projects i haven't use any __sleep() methods at all because they weren't working.

I use php5 mainly with win32 and about once a week with Linux. Both have this bug ... very irritating (I have some objects that make my session file go up to 100kb, because i cant use __sleep(), which would be large for a production site.)
 [2004-02-26 21:24 UTC] mastabog at hotmail dot com
Complete info on this bug:

To quote "rob at cue dot cc", you don't have to enclose only the class name with null characters. As far as I've seen you have to enclose with null chars ALL Php5 serialization identifiers of class properties types, the ones I figured out to be for now (let x be the property name):

- class name if x is 'private' => "\0" . __CLASS__ . "\0x"
- * if x is 'protected' => "\0*\0x"
- nothing if x is 'public' => "x"

Here's what I mean:

<?php

class aTest
{
  public $a = 'one';
  protected $b = 'two';
  private $c = 'three';
  private $d = 'something you dont wanna save';

  function __sleep()
  {
    return array("a",
                 "\0*\0b",
                 "\0aTest\0c");
    // or
    // return array("a",
    //              "\0*\0b",
    //              "\0" . __CLASS__ . "\0c");
  }
}

?>

Anything else in the return array of __sleep() and the property will come up empty after unserialization ... not nice.

My hope is that this is a bug, cus forming those strings with null chars is just, well, ugly :)
 [2004-07-13 00:10 UTC] trevorrowe at gmail dot com
Last posting was made on feb 26, its now jul 12. 
------------------------------------------------

Anyone have any more current news on this bug?

The bug seems to still persist in php5 rc3.  mastabog's suggestion of padding the variable name with nulls for private, padding the * for protected and nothing for public works, but seems like an ugly hack.  My biggest fear is when the bug is patched, my variable names will be double padded and things will start to break.
 [2004-07-15 04:14 UTC] rob dot wills at gmail dot com
PHP5.0.0 still exhibits this behaviour.

Is there anything else I can provide to help with this 
issue/bug?

Thanks,

Rob
 [2004-07-15 12:44 UTC] magnus@php.net
Verified.
The workaround still works too.

 [2004-07-28 15:21 UTC] albin at kth dot se
What is even the point of __sleep being supposed to return an array of the properties that should be serialized? I think it would be much easier just to manually unset those variables that you DON'T want to serialize, and letting PHP serialize everything else. 
I thought __sleep was supposed just to be a way of closing database-connections etc, but due to the current implementation that seems almost impossible.
 [2004-08-03 02:23 UTC] mastabog at hotmail dot com
I really *really* don't understand why this bug (it is a bug .. everyone sees it that way) doesn't get fixed. It's quite important ...

Padding the variables with nulls and classname or * is not my suggestion or hack, it's what I've seen it does looking in the session file. Currently ther eis no other way to selectively save variables between sessions.

Right now i'm using the Reflection API to autodetect property types and then construct the array for __sleep(). Hope I won't be force to develop too many of those ...

For {albin at kth dot se}: the point of specifying which variables to save is quite easy to explain .. sometimes you only want to save a few out of a bunch of properties. Its easier to state those which you want to save than those which you don't. Of course, sometimes its the othr way around and you wish you had something to specify those you don't want. Here's where the Reflection API can help (see the Zend2 Engine changes, bottom: http://sitten-polizei.de/php/reflection_api/docs/language.reflection.html)
 [2004-08-21 16:15 UTC] andrey@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2004-08-21 21:45 UTC] mastabog at hotmail dot com
Oh thank you, thank you! I eventually wrote a patch for this bug seeing everyone avoided it. 10x again :)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 18:02:13 2014 UTC