Bug #31502 Wrong deserialization from session when using WDDX serializer
Submitted: 2005-01-12 02:15 UTC Modified: 2005-04-11 12:39 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: kubis at pawouk dot net Assigned:
Status: Closed Package: WDDX related
PHP Version: 5CVS-2005-02-28 OS: WinXP SP2
Private report: No CVE-ID: None
 [2005-01-12 02:15 UTC] kubis at pawouk dot net
I have found that sometimes if you have an object A as a member of another object B and you try to store the object B in session AND you are using wddx serializer as default session serializer, after deserialization back from session the object A in member of object B deserializes wrong. While using the standard php serializer, all seems working perfectly.

Reproduce code:
class Logger {
  public $logfile;
  public $logtype;
  function __construct() {
     $this->logfile = '/tmp/user.log';
  }
  // some logger class implementation
}

class User {
  public $logger;

  function __construct() {
     $this->logger = new Logger();
  }

  function __wakeup() {
     $this->logger->logtype; // you won't find '/tmp/user.log' here, you won't find the $logtype variable at all.
  }
}

Expected result:
I am expecting that the value of $this->logger->logtype would be the '/tmp/user.log' string; but there is not any value at all, and it seems there is not any member 'logfile' at all. While debugging using Zend Studio I have seen that all members of the Logger class have lost their names; there were just some numbers.


 [2005-01-12 13:15 UTC] kubis at pawouk dot net
Once more the __wakeup() function; I messed it up:

function __wakeup() {
   $this->logger->logfile; // you won't find '/tmp/user.log' here, you won't find the $logtype variable at all.
}
 [2005-01-12 13:57 UTC] petr at mudroch dot net
It seems that the problem appears when the wddx serializer tries to serialize and then deserialize objects with private members; private members are not serialized and the deserialized values of private members are NULL.

With session.serialize_handler = wddx in php.ini, try this and then look at the file in which the session data are stored:

session_start(); // start the session so $_SESSION is written out by the configured handler

class Petr {
	private $priv;
	public $pub;
	protected $prot;
	public $pavel;
	function __construct() {
		$this->priv = "private";
		$this->pub = "public";
		$this->prot = "protected";
		$this->pavel = new Pavel(); // nested object, serialized as an inner struct
	}
}

class Pavel {
	private $priv;
	public $pub;
	protected $prot;
	function __construct() {
		$this->priv = "private";
		$this->pub = "public";
		$this->prot = "protected";
	}
}

$petr = new Petr();

// stored in the session file when the request ends
$_SESSION['test'] = $petr;

You will see:

<wddxPacket version='1.0'><header/><data><struct><var name='test'><struct><var name='php_class_name'><string>Petr</string></var><var name=''><string>private</string></var><var name='pub'><string>public</string></var><var name=''><string>protected</string></var><var name='pavel'><struct><var name='php_class_name'><string>Pavel</string></var><var name=''><string>private</string></var><var name='pub'><string>public</string></var><var name=''><string>protected</string></var></struct></var></struct></var></struct></data></wddxPacket>


Protected and private members are not serialized correctly - only the value of the variable, not its name, is serialized.
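
The empty name='' attributes in the packet above line up with how PHP stores non-public properties internally: a private name is kept as "\0ClassName\0prop" and a protected one as "\0*\0prop". The following is an added example, not code from the report or from the PHP source; it prints those internal keys and, as an assumption about the cause, shows that reading them as NUL-terminated C strings yields an empty name. The helpers c_string_view and demangle are hypothetical names introduced here.

```php
<?php
// Added illustration; the class mirrors Pavel from the comment above.
class Pavel {
    private $priv = "private";
    public $pub = "public";
    protected $prot = "protected";
}

// Assumption: models a consumer that treats the property key as a
// NUL-terminated C string, so everything after the first "\0" is lost.
function c_string_view(string $key): string {
    $nul = strpos($key, "\0");
    return $nul === false ? $key : substr($key, 0, $nul);
}

// Recover [visibility, declaring class, plain name] from an internal key.
function demangle(string $key): array {
    if ($key === '' || $key[0] !== "\0") {
        return ['public', null, $key];           // public names are stored as-is
    }
    $end   = strpos($key, "\0", 1);              // second NUL ends the scope marker
    $scope = substr($key, 1, $end - 1);          // "*" or the declaring class name
    $name  = substr($key, $end + 1);
    return $scope === '*'
        ? ['protected', null, $name]
        : ['private', $scope, $name];
}

// Casting an object to an array exposes the internal (mangled) property keys.
foreach ((array) new Pavel() as $key => $value) {
    [$visibility, $class, $name] = demangle($key);
    printf(
        "%-9s name=%-5s c_string_view=%-6s value=%s\n",
        $visibility,
        $name,
        var_export(c_string_view($key), true),
        $value
    );
}
```

Only the public property keeps a non-empty name in the C-string view, which matches the var elements in the packet: the values survive but the private and protected names do not.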
 [2005-02-28 21:09 UTC]
Please try using this CVS snapshot:
For Windows:

 [2005-02-28 21:53 UTC] kubis at pawouk dot net
Still not working on 5.1.0-dev; member names are still missing.
 [2005-04-11 12:39 UTC]
The bug is fixed in CVS HEAD and PHP_5_0.
Now WDDX extension can serialize/deserialize private and protected members.
Last updated: Mon May 20 07:01:34 2024 UTC