Bug #44409 PDO::FETCH_SERIALIZE calls __construct()
Submitted: 2008-03-11 19:53 UTC Modified: 2009-03-23 23:20 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: uwendel at mysql dot com Assigned: felipe
Status: Closed Package: PDO related
PHP Version: 5.3CVS-2008-03-11 (CVS) OS: *
Private report: No CVE-ID:
 [2008-03-11 19:53 UTC] uwendel at mysql dot com
Description:
------------
There seems to be very little documentation about PDO::FETCH_SERIALIZE in the PHP manual, but playing the guessing game from the code it seems that this feature aims to support SPL/Serialize interface. As I'm not sure about the purpose of PDO::FETCH_SERIALIZE, I'm not sure if the following is a bug or not. However, it seems to me that PDO::FETCH_SERIALIZE unintentionally calls __construct().

One of the main ideas behind SPL/Serialize interface seems to be that for unserialization the constructor of a class does not get called. The constructor of a class has a different meaning than a helper function like unserialize() and thus should not be called automatically. Let's check:

class myclass implements Serializable {
  public function __construct() {
    printf("%s()\n", __METHOD__);
  }
  public function serialize() {
    printf("%s()\n", __METHOD__);
    return "any data from serialize()";
  }
  public function unserialize($dat) {
    printf("%s(%s)\n", __METHOD__, var_export($dat, true));
  }
}

$obj1 = new myclass();
  ---> myclass::__construct()
$tmp  = serialize($obj1);
$obj2 = unserialize($tmp);
  ---> myclass::unserialize('any data from serialize()')

__construct() gets called only once for object creation but not again during unserialization. Let's try that with PDO:

[...]
$stmt = $db->query("SELECT dat FROM test");
$rows = $stmt->fetchAll(PDO::FETCH_CLASS|PDO::FETCH_SERIZALIZE, "myclass");
  --> myclass::unserialize("data from DB")
  --> myclass::__construct()
[...]

PDO first calls unserialize() as it's supposed to do. But then it also calls __construct(), which is against the idea of the Serialize interface not to call the constructor automatically during unserialization.

Reproduce code:
---------------
sapi/cli/php -r '$db = new PDO("sqlite:/tmp/foo"); $db->exec("DROP TABLE test"); $db->exec("CREATE TABLE test(dat VARCHAR(100))"); $db->exec("INSERT INTO test(dat) VALUES (\"Data from DB\")"); class myclass implements Serializable { public function __construct() { printf("%s()\n", __METHOD__); } public function serialize() { return "any data from serizalize()"; } public function unserialize($dat) { printf("%s(%s)\n", __METHOD__, var_export($dat, true)); }} $stmt = $db->query("SELECT * FROM test"); var_dump($stmt->fetchAll(PDO::FETCH_CLASS|PDO::FETCH_SERIALIZE, "myclass")); $obj = new myclass(); var_dump(unserialize(serialize($obj)));'
myclass::unserialize('Data from DB')
myclass::__construct()
array(1) {
  [0]=>
  object(myclass)#3 (0) {
  }
}
myclass::__construct()
myclass::unserialize('any data from serizalize()')
object(myclass)#4 (0) {
}

 [2009-02-15 21:11 UTC] davidc@php.net
Hmm is it supposed to say: PDO::FETCH_SERIZALIZE?
 [2009-03-22 10:04 UTC] matteo at beccati dot com
Fix available at:

http://www.beccati.com/misc/php/pdo_pgsql_bug44409_php_5_3.patch
 [2009-03-23 23:20 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Committed in 5.3 and HEAD, thanks for the patch! :)
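
A regression check for the call order reported above, as an added example that is not part of the original report or of the PHP source. It also shows why the order matters: a constructor that runs after unserialize() replaces the state restored from the database with its defaults. The class name Token, the role property and the sample row are constructed for this example.

```php
<?php
// Added example: regression check for the call order reported in bug #44409.
// Class, property, table contents and messages are constructed for this example.

class Token implements Serializable
{
    public static $calls = [];   // order in which the methods ran
    public $role = null;

    public function __construct()
    {
        self::$calls[] = '__construct';
        $this->role = 'guest';   // constructor default
    }

    public function serialize()
    {
        return (string) $this->role;
    }

    public function unserialize($data)
    {
        self::$calls[] = 'unserialize';
        $this->role = $data;     // state restored from storage
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE test(dat VARCHAR(100))');
$db->exec("INSERT INTO test(dat) VALUES ('admin')");

$stmt = $db->query('SELECT dat FROM test');
$rows = $stmt->fetchAll(PDO::FETCH_CLASS | PDO::FETCH_SERIALIZE, 'Token');

// Expected with the fix: only unserialize() runs, so the stored role survives.
// With the order reported in the bug (unserialize(), then __construct()),
// the constructor default overwrites the value read from the database.
$ctorRan = in_array('__construct', Token::$calls, true);
printf("calls: %s\n", implode(', ', Token::$calls));
printf("role:  %s\n", var_export($rows[0]->role, true));
echo $ctorRan
    ? "AFFECTED: constructor ran during FETCH_SERIALIZE\n"
    : "OK: constructor not called for FETCH_SERIALIZE\n";
exit($ctorRan ? 1 : 0);
```

On PHP 8.1 and later, Serializable-only classes and PDO::FETCH_SERIALIZE both raise deprecation notices.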
 
Last updated: Mon Apr 21 00:02:04 2014 UTC