|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44409 PDO::FETCH_SERIALIZE calls __construct()
Submitted: 2008-03-11 19:53 UTC Modified: 2009-03-23 23:20 UTC
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: uwendel at mysql dot com Assigned: felipe
Status: Closed Package: PDO related
PHP Version: 5.3CVS-2008-03-11 (CVS) OS: *
Private report: No CVE-ID:
 [2008-03-11 19:53 UTC] uwendel at mysql dot com
There seems to be very few documentation about PDO::FETCH_SERIALIZE in the PHP manual but playing the guessing game from the code it seems that this feature aims to support SPL/Serialize interface. As I'm not sure about the purpose of PDO::FETCH_SERIALIZE I'm not sure if the following is a bug or not. However, it seems to me that PDO::FETCH_SERIALIZE unintentionally calls __construct().

One of the main ideas behind SPL/Serialize interface seems to be that for unserialization the constructor of a class does not get called. The constructor of a class has a different meaning than a helper function like unserialize() and thus should not be called automatically. Let's check:

class myclass implements Serialize {
  public function __construct() {
    printf("%s()\n", __METHOD__);
  public function serialize() {
    printf("%s()\n", __METHOD__);
    return "any data from serialize()";
  public function unserialize($dat) {
    printf("%s(%s)\n", __METHOD__, var_export($dat, true));

$obj1 = new myclass()     
  ---> myclass::__construct()
$tmp  = serialize($obj1)    
$obj2 = unserialize($tmp) 
  ---> myclass::unserialize('any data from serizalize()')

__construct() gets called only once for object creation but not again during unserialization. Let's try that with PDO:

$stmt = $db->query("SELECT dat FROM test");
$rows = $stmt->fetchAll(PDO::FETCH_CLASS|PDO::FETCH_SERIZALIZE, "myclass");
  --> myclass::unserialize("data from DB")
  --> myclass::__construct()

PDO first calls unserialize() as its supposed to do. But then it also calls __construct() which is against the idea of the Serialize interface not to call the constructor automatically during unserialization.

Reproduce code:
sapi/cli/php -r '$db = new PDO("sqlite:/tmp/foo"); $db->exec("DROP TABLE test"); $db->exec("CREATE TABLE test(dat VARCHAR(100))"); $db->exec("INSERT INTO test(dat) VALUES (\"Data from DB\")"); class myclass implements Serializable { public function __construct() { printf("%s()\n", __METHOD__); } public function serialize() { return "any data from serizalize()"; } public function unserialize($dat) { printf("%s(%s)\n", __METHOD__, var_export($dat, true)); }} $stmt = $db->query("SELECT * FROM test"); var_dump($stmt->fetchAll(PDO::FETCH_CLASS|PDO::FETCH_SERIALIZE, "myclass")); $obj = new myclass(); var_dump(unserialize(serialize($obj)));'
myclass::unserialize('Data from DB')
array(1) {
  object(myclass)#3 (0) {
myclass::unserialize('any data from serizalize()')
object(myclass)#4 (0) {


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-02-15 21:11 UTC]
Hmm is it supposed to say: PDO::FETCH_SERIZALIZE?
 [2009-03-22 10:04 UTC] matteo at beccati dot com
Fix available at:
 [2009-03-23 23:20 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Commited in 5.3 and HEAD, thanks for the patch! :)
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Sat Nov 28 14:01:37 2015 UTC