Request #49649 unserialize() doesn't handle changes in property visibility
Submitted: 2009-09-24 07:08 UTC Modified: 2010-12-20 09:38 UTC
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:2 (66.7%)
From: coolfactor at mac dot com Assigned:
Status: Closed Package: Class/Object related
PHP Version: 5.3.0 OS: OS X 10.5.8
Private report: No CVE-ID: None


 [2009-09-24 07:08 UTC] coolfactor at mac dot com
Unserializing an object after changing some of its class properties 
from public to protected results in properties present in both states. 

(As a workaround, migration code can be written using get_object_vars() 
to update the protected property from the corresponding public version 
within a __wakeup() call.)

Reproduce code:
(It's difficult to write reproduce code for this, so I hope the following step-by-steps are OK)

1. Object "John" of class "Person" stored in serialized form has property "age" with public visibility.
2. Change visibility of property "age" in class definition to "protected".
3. Unserialize "John". The property "age" will be present in both public and protected states.
4. Attempting to access the "age" property directly correctly returns the value stored in the protected version.
5. Using get_object_vars() returns the value stored in the public version.

Expected result:
Changes in property visibility should migrate the values gracefully upon 
unserialization. Properties by any given name should only exist once, 
but the current behavior conflicts with that.

Actual result:
Both versions of a property (public and protected) exist in unserialized 


 [2009-09-24 07:15 UTC] coolfactor at mac dot com
1. There's no way to unset() the public version.
2. Using __sleep() to return the properties to serialize results in the 
public version being serialized again, so there's no way to migrate the 
values permanently without reconstructing the object from scratch.
 [2010-12-20 09:38 UTC]
-Package: Feature/Change Request +Package: Class/Object related
 [2017-07-10 06:27 UTC]
Automatic comment on behalf of
Log: Fix #49649 - Handle property visibility changes on unserialization
 [2017-07-10 06:27 UTC]
-Status: Open +Status: Closed
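
The report's steps 1 to 5 as a runnable check (an added example, not code from the reporter or the PHP project). The payload and the value 42 are constructed, propertySlots() is a hypothetical helper, and the allowed_classes option requires PHP 7.0 or later.

```php
<?php
// Added example: names follow the report's steps; the payload is constructed.
class Person
{
    protected $age; // step 2: this was "public $age" when John was stored

    public function getAge() { return $this->age; }
    public function vars()   { return get_object_vars($this); }
}

// Step 1: John as serialized while "age" was public. Public properties are
// stored under the bare name; a protected one would be s:6:"\0*\0age".
$stored = 'O:6:"Person":1:{s:3:"age";i:42;}';

// Step 3: unserialize against the new definition (allowed_classes: PHP >= 7.0).
$john = unserialize($stored, ['allowed_classes' => ['Person']]);

// Hypothetical helper: list the visibility of every slot stored under each
// property name. The (array) cast exposes the mangled internal keys.
function propertySlots($obj)
{
    $slots = [];
    foreach (array_keys((array) $obj) as $key) {
        $parts = explode("\0", (string) $key);
        if (count($parts) === 3) {           // "\0*\0name" or "\0Class\0name"
            $vis = $parts[1] === '*' ? 'protected' : "private({$parts[1]})";
            $slots[$parts[2]][] = $vis;
        } else {
            $slots[$key][] = 'public';
        }
    }
    return $slots;
}

// A name with more than one slot is the duplicate state the report describes.
foreach (propertySlots($john) as $name => $visibilities) {
    $state = count($visibilities) > 1 ? 'DUPLICATED' : 'single';
    printf("%-4s %-10s %s\n", $name, $state, implode(', ', $visibilities));
}

// Steps 4 and 5: compare what direct access and get_object_vars() report.
printf("direct access:   %s\n", var_export($john->getAge(), true));
printf("get_object_vars: %s\n", var_export($john->vars(), true));
```

A property reported as DUPLICATED means code that reads the object through get_object_vars() or an array cast can see a different value than code that reads the declared property.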
Last updated: Wed Jun 19 20:01:31 2024 UTC