|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #49649 unserialize() doesn't handle changes in property visibility
Submitted: 2009-09-24 07:08 UTC Modified: 2010-12-20 09:38 UTC
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:2 (66.7%)
From: coolfactor at mac dot com Assigned:
Status: Closed Package: Class/Object related
PHP Version: 5.3.0 OS: OS X 10.5.8
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
48 + 34 = ?
Subscribe to this entry?

 [2009-09-24 07:08 UTC] coolfactor at mac dot com
Unserializing an object after changing some of its class properties' 
from public to protected results in properties present in both states. 

(As a workaround, migration code can be written using get_object_vars() 
to update the a protected property from the corresponding public version 
within a __wakeup() call.)

Reproduce code:
(It's difficult to write reproduce code for this, so I hope the following step-by-steps are OK)

1. Object "John" of class "Person" stored in serialized form has property "age" with public visibility.
2. Change visibility of property "age" in class definition to "protected".
3. Unserialize "John". The property "age" will be present in both public and protected states.
4. Attempting to access the "age" property directly correctly returns the value stored in the protected version.
5. Using get_object_vars() returns the value stored in the public version.

Expected result:
Changes in property visibility should migrate the values gracefully upon 
unserialization. Properties by any given name should only exist once, 
but the current behavior conflicts with that.

Actual result:
Both versions of a property (public and protected) exist in unserialized 


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-09-24 07:15 UTC] coolfactor at mac dot com
1. there's no way to unset() the public version.
2. using __sleep() to return the properties to serialize results in the 
public version being serialized again, so there's no way to migrate the 
values permanently without reconstructing the object from scratch.
 [2010-12-20 09:38 UTC]
-Package: Feature/Change Request +Package: Class/Object related
 [2017-07-10 06:27 UTC]
Automatic comment on behalf of
Log: Fix #49649 - Handle property visibility changes on unserialization
 [2017-07-10 06:27 UTC]
-Status: Open +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jun 24 03:01:29 2024 UTC