|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2010-02-28 12:47 UTC] johannes@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Mon Nov 03 17:00:01 2025 UTC |
Description: ------------ If you serialize an object in the session and then change the properties declaration from public to protected (or any other change), the unserialized objects will have duplicated properties, once public and once protected, and the object will not be able to read the public value so it means the object state is broken. This is obviously due to the way the protected values are stored as "\0*\0property" => "value", but I still think the default unserializer code should check if "property" exists, and fill it no matter what the access level is, rather than creating another property with the same name. I don't know how easy it'd be and how it would impact performance though, but it's quite scary that the engine even allows having two properties with different access levels and the same name. Reproduce code: --------------- // Run once like this, then change public $property to protected $property, run again and look at var_dump output session_start(); class testClass { public $property; public function __construct($val) { $this->property = $val; } } if (!isset($_SESSION['obj'])) { $_SESSION['obj'] = new testClass('value'); } var_dump($_SESSION['obj']); Expected result: ---------------- object(testClass)[1] protected 'property' => string 'value' (length=5) Actual result: -------------- object(testClass)[1] protected 'property' => null public 'property' => string 'value' (length=5)