PHP :: Bug #68802 :: PDO::FETCH_SERIALIZE does not unserialize object

Bug #68802

PDO::FETCH_SERIALIZE does not unserialize object

Submitted:

2015-01-12 01:00 UTC

Modified:

2017-10-24 08:31 UTC

Votes:	3
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 2 (50.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

zerkms at zerkms dot ru

Assigned:

Status:

Open

Package:

PDO related

PHP Version:

Irrelevant

OS:

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	zerkms at zerkms dot ru
New email:
PHP Version:		OS:

New/Additional Comment:

[2015-01-12 01:00 UTC] zerkms at zerkms dot ru

Description:
------------
PDO::FETCH_SERIALIZE flag must enable automatic deserialization of an object, while it does it in some wrong way.

If you additionally see the `passed data` line you will notice that the argument passed there contains extra data (the class name) that should not be there.

It causes the whole unserialization process to be broken.

The correspondning test https://github.com/php/php-src/blob/master/ext/pdo_mysql/tests/pdo_mysql_stmt_fetch_serialize.phpt is also invalid since it does not check that we can assemble the original object back.

Test script:
---------------
class foo implements Serializable {
    private $data;
    public function __construct() {
        $this->data = "My private data";
    }
    public function serialize() {
        return serialize($this->data);
    }
    public function unserialize($data) {
        var_dump('passed data: ', $data);
        $this->data = unserialize($data);
    }
    public function getData() {
        return $this->data;
    }
}
$foo = new foo;
//var_dump(serialize($foo));

$stmt = $pdo->prepare('SELECT \'C:3:"foo":23:{s:15:"My private data";}\'');
$stmt->execute();
$stmt->setFetchMode(PDO::FETCH_CLASS|PDO::FETCH_SERIALIZE, 'foo');
$data = $stmt->fetch();
var_dump($data);

Expected result:
----------------
  object(foo)#5 (1) {
    ["data":"foo":private]=>
    string(15) "My private data"
  }

Actual result:
--------------
object(foo)#4 (1) {
  ["data":"foo":private]=>
  object(foo)#5 (1) {
    ["data":"foo":private]=>
    string(15) "My private data"
  }
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-10-24 08:31 UTC] kalle@php.net

-Package: PDO Core +Package: PDO related

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2019 The PHP Group All rights reserved.	Last updated: Mon Oct 21 17:01:27 2019 UTC