php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #68802 PDO::FETCH_SERIALIZE not properly documented
Submitted: 2015-01-12 01:00 UTC Modified: 2021-07-20 21:23 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: zerkms at zerkms dot ru Assigned:
Status: Verified Package: PDO related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
30 + 32 = ?
Subscribe to this entry?

 
 [2015-01-12 01:00 UTC] zerkms at zerkms dot ru
Description:
------------
PDO::FETCH_SERIALIZE flag must enable automatic deserialization of an object, while it does it in some wrong way.

If you additionally see the `passed data` line you will notice that the argument passed there contains extra data (the class name) that should not be there.

It causes the whole unserialization process to be broken.

The correspondning test https://github.com/php/php-src/blob/master/ext/pdo_mysql/tests/pdo_mysql_stmt_fetch_serialize.phpt is also invalid since it does not check that we can assemble the original object back.

Test script:
---------------
class foo implements Serializable {
    private $data;
    public function __construct() {
        $this->data = "My private data";
    }
    public function serialize() {
        return serialize($this->data);
    }
    public function unserialize($data) {
        var_dump('passed data: ', $data);
        $this->data = unserialize($data);
    }
    public function getData() {
        return $this->data;
    }
}
$foo = new foo;
//var_dump(serialize($foo));

$stmt = $pdo->prepare('SELECT \'C:3:"foo":23:{s:15:"My private data";}\'');
$stmt->execute();
$stmt->setFetchMode(PDO::FETCH_CLASS|PDO::FETCH_SERIALIZE, 'foo');
$data = $stmt->fetch();
var_dump($data);

Expected result:
----------------
  object(foo)#5 (1) {
    ["data":"foo":private]=>
    string(15) "My private data"
  }

Actual result:
--------------
object(foo)#4 (1) {
  ["data":"foo":private]=>
  object(foo)#5 (1) {
    ["data":"foo":private]=>
    string(15) "My private data"
  }
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-10-24 08:31 UTC] kalle@php.net
-Package: PDO Core +Package: PDO related
 [2021-07-20 21:23 UTC] cmb@php.net
-Summary: PDO::FETCH_SERIALIZE does not unserialize object +Summary: PDO::FETCH_SERIALIZE not properly documented -Status: Open +Status: Verified -Type: Bug +Type: Documentation Problem
 [2021-07-20 21:23 UTC] cmb@php.net
TIL that PDO::FETCH_SERIALIZE is a thing – fascinating!

It seems to me that you must not store the serialized object, but
rather only its properties.  Otherwise it would not really make
sense to also specify the class to unserialize into.  E.g.

    $pdo->prepare('SELECT \'s:15:"My private data";\'');

would yield the expected output.  ext/pdo/tests/pdo_018.phpt seems
to confirm that.

Apparently, this needs to be documented.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Oct 02 07:03:44 2022 UTC