php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #77872 private/protected __serialize/__unserialize should throw Error
Submitted: 2019-04-09 13:51 UTC Modified: 2021-08-06 19:10 UTC
From: nicolas dot grekas+php at gmail dot com Assigned:
Status: Open Package: *General Issues
PHP Version: Next Minor Version OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
14 + 10 = ?
Subscribe to this entry?

 
 [2019-04-09 13:51 UTC] nicolas dot grekas+php at gmail dot com 
Description:
------------
When the new __serialize/__unserialize method are made protected or private, a warning is thrown.
Throwing an Error might be better.

Test script:
---------------
class foo
{
    private function __serialize()
    {
        return [123];
    }

    public function __unserialize($a)
    {
    }
}

$f = new foo();

$s = serialize($f);


Expected result:
----------------
"Fatal error: Uncaught Error: Call to private method foo::__serialize()" or similar


Actual result:
--------------
Warning: Invalid callback foo::__serialize, cannot access private method foo::__serialize() in /var/www/html/test.php on line 22

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-04-09 15:31 UTC] nikic@php.net 
This is a standard warning generated by the internal call mechanism, not by the serialization handling. If we change something here it should probably only be in PHP 8 and for all users of the mechanism.
 [2019-04-09 15:39 UTC] nicolas dot grekas+php at gmail dot com 
Changing that for PHP8 would be great then, yes!
 [2021-08-06 19:10 UTC] cmb@php.net
-Summary: private/protected __serialize/__unserialize triggers a warning +Summary: private/protected __serialize/__unserialize should throw Error -Type: Bug +Type: Feature/Change Request
 [2021-08-06 19:10 UTC] cmb@php.net 
> Changing that for PHP8 would be great then, yes!

Seems to have been forgotten.  Not sure what to do now – postpone
to PHP 9?  How to make sure that we don't forget it?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 26 18:01:31 2024 UTC