Detailed explanation of PHP serialization and deserialization principles

This article shares with you the relevant knowledge of PHP serialization and deserialization principles in the PHP deserialization vulnerability series. Friends who need this can refer to it.

0. Preface

The serialization and deserialization functions of objects will not be described in detail. The result of serialization in PHP is a PHP-customized string format. , somewhat similar to json.

We need to solve several problems when designing the serialization and deserialization of objects in any language

After serializing an object, the serialization result is Self-describing function (knowing the specific type of this object from the serialization result,

Knowing the type is not enough, of course you also need to know the specific value corresponding to this type).

Permission control during serialization, you can customize serialization fields, etc., for example, it is very convenient to do it in golang.

Time performance issues: In some performance-sensitive scenarios , object serialization cannot be a hindrance, for example: high-performance services (I often use protobuf to serialize).

Space performance issues: The result after serialization cannot be too long, such as an int in memory Object, after serialization, the data length becomes 10 times the length of int, then there is a problem with this serialization algorithm.

This article only explains the serialization and deserialization in PHP from the perspective of PHP code process. Remember that serialization and deserialization only operate on object data. Anyone with experience in object-oriented development should easily understand this.

1. Serialize and Deserialization method unserialize

php natively provides object serialization function, unlike c...^_^. It is also very simple to use, just two interfaces.

class fobnn
{
 public $hack_id;
 private $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  echo $this->hack_name.PHP_EOL;
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj); //通过serialize接口序列化
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);//通过unserialize反序列化
$toobj->print();

fobnn
O:5:"fobnn":2:{s:7:"hack_id";i:1;s:16:"fobnnhack_name";s:5:"fobnn";}
fobnn

See the second line of output, this string is the result of serialization, this structure is actually very easy After reading it, you can find that it is mapped through object name/member name. Of course, the tag names after serialization of members with different access rights are slightly different.

According to the three questions I mentioned above, then we You can take a look at

1. Self-describing function

O:5:"fobnn":2 where o represents the object type, and the type name is fobnn, using this format, what follows The 2 indicates that there are two member objects.

Regarding the member objects, it is actually the same set of sub-descriptions. This is a recursive definition.

The function of self-description is mainly to record objects through strings and the names of members to achieve.

2. Performance issues

The time performance of PHP serialization will not be analyzed in this article. See the details later, but the serialization results are actually similar to those defined by json/bson The protocol has a protocol header. The protocol header describes the type, and the protocol body describes the value corresponding to the type. The serialization result will not be compressed.

2. Magic in deserialization Method

corresponds to the second problem mentioned above. In fact, there are also solutions in PHP. One is through magic method, and the second is through custom serialization function. Let’s introduce it first. The magic methods __sleep and __wakeup

class fobnn
{
 public $hack_id;
 private $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  echo $this->hack_name.PHP_EOL;
 }
 public function __sleep()
 {
  return array("hack_name");
 }
 public function __wakeup()
 {
  $this->hack_name = 'haha';
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj);
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);
$toobj->print();

fobnn
O:5:"fobnn":1:{s:16:"fobnnhack_name";s:5:"fobnn";}
haha

will call __sleep first before serialization and return is an array of member names that need to be serialized. Through this, we can control the data that needs to be serialized. In the case, I only returned hack_name. You can see that only the hack_name member is serialized in the result.

In After the serialization is completed, __wakeup will be used. Here we can do some follow-up work, such as reconnecting to the database.

3. Customize the Serializable interface

interface Serializable {
abstract public string serialize ( void )
abstract public void unserialize ( string $serialized )
}

Through this interface we can customize the behavior of serialization and deserialization. This function can mainly be used to customize our serialization format.

class fobnn implements Serializable
{
 public $hack_id;
 private $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  echo $this->hack_name.PHP_EOL;
 }

 public function __sleep()
 {
  return array('hack_name');
 }

 public function __wakeup()
 {
  $this->hack_name = 'haha';
 }

 public function serialize()
 {
  return json_encode(array('id' => $this->hack_id ,'name'=>$this->hack_name ));
 }

 public function unserialize($var)
 {
  $array = json_decode($var,true);
  $this->hack_name = $array['name'];
  $this->hack_id = $array['id'];
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj);
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);
$toobj->print();

fobnn
C:5:"fobnn":23:{{"id":1,"name":"fobnn"}}
fobnn

When a custom serialization interface is used, our magic method is useless.

4.PHP dynamic type and PHP deserialization

Since the self-describing function mentioned above, the type of object is saved in the serialization result, and PHP is dynamic Type language, then we can do a simple experiment.

class fobnn
{
 public $hack_id;
 public $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  var_dump($this->hack_name);
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj);
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);
$toobj->print();
$toobj2 = unserialize("O:5:\"fobnn\":2:{s:7:\"hack_id\";i:1;s:9:\"hack_name\";i:12345;}");
$toobj2->print();

We modify the deserialization result of hack_name to int type, i:12345

string(5) "fobnn"
O:5:"fobnn":2:{s:7:"hack_id";i:1;s:9:"hack_name";s:5:"fobnn";}
string(5) "fobnn"
int(12345)

It can be found that the object was successfully serialized back! And it can work normally!. Of course, this mechanism of PHP provides flexible and changeable syntax, but it also introduces Security risks. We will continue to analyze the security issues caused by the serialization and deserialization features of PHP.

The above is all the knowledge we have compiled about the principles of PHP serialization and deserialization. Thank you for your understanding of PHP Chinese website support.

Articles you may be interested in:

Explanation of the code implementation process for the WeChat code scanning login function based on Swoole

Detailed explanation of hello word implementation method for PHP7 extension development

Detailed explanation of the method of using lib library based on function method for PHP extension development

The above is the detailed content of Detailed explanation of PHP serialization and deserialization principles. For more information, please follow other related articles on the PHP Chinese website!