search
HomeBackend DevelopmentPHP TutorialA deep dive into serialization and deserialization in PHP

A deep dive into serialization and deserialization in PHP

Feb 26, 2021 pm 06:11 PM
phpDeserializationSerialization

This article will give you an in-depth analysis of serialization and deserialization in PHP. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to everyone.

A deep dive into serialization and deserialization in PHP

##[Recommended learning: "

PHP Video Tutorial"]

Serialization

Serialization format

In PHP, serialization is used to store or transfer PHP values ​​without losing their type and structure.

The serialization function prototype is as follows:

string serialize ( mixed $value )
First look at the following example:

class CC {
	public $data;
	private $pass;

	public function __construct($data, $pass)
	{
		$this->data = $data;
		$this->pass = $pass;
	}
}
$number = 34;
$str = 'uusama';
$bool = true;
$null = NULL;
$arr = array('a' => 1, 'b' => 2);
$cc = new CC('uu', true);

var_dump(serialize($number));
var_dump(serialize($str));
var_dump(serialize($bool));
var_dump(serialize($null));
var_dump(serialize($arr));
var_dump(serialize($cc));
The output result is:

string(5) "i:34;"
string(13) "s:6:"uusama";"
string(4) "b:1;"
string(2) "N;"
string(30) "a:2:{s:1:"a";i:1;s:1:"b";i:2;}"
string(52) "O:2:"CC":2:{s:4:"data";s:2:"uu";s:8:" CC pass";b:1;}"
So serialization for different types gets The string format is:

  • String : s:size:value;
  • Integer : i:value;
  • Boolean : b:value;(save 1 or 0)
  • Null : N;
  • Array : a:size:{key definition;value definition;(repeated per element)}
  • Object : O:strlen(object name):object name:object size:{s:strlen (property name):property name:property definition;(repeated per property)}

Serialized object

As we can see from the above example When serializing an object, only the property values ​​are saved.

    Will the constants in the object be saved?
  • If it is inheritance, will the variables of the parent class be saved?
class CB {
	public $CB_data = 'cb';
}

class CC extends CB{
	const SECOND = 60;

	public $data;
	private $pass;

	public function __construct($data, $pass)
	{
		$this->data = $data;
		$this->pass = $pass;
	}

	public function setPass($pass)
	{
		$this->pass = $pass;
	}
}
$cc = new CC('uu', true);

var_dump(serialize($cc));
The output result is:

string(75) "O:2:"CC":3:{s:4:"data";s:2:"uu";s:8:" CC pass";b:1;s:7:"CB_data";s:2:"cb";}"
Obviously, when the object is serialized, it will not be saved. The value of the constant. Variables in the parent class will be retained.

Object serialization customization

When serializing an object, we do not need to save some sensitive attributes in the object. How should we deal with this?

When calling the

serialize() function to serialize an object, the function checks whether there is a magic method __sleep() in the class. If present, this method will be called first, and then the serialization operation will be performed. You can customize the serialization behavior by overloading this method. The prototype of this method is as follows:

public array __sleep ( void )
    This method returns an array containing the names of all variables in the object that should be serialized
  • This method does not return anything, then NULL is serialized , and generates an
  • E_NOTICE level error
  • __sleep() cannot return the name of the private member of the parent class. Doing so will generate an E_NOTICE level error. At this time, the Serializable interface can only be used instead.
  • Commonly used for cleaning when saving large objects to avoid saving too much redundant data
Look at the following example:

class User{
	const SITE = 'uusama';

	public $username;
	public $nickname;
	private $password;

	public function __construct($username, $nickname, $password)
	{
		$this->username = $username;
		$this->nickname = $nickname;
		$this->password = $password;
	}

	// 重载序列化调用的方法
	public function __sleep()
	{
		// 返回需要序列化的变量名,过滤掉password变量
		return array('username', 'nickname');
	}
}
$user = new User('uusama', 'uu', '123456');
var_dump(serialize($user));
The return result is as follows, obviously The value of the password field is ignored during serialization.

string(67) "O:4:"User":2:{s:8:"username";s:6:"uusama";s:8:"nickname";s:2:"uu";}"

Serialized object storage

Through the above introduction, we can serialize a copied object or data into a sequence string, and colleagues who save the value also save their structure.

We can save the serialized value and store it in a file or cache. It is not recommended to store it in the database because of the readability problem, and it is not easy to migrate and maintain, and it is not easy to query.

$user = new User('uusama', 'uu', '123456');
$ser = serialize($user);
// 保存在本地
file_put_contents('user.ser', $ser);

Deserialization

Usage method

Through the above explanation, we can serialize the object into a string And save it, so how to restore these serialized strings to their original state? PHP provides the deserialization function:

mixed unserialize ( string $str )

unserialize()The deserialization function is used to convert a single serialized variable back to a PHP value.

    If the passed string cannot be deserialized, FALSE is returned and a
  • E_NOTICE is generated.
  • The value returned is the converted value, which can be
  • integer``float, string, array or object
  • If the variable being deserialized is an object, in After successfully reconstructing the object, PHP will automatically try to call the
  • __wakeup() member function (if it exists)
See the following example:

class User{
	const SITE = 'uusama';

	public $username;
	public $nickname;
	private $password;
	private $order;

	public function __construct($username, $nickname, $password)
	{
		$this->username = $username;
		$this->nickname = $nickname;
		$this->password = $password;
	}

	// 定义反序列化后调用的方法
	public function __wakeup()
	{
		$this->password = $this->username;
	}
}
$user_ser = 'O:4:"User":2:{s:8:"username";s:6:"uusama";s:8:"nickname";s:2:"uu";}';
var_dump(unserialize($user_ser));
The output result is:

object(User)#1 (4) {
  ["username"]=>
  string(6) "uusama"
  ["nickname"]=>
  string(2) "uu"
  ["password":"User":private]=>
  string(6) "uusama"
  ["order":"User":private]=>
  NULL
}
The following conclusion can be drawn:

    ##__wakeup()
  • The function is executed after the object is constructed, so $this->username The value is not emptyWhen deserializing, the variable value will be matched and copied to the serialized object as much as possible
Processing of undefined classes

In the above example, we defined the

User

class in advance before calling the deserialization function unserialize(). What would happen if we did not define it? Woolen cloth? <pre class="brush:php;toolbar:false">$user_ser = 'O:4:&quot;User&quot;:2:{s:8:&quot;username&quot;;s:6:&quot;uusama&quot;;s:8:&quot;nickname&quot;;s:2:&quot;uu&quot;;}'; var_dump(unserialize($user_ser));</pre>In this example, we did not define any

User

class. The deserialization was executed normally and no error was reported. The result obtained is as follows: <pre class="brush:php;toolbar:false">object(__PHP_Incomplete_Class)#1 (3) {   [&quot;__PHP_Incomplete_Class_Name&quot;]=&gt;   string(4) &quot;User&quot;   [&quot;username&quot;]=&gt;   string(6) &quot;uusama&quot;   [&quot;nickname&quot;]=&gt;   string(2) &quot;uu&quot; }</pre>Note before comparison The result of defining the

User

class, the object obtained by deserialization here is __PHP_Incomplete_Class, and the class name of the undefined class is specified. <p>如果这个时候我们去使用这个反序列化后的不明对象,则会抛出<code>E_NOTICE。这么看着不能用也不是办法,那么如何处理呢?有两种方案。

  • 定义__autoload()等函数,指定发现未定义类时加载类的定义文件
  • 可通过 php.ini、ini_set() 或 .htaccess 定义unserialize_callback_func。每次实例化一个未定义类时它都会被调用

以上两种方案的实现如下:

// unserialize_callback_func 从 PHP 4.2.0 起可用
ini_set('unserialize_callback_func', 'mycallback'); // 设置您的回调函数
function mycallback($classname) 
{
   // 只需包含含有类定义的文件
   // $classname 指出需要的是哪一个类
}


// 建议使用下面的函数,代替__autoload()
spl_autoload_register(function ($class_name) {
	// 动态加载未定义类的定义文件
    require_once $class_name . '.php';
});

PHP预定义序列化接口Serializable

还记得上面在将序列化过程中遇到的:无法在__sleep()方法中返回父类对象的问题吗,方法就是实现序列化接口Serializable

该接口的原型如下:

Serializable {
	abstract public string serialize ( void )
	abstract public mixed unserialize ( string $serialized )
}

需要注意的是,如果定义的类实现了Serializable接口,那么序列化和反序列化的时候,PHP就不会再去调用__sleep()方法和__wakeup()方法。

class CB implements Serializable{
	public $CB_data = '';
	private $CB_password = 'ttt';

	public function setCBPassword($password)
	{
		$this->CB_password = $password;
	}

	public function serialize()
	{
		echo __METHOD__ . "\n";
		return serialize($this->CB_password);
	}

	public function unserialize($serialized)
	{
		echo __METHOD__ . "\n";
	}
}

class CC extends CB {
	const SECOND = 60;

	public $data;
	private $pass;

	public function __construct($data, $pass)
	{
		$this->data = $data;
		$this->pass = $pass;
	}

	public function __sleep()
	{
		// 输出调用了该方法名
		echo __METHOD__ . "\n";
	}

	public function __wakeup()
	{
		// 输出调用了该方法名
		echo __METHOD__ . "\n";
	}
}
$cc = new CC('uu', true);
$ser = serialize($cc);
var_dump($ser);
$un_cc = unserialize($ser);
var_dump($un_cc);

运行结果为:

CB::serialize
string(24) "C:2:"CC":10:{s:3:"ttt";}"
CB::unserialize
object(CC)#2 (4) {
  ["data"]=>
  NULL
  ["pass":"CC":private]=>
  NULL
  ["CB_data"]=>
  string(0) ""
  ["CB_password":"CB":private]=>
  string(3) "ttt"
}

可以完全定义serialize()方法,该方法返回的值就是序列化后大括号内的值,只要保证自定义序列化和反序列化的规则一致即可。

题外话

在PHP应用中,序列化和反序列化一般用做缓存,比如session缓存,cookie等。

序列化和反序列化在PHP中用得不算多,在Java语言中用得比较多。其实你有没有发现,这种把一个对象或者数组的变量转化成字符串的方式,json也可以做到。

使用json来实现对象和字符串之间的转换,在PHP中显得更加直观和轻便。而且经过测试,使用json_encode()serialize()方法更加快速,大概快2~3倍。

在我看来,序列化和反序列化是一种传输抽象数据的思想。通过定义序列化和反序列化的规则,我们可以实现将PHP中的对象序列化成字节流,然后传输给别的语言或者系统使用,这在远程调用里面非常的方便。

更多编程相关知识,请访问:编程视频!!

The above is the detailed content of A deep dive into serialization and deserialization in PHP. For more information, please follow other related articles on the PHP Chinese website!

Statement
This article is reproduced at:博客园. If there is any infringement, please contact admin@php.cn delete
What is PDO in PHP?What is PDO in PHP?Apr 28, 2025 pm 04:51 PM

The article discusses PHP Data Objects (PDO), an extension for database access in PHP. It highlights PDO's role in enhancing security through prepared statements and its benefits over MySQLi, including database abstraction and better error handling.

What is Memcache and Memcached in PHP? Is it possible to share a single instance of a Memcache between several projects of PHP?What is Memcache and Memcached in PHP? Is it possible to share a single instance of a Memcache between several projects of PHP?Apr 28, 2025 pm 04:47 PM

Memcache and Memcached are PHP caching systems that speed up web apps by reducing database load. A single instance can be shared among projects with careful key management.

What are the steps to create a new database using MySQL and PHP?What are the steps to create a new database using MySQL and PHP?Apr 28, 2025 pm 04:44 PM

Article discusses steps to create and manage MySQL databases using PHP, focusing on connection, creation, common errors, and security measures.

Does JavaScript interact with PHP?Does JavaScript interact with PHP?Apr 28, 2025 pm 04:43 PM

The article discusses how JavaScript and PHP interact indirectly through HTTP requests due to their different environments. It covers methods for sending data from JavaScript to PHP and highlights security considerations like data validation and prot

How to execute a PHP script from the command line?How to execute a PHP script from the command line?Apr 28, 2025 pm 04:41 PM

The article discusses executing PHP scripts from the command line, including steps, common options, troubleshooting errors, and security considerations.

What is PEAR in PHP?What is PEAR in PHP?Apr 28, 2025 pm 04:38 PM

PEAR is a PHP framework for reusable components, enhancing development with package management, coding standards, and community support.

What are the uses of PHP?What are the uses of PHP?Apr 28, 2025 pm 04:37 PM

PHP is a versatile scripting language used mainly for web development, creating dynamic pages, and can also be utilized for command-line scripting, desktop apps, and API development.

What was the old name of PHP?What was the old name of PHP?Apr 28, 2025 pm 04:36 PM

The article discusses PHP's evolution from "Personal Home Page Tools" in 1995 to "PHP: Hypertext Preprocessor" in 1998, reflecting its expanded use beyond personal websites.

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

WebStorm Mac version

WebStorm Mac version

Useful JavaScript development tools

MantisBT

MantisBT

Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

ZendStudio 13.5.1 Mac

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

PhpStorm Mac version

PhpStorm Mac version

The latest (2018.2.1) professional PHP integrated development tool