php新特性(8)-----PHP 过滤 unserialize()
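PHP 过滤 unserialize():unserialize() 的第二个参数可以通过 allowed_classes 选项限制允许被还原为对象的类;处理不可信的序列化数据时,应显式传入 false 或一个类名白名单,而不要依赖默认行为。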
<?php
/**
 * Demo class "A", used to show how unserialize() treats a class
 * depending on the allowed_classes option.
 */
class A
{
    /** @var string Marker value that appears in the serialized payload. */
    public $name = 'admin_a';
}
/**
 * Demo class "B", the one class that the allow-list example
 * (allowed_classes => ["B"]) lets unserialize() instantiate.
 */
class B
{
    /** @var string Marker value that appears in the serialized payload. */
    public $name = 'admin_b';
}
// Create one instance of each demo class and keep its serialized form.
$instanceA = new A();
$instanceB = new B();
$payloadA = serialize($instanceA);
$payloadB = serialize($instanceB);

// Case 1: allowed_classes => true. This is the default behaviour (every class
// is accepted), so the second argument could be omitted here.
// NOTE(review): with this setting the payload decides which classes get
// instantiated, so it is only appropriate for data the application itself
// produced and stored with integrity protection, never for request input.
$acceptAll = ['allowed_classes' => true];
$resultA = unserialize($payloadA, $acceptAll);
var_dump($resultA);//object(A)#3 (1) { ["name"]=> string(7) "admin_a" }

// Case 2: allowed_classes => false. Every object in the payload is turned
// into a __PHP_Incomplete_Class object instead of an instance of its class.
// $resultA is deliberately reused: the object handle numbers (#3, #4, #3)
// in the expected output depend on that allocation order.
$acceptNone = ['allowed_classes' => false];
$resultA = unserialize($payloadA, $acceptNone);
var_dump($resultA);//object(__PHP_Incomplete_Class)#4 (2) { ["__PHP_Incomplete_Class_Name"]=> string(1) "A" ["name"]=> string(7) "admin_a" }

// Case 3: an allow-list. Every object becomes __PHP_Incomplete_Class except
// instances of the listed class "B".
// NOTE(review): the allow-list limits which classes are instantiated; it does
// not validate the property values inside an allowed object, so keep the list
// to simple data classes and validate the result. For untrusted data a format
// without object support (e.g. JSON) is the safer choice.
$acceptOnlyB = ['allowed_classes' => ['B']];
$resultB = unserialize($payloadB, $acceptOnlyB);
var_dump($resultB);//object(B)#3 (1) { ["name"]=> string(7) "admin_b" }