PHP7 Filtered Unserialize()

PHP provides a serialize() function that converts an object into a string. PHP 7 adds a security feature to its counterpart by introducing a filtering form of unserialize(), unserialize($data, $options), which controls which classes may be restored. This feature seeks to provide better security when unserializing untrusted data: it reduces the risk of code injection by letting the developer whitelist the classes that may be instantiated during unserialization.

$data = unserialize($serializeObj, ["allowed_classes" => true]);

In the above syntax, the first argument is always the serialized data and is mandatory. If a string is not passed as the first argument, PHP 7 will throw a runtime exception: 'unserialize() expects parameter 1 to be string'. The second argument is optional; when passed, it adds a filter on the classes contained in the serialized data, according to the following values of the allowed_classes option.

  • If the second argument is '["allowed_classes" => true]', unserialize() accepts all classes. This is the default behaviour when the second argument is omitted.
  • If the second argument is '["allowed_classes" => false]', unserialize() converts every object into '__PHP_Incomplete_Class'.
  • If the second argument is '["allowed_classes" => ["MyClass", "MyClass2"]]', unserialize() restores objects only of the listed classes; an object of any other class is converted into '__PHP_Incomplete_Class'.

<?php
class MyClass {
 public $datamem1;
}
class MyClass2 {
 public $datamem2;
}
// Instantiate an object of each class and set its data member
$obj1 = new MyClass();
$obj1->datamem1 = 150;

$obj2 = new MyClass2();
$obj2->datamem2 = 250;

// Serialize both objects to strings
$serializObject1 = serialize($obj1);
$serializObject2 = serialize($obj2);

// Restore the first with all classes allowed (the default behaviour)
$data = unserialize($serializObject1, ["allowed_classes" => true]);
// Restore the second with an explicit whitelist; MyClass2 is on the list, so it is restored intact
$data2 = unserialize($serializObject2, ["allowed_classes" => ["MyClass", "MyClass2"]]);

echo "Result of MyClass data member: " . $data->datamem1;
echo "<br />";
echo "Result of MyClass2 data member: " . $data2->datamem2;
?>

Output:

Result of MyClass data member: 150
Result of MyClass2 data member: 250
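The article's example only shows the allowed case. The following added example (not from the original article; the class names Session and Unexpected and the helper safe_unserialize() are hypothetical) shows the other side of the filter: an object whose class is not in allowed_classes comes back as __PHP_Incomplete_Class and its __wakeup() is never invoked, and a wrapper can detect that and reject the input.

```php
<?php
// Added example, not part of the original article. Class names and the
// helper are hypothetical. Demonstrates the filter's effect at runtime.
class Session {
    public $user;
    public function __wakeup() { echo "Session::__wakeup ran\n"; }
}
class Unexpected {
    public $cmd;
    public function __wakeup() { echo "Unexpected::__wakeup ran\n"; }
}

// Unserialize untrusted input with an explicit whitelist and reject any
// result that was downgraded to __PHP_Incomplete_Class.
function safe_unserialize(string $input, array $allowed) {
    $result = @unserialize($input, ["allowed_classes" => $allowed]);
    // unserialize() returns false on malformed input; "b:0;" is the one
    // legitimate payload that also yields false, so check for it explicitly.
    if ($result === false && $input !== 'b:0;') {
        throw new UnexpectedValueException("malformed serialized data");
    }
    if ($result instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException("class not permitted");
    }
    return $result;
}

$allowed = ["Session"];

// Expected input: a Session object, which passes the filter and whose
// __wakeup() therefore runs.
$s = new Session();
$s->user = "alice";
$ok = safe_unserialize(serialize($s), $allowed);
echo get_class($ok), " for ", $ok->user, "\n";

// Constructed input naming a class outside the whitelist. It is restored
// as __PHP_Incomplete_Class, Unexpected::__wakeup() never runs, and the
// wrapper rejects it.
$u = new Unexpected();
$u->cmd = "anything";
try {
    safe_unserialize(serialize($u), $allowed);
} catch (UnexpectedValueException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The instanceof check only inspects the top-level value; objects nested inside an array would need a recursive walk, or the caller should treat any array result as plain data.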