<?php
$classNames = array(
"Foo", // userland class
"StdClass", // class defined by php-src, but still not considered as internal
"Bar", // userland class implementing Serializable
"ReflectionClass", // internal class
"ArrayObject", // internal class implementing Serializable
"Baz", // userland class extending internal class implementing Serializable
);
function instanitateWithoutConstructorThroughUnserialize($className) {
$class = new ReflectionClass($className);
return unserialize(
sprintf(
'%s:%d:"%s":0:{}',
(version_compare(PHP_VERSION, '5.4', '>') && $class->implementsInterface("Serializable") ? "C" : "O"),
strlen($className),
$className
)
);
}
function instanitateWithoutConstructorThroughReflection($className) {
try {
$ref = new ReflectionClass($className);
return $ref->newInstanceWithoutConstructor();
} catch (ReflectionException $e) {
return $e;
}
}
class Foo {}
class Bar implements Serializable {
private $data;
public function serialize() {
return serialize($this->data);
}
public function unserialize($data) {
$this->data = unserialize($data);
}
}
class Baz extends ArrayObject {}
foreach($classNames as $className) {
echo "$className\n";
var_dump(instanitateWithoutConstructorThroughUnserialize($className));
if (version_compare(PHP_VERSION, '5.4.0') >= 0) {
var_dump(instanitateWithoutConstructorThroughReflection($className));
}
echo "\n";
}
Deprecated: Bar implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in /in/l0t3c on line 35
Foo
object(Foo)#2 (0) {
}
object(Foo)#1 (0) {
}
StdClass
object(stdClass)#2 (0) {
}
object(stdClass)#1 (0) {
}
Bar
object(Bar)#2 (1) {
["data":"Bar":private]=>
bool(false)
}
object(Bar)#1 (1) {
["data":"Bar":private]=>
NULL
}
ReflectionClass
Fatal error: Uncaught Exception: Unserialization of 'ReflectionClass' is not allowed in /in/l0t3c:14
Stack trace:
#0 /in/l0t3c(14): unserialize('O:15:"Reflectio...')
#1 /in/l0t3c(51): instanitateWithoutConstructorThroughUnserialize('ReflectionClass')
#2 {main}
thrown in /in/l0t3c on line 14
Process exited with code 255.
Output for 8.1.0 - 8.1.27
Deprecated: Bar implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in /in/l0t3c on line 35
Foo
object(Foo)#2 (0) {
}
object(Foo)#1 (0) {
}
StdClass
object(stdClass)#2 (0) {
}
object(stdClass)#1 (0) {
}
Bar
object(Bar)#2 (1) {
["data":"Bar":private]=>
bool(false)
}
object(Bar)#1 (1) {
["data":"Bar":private]=>
NULL
}
ReflectionClass
Fatal error: Uncaught Exception: Unserialization of 'ReflectionClass' is not allowed in /in/l0t3c:19
Stack trace:
#0 /in/l0t3c(19): unserialize('O:15:"Reflectio...')
#1 /in/l0t3c(51): instanitateWithoutConstructorThroughUnserialize('ReflectionClass')
#2 {main}
thrown in /in/l0t3c on line 19
Process exited with code 255.
Output for 7.4.0 - 7.4.33, 8.0.0 - 8.0.30
Foo
object(Foo)#2 (0) {
}
object(Foo)#1 (0) {
}
StdClass
object(stdClass)#2 (0) {
}
object(stdClass)#1 (0) {
}
Bar
object(Bar)#2 (1) {
["data":"Bar":private]=>
bool(false)
}
object(Bar)#1 (1) {
["data":"Bar":private]=>
NULL
}
ReflectionClass
Warning: Erroneous data format for unserializing 'ReflectionClass' in /in/l0t3c on line 19
Notice: unserialize(): Error at offset 26 of 27 bytes in /in/l0t3c on line 19
bool(false)
object(ReflectionClass)#2 (1) {
["name"]=>
string(0) ""
}
ArrayObject
object(ArrayObject)#1 (1) {
["storage":"ArrayObject":private]=>
array(0) {
}
}
object(ArrayObject)#2 (1) {
["storage":"ArrayObject":private]=>
array(0) {
}
}
Baz
object(Baz)#1 (1) {
["storage":"ArrayObject":private]=>
array(0) {
}
}
object(Baz)#2 (1) {
["storage":"ArrayObject":private]=>
array(0) {
}
}