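<?php
// Reproducer: DatePeriod does not survive a serialize()/unserialize() round trip on
// the affected PHP build. The serialized form carries no state (see $ser below) and
// iterating the rebuilt object crashes the interpreter.
//
// Security note (review): the only input to unserialize() here is a string this same
// script just produced, which is the ONLY kind of input it should ever see. Feeding it
// data from a request, cookie, cache entry or queue lets the sender choose which
// classes get instantiated (PHP object injection), and, as this script shows, even a
// built-in class may come back in an invalid state the engine does not tolerate.
// For untrusted data use json_decode(); where unserialize() is unavoidable, on
// PHP >= 7.0 pass unserialize($s, ['allowed_classes' => [...]]). That option is not
// used here only so the reproducer still runs on the affected 5.x builds.
//
// The commented-out phpinfo() call was removed: it was dead code, and phpinfo()
// dumps the full server configuration, which must never be left in a script that
// can reach a deployed environment.

$dp = new DatePeriod(new DateTime('2010-01-01 UTC'), new DateInterval('P1D'), 2);
echo "Original:\r\n";
foreach ($dp as $dt) {
    echo $dt->format('Y-m-d H:i:s') . "\r\n";
}
echo "\r\n";

// On the affected build $ser is: O:10:"DatePeriod":0:{} -- an object with no properties,
// i.e. the start date, interval and recurrence count are all lost.
$ser = serialize($dp);

// unserialize() returns false on malformed input and may hand back an object of a
// class other than the one expected; check both before using the result.
$dpu = unserialize($ser);
if (!($dpu instanceof DatePeriod)) {
    fwrite(STDERR, "unserialize() did not return a DatePeriod\r\n");
    exit(1);
}

echo "Unserialized:\r\n";
// On the affected build the rebuilt object passes the class check above but its
// internal state is invalid, and this loop crashes the process.
foreach ($dpu as $dt) {
    echo $dt->format('Y-m-d H:i:s') . "\r\n";
}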