php新特性（8）—–PHP 过滤 unserialize()

PHP 过滤 unserialize()

<?php

class A{

public $name = ‘admin_a’;

}

class B{

public $name = ‘admin_b’;

}

$objA = new A();

$objB = new B();

$serializedObjA = serialize($objA);

$serializedObjB = serialize($objB);

//默认行为是接收所有类; 第二个参数可以忽略

$dataA = unserialize($serializedObjA , [“allowed_classes” => true]);

var_dump($dataA);//object(A)#3 (1) { [“name”]=> string(7) “admin_a” }

//如果allowed_classes设置为false,unserialize会将所有对象转换为__PHP_Incomplete_Class对象

$dataA = unserialize($serializedObjA , [“allowed_classes” => false]);

var_dump($dataA);//object(__PHP_Incomplete_Class)#4 (2) { [“__PHP_Incomplete_Class_Name”]=> string(1) “A” [“name”]=> string(7) “admin_a” }

//转换所有对象到 __PHP_Incomplete_Class对象，除了对象”B”

$dataB = unserialize($serializedObjB , [“allowed_classes” => [“B”]]);

var_dump($dataB);//object(B)#3 (1) { [“name”]=> string(7) “admin_b” }

智云一二三科技