Introduction to PHP deserialization

PHP's unserialize() takes a string produced by serialize() and rebuilds the original PHP value from it; it is the inverse of serialize(). The serialized form preserves scalars, arrays together with their keys (an associative array comes back with the same keys, not renumbered), nested structures and objects. If the string is malformed, unserialize() returns false and emits a notice (a warning from PHP 8.3 onwards). Objects are rebuilt without calling their constructor; instead, the class's __wakeup() (or, from PHP 7.4, __unserialize()) method runs on the newly created object if the class defines one.

Syntax.

serialize() writes values in PHP's own text format, not JSON. Each value is a type letter followed by a length or value and a terminator: i:42; for an integer, d:1.5; for a float, b:1; for true, N; for null, s:4:"Siva"; for a string, a:2:{...} for an array with two elements, and O:4:"demo":1:{...} for an object of class demo with one property. The format covers integers, floats, booleans, null, strings, arrays, objects and back-references to values already written (R: and r:), and it is exactly what unserialize() parses.

<?php
$input = array('', '');
$var = serialize($input);      // the value as a string
$var1 = unserialize($var);     // the string back as a value
// ... further code based on the application's needs ...
?>

The above is the basic pattern for serialize() and unserialize() in PHP: serialize a value, store or transmit the resulting string, then unserialize it. serialize() accepts any value except resources and closures (serializing a Closure throws an Exception); a class can define __sleep() or __serialize() to control which of its properties are written.

How does the unserialize function work in PHP?

  • unserialize() depends on serialize(): whatever serialize() wrote into the string, including array keys and object property names, is what unserialize() reads back. The string is ordinary text, so it can be stored in a file, a database column, a session or a cookie and reconstructed later. The function returns the rebuilt value, or false when the string is malformed; because false is also the legitimate result of unserializing the string "b:0;", compare the input against that string before treating false as an error. None of this is a security mechanism. The serialized string decides which classes are instantiated and which __wakeup() and __destruct() methods run, so passing data from an untrusted source (a cookie, a request parameter, a shared cache) to unserialize() is a well-known object injection vector; the PHP manual says not to do it and recommends json_encode()/json_decode() for exchanging data with untrusted parties. Serialization also does nothing against SQL injection: a serialized string placed in a query still needs a prepared statement.
  • unserialize() takes two arguments: $data, the serialized string, and an optional $options array (PHP 7.0+). The key allowed_classes controls which classes may be instantiated: true (the default) allows any class, false turns every serialized object into a __PHP_Incomplete_Class instance, and an array of class names allows only those classes. max_depth (PHP 7.4+) caps the nesting depth that will be parsed. When a class is allowed, its magic methods run automatically: __wakeup() (or __unserialize() from PHP 7.4) right after the object is built, and __destruct() when the object is released. Note the two leading underscores; a method named _wakeup() with one underscore is an ordinary method that PHP never calls. An incomplete-class object has none of the original class's methods, so neither runs for it.
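
The behaviour described above, as an added example that is not code from the original page: a normal round trip, the false/"b:0;" ambiguity, and a hand-built string that makes unserialize() instantiate a class and run its __wakeup(). The AuditLogger class, its property names and the paths are invented for this demo; the script needs PHP 8 (for the mixed return type).

```php
<?php
// Added example, not code from the original page. It shows the round trip,
// the false/"b:0;" ambiguity, and why the serialized string itself is the
// attack surface. AuditLogger and its property names are invented for this demo.
declare(strict_types=1);

class AuditLogger
{
    public string $logFile = '/tmp/app.log';   // hypothetical path
    public string $message = '';

    // Called automatically, without a constructor, when unserialize()
    // rebuilds an AuditLogger. The data in the string, not the application,
    // decides that this runs.
    public function __wakeup(): void
    {
        echo "__wakeup() ran: would append '{$this->message}' to {$this->logFile}\n";
    }
}

// 1. Normal round trip: keys, nesting and types survive.
$original = ['user' => 'siva', 'roles' => ['editor'], 'active' => true];
$blob = serialize($original);
echo $blob, "\n";
// a:3:{s:4:"user";s:4:"siva";s:5:"roles";a:1:{i:0;s:6:"editor";}s:6:"active";b:1;}
var_dump(unserialize($blob) === $original);   // bool(true)

// 2. false is ambiguous: it is both the error result and the value of "b:0;".
function safeUnserialize(string $data, array $options = []): mixed
{
    $result = @unserialize($data, $options);
    if ($result === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('Malformed serialized data');
    }
    return $result;
}
var_dump(safeUnserialize('b:0;'));            // bool(false), legitimately
try {
    safeUnserialize('a:1:{i:0;s:4:"siva"');   // truncated: missing terminator and brace
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}

// 3. A string the application never produced, typed by hand the way an
//    attacker would type it into a cookie (constructed input). It names a
//    class the code base has.
$crafted = 'O:11:"AuditLogger":2:{s:7:"logFile";s:13:"/tmp/evil.txt";s:7:"message";s:10:"owned-here";}';
$obj = unserialize($crafted);                 // default options: any class allowed
// prints: __wakeup() ran: would append 'owned-here' to /tmp/evil.txt
var_dump($obj instanceof AuditLogger);        // bool(true)

// The same data exchanged as JSON cannot name a class at all.
var_dump(json_decode('{"logFile":"/tmp/evil.txt"}', true));   // a plain array
```

The point of step 3 is that the application never called new AuditLogger(); the class name and property values came entirely from the string. Whether __wakeup() or __destruct() does something harmful depends on what the classes loaded in the process do with their properties, which is why the manual's advice is to keep untrusted data away from unserialize() altogether rather than to audit every class.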

Example of PHP unserialize

Examples of PHP unserialize are given below.

Example # 1

The code.

<?php
$inputs = serialize(array('Siva', 'Raman', 'Sivaraman', 'wdigb', 'dwiugv', '87dhg',
    'wdhgv', 'edhgfv', 'hfe', 'wgieufv', 'ehoije', 'iwuoegf', 'wuieguv', 'jdgv',
    'wqgdjf', 'khwdjgh', 'jdhfdkswi', 'uqiwuke', 'iqweyf', 'oiuqiwleyugu'));
echo $inputs . '<br>';      // the serialized string: a:20:{i:0;s:4:"Siva";...}
$vars = unserialize($inputs);
var_dump($vars);            // the rebuilt array
print_r($vars);             // echo $vars would only print "Array" and raise a notice
?>

The output.

In the first example, serialize() and unserialize() are used in the same script. The array of strings is serialized into a single string and printed with echo; the string begins with a:20:{ because the array has 20 elements, and each element appears as a key/value pair such as i:0;s:4:"Siva";. unserialize() then rebuilds the array into a second variable, which var_dump() displays. echo cannot print an array directly (it prints only the word Array and raises a notice), so arrays are shown with var_dump() or print_r() instead.

Example # 2

The code.

<?php
class demo  { public $vars; }
class demo1 { public $vars1; }
class demo2 extends demo  { public $vars2, $vars3; }
class demo3 extends demo2 { public $vars4; }
class demo4 extends demo3 { public $vars5; }
class demo5 extends demo4 { public $vars6; }
class demo6 extends demo5 { public $vars7; }
class demo7 extends demo6 { public $vars8, $vars9, $vars10; }

$c1 = new demo();
$c1->vars = 1234;
$c3 = new demo2();
$c3->vars2 = "Siva";
$c2 = new demo1();
$c2->vars1 = 2756876;

$d1 = serialize($c1);
$d2 = serialize($c2);
$d5 = serialize($c3);

// allowed_classes => true (the default) lets any class be instantiated
$d3 = unserialize($d1, ["allowed_classes" => true]);
$d6 = unserialize($d5, ["allowed_classes" => true]);
// an array restricts unserialize() to the listed class names
$d4 = unserialize($d2, ["allowed_classes" => ["demo", "demo1"]]);
$d7 = unserialize($d5, ["allowed_classes" => ["demo", "demo1", "demo2"]]);

echo "Welcome To My Domain is: " . $d3->vars . $d6->vars2;
echo "<br />";
echo "Result of demo1 d4 member is: " . $d4->vars1;
echo "<br/>";
echo "Result of demo2 d7 member is: " . $d7->vars2;
?>

The output.

In the second example, the same serialize and unserialize calls are applied to objects. Several classes form a parent-child chain, each declaring its own public properties so that they can be set and read from outside the class. Objects of demo, demo1 and demo2 are created, their properties are assigned, and each object is serialized into its own string; those strings are then deserialized into separate variables. The second argument of unserialize() is the options array: allowed_classes => true (the default) lets any class be instantiated, while an array of class names restricts deserialization to those classes. The serialized demo1 object is accepted because demo1 is in the list ["demo", "demo1"], and the demo2 object because demo2 is in ["demo", "demo1", "demo2"]; a class missing from the list would come back as a __PHP_Incomplete_Class object instead, with none of its methods. Any number of properties can be added to the classes in the same way.
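
As an added example (not code from the original page), the following script extends Example #2's use of allowed_classes to the case that example does not show: a serialized object whose class is not on the list. The demo and demo2 classes mirror the page's classes; SessionCleanup, the unserializeAllowed() helper and the paths are invented for this demo, and the script needs PHP 8.

```php
<?php
// Added example, not from the original page. It extends Example #2's use of
// allowed_classes to the case that example does not show: a serialized
// object whose class is not on the list. demo/demo2 mirror the page's
// classes; SessionCleanup and the paths are invented for this demo.
declare(strict_types=1);

class demo               { public $vars; }
class demo2 extends demo { public $vars2; }

class SessionCleanup
{
    public string $path = '';

    // Runs whenever a SessionCleanup instance is released, including one that
    // exists only because unserialize() built it from a hostile string.
    public function __destruct()
    {
        echo "SessionCleanup::__destruct() for {$this->path}\n";
    }
}

$child = new demo2();
$child->vars = 1;
$child->vars2 = 'Siva';
$blob = serialize($child);   // O:5:"demo2":2:{...}

// The list must contain the concrete class name. Listing only the parent
// does not admit a subclass instance; PHP hands back an incomplete object.
$onlyParent = unserialize($blob, ['allowed_classes' => ['demo']]);
var_dump($onlyParent instanceof demo2);                  // bool(false)
var_dump($onlyParent instanceof __PHP_Incomplete_Class); // bool(true)

$withChild = unserialize($blob, ['allowed_classes' => ['demo2']]);
var_dump($withChild instanceof demo2);                   // bool(true)
echo $withChild->vars2, "\n";                            // Siva

// A hand-built string naming a class with a destructor (constructed input).
$hostile = 'O:14:"SessionCleanup":1:{s:4:"path";s:13:"/tmp/sess_abc";}';

// Default options: the object is created and its destructor fires as soon as
// the temporary value is released, before the application inspects anything.
unserialize($hostile);
// prints: SessionCleanup::__destruct() for /tmp/sess_abc

// An allow-list that omits SessionCleanup: no instance, no destructor. The
// original class's methods are simply not attached to the incomplete object.
$blocked = unserialize($hostile, ['allowed_classes' => ['demo', 'demo2']]);
var_dump(get_class($blocked));   // string(22) "__PHP_Incomplete_Class"

// Reject rather than propagate: an incomplete object at the top level means
// the payload named a class this code path never expected.
function unserializeAllowed(string $data, array $classes): mixed
{
    $value = @unserialize($data, ['allowed_classes' => $classes]);
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('Malformed serialized data');
    }
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('Serialized object of a class that is not allowed');
    }
    return $value;
}

try {
    unserializeAllowed($hostile, ['demo', 'demo2']);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";   // Serialized object of a class that is not allowed
}
```

The helper only inspects the top-level value; an incomplete object nested inside an array would pass through, so either walk the result recursively or, when no objects are expected at all, set allowed_classes to false so that any O: entry is harmless. The allow-list is a mitigation for data the application itself wrote and merely stored somewhere reachable; for data that arrives from outside, the manual's advice still applies and a format such as JSON that cannot name classes is the better choice.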

Example # 3

The code.

<?php
class demo { public $vars; }
$vars1 = new demo();
$vars1->vars = "siva";
$vars2 = serialize($vars1);
echo "Welcome To My Domain<br> '$vars2'";   // O:4:"demo":1:{s:4:"vars";s:4:"siva";}
echo "<br><br>";
$vars3 = unserialize($vars2);
echo "Have a Nice Day <br>";
var_dump($vars3);       // var_dump() prints directly and returns nothing, so it is not echoed
echo "<br> <br>";
echo "Thank you users your net result is shown " . $vars3->vars;
?>

The output.

In the last example, a single object is serialized and deserialized. Its one public property, vars, holds the plain string "siva"; serialize() writes the class name, the property count and each property as a name/value pair, so the string reads O:4:"demo":1:{s:4:"vars";s:4:"siva";}. unserialize() creates a new demo instance (without calling a constructor) and restores the property, which is then printed.

Conclusion

In PHP, serialize() and unserialize() are the built-in way to turn a value into a string and back, which makes it easy to store arrays and objects in files, sessions and databases. They store and retrieve structured data; they do not make that data more secure. Because the serialized string controls which classes are instantiated and which magic methods run, unserialize() should only be applied to strings the application itself produced, with allowed_classes restricted to the classes actually expected, and data from untrusted sources should be exchanged in a format such as JSON instead.