
PHP Cross Reference of Moodle 1.9.3 [Build 15-Oct-2008]


/lib/pear/HTML/AJAX/Serializer/ -> PHP.php (source)

   1  <?php
   2  // $Id: PHP.php,v 1.1.2.1 2008/10/03 07:09:50 nicolasconnault Exp $
   3  /**
   4   * PHP Serializer
   5   *
   6   * @category   HTML
   7   * @package    AJAX
   8   * @author     Arpad Ray <arpad@php.net>
   9   * @copyright  2005 Arpad Ray
  10   * @license    http://www.opensource.org/licenses/lgpl-license.php  LGPL
  11   * @version    Release: 0.5.6
  12   * @link       http://pear.php.net/package/HTML_AJAX
  13   */
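  /**
   * Serializer that wraps PHP's native serialize()/unserialize() and gates
   * unserialization behind a caller-supplied list of allowed class names.
   *
   * SECURITY: unserialize() instantiates objects and runs their magic methods
   * (__wakeup, __destruct, ...). Even with a class allowlist, the allowed
   * classes are rebuilt with property values chosen by whoever produced the
   * string, so keep the allowlist as small as possible and prefer a data-only
   * format such as JSON for input that comes from untrusted clients.
   */
  class HTML_AJAX_Serializer_PHP
  {
      /**
       * Serializes a value with PHP's native serialize()
       *
       * @param   mixed   $input
       *  the value to serialize
       * @return  string
       *  the native serialized representation
       */
      function serialize($input)
      {
          return serialize($input);
      }

      /**
       * Unserializes the given string
       *
       * Triggers an error if a class is found which is not
       * in the provided array of allowed class names.
       *
       * The class names are first collected by a scan of the raw string and
       * compared with the allowlist, so that a disallowed class is reported
       * and rejected. That scan is a second, simpler parser than the native
       * one and must not be the only barrier: where the runtime supports it
       * (PHP 7.0+), the same allowlist is also handed to the native
       * unserialize() so the parser that actually builds the objects enforces
       * it as well.
       *
       * @param   string  $input
       *  the serialized string to process
       * @param   array   $allowedClasses
       *  an array of class names to check objects against
       *  before instantiation
       * @return  mixed
       *  the unserialized variable on success, or false on
       *  failure. If this method fails it will also trigger
       *  a warning.
       */
      function unserialize($input, $allowedClasses)
      {
          if (version_compare(PHP_VERSION, '4.3.10', '<')
               || (substr(PHP_VERSION, 0, 1) == '5' && version_compare(PHP_VERSION, '5.0.3', '<'))) {
              trigger_error('Unsafe version of PHP for native unserialization');
              return false;
          }

          // Fail closed on a malformed allowlist: on PHP versions where
          // array_diff() only warns about a non-array argument, the check
          // below would otherwise see an empty difference and let every
          // class through.
          if (!is_array($allowedClasses)) {
              $allowedClasses = array();
          }

          $classes = $this->_getSerializedClassNames($input);
          if ($classes === false) {
              trigger_error('Invalidly serialized string');
              return false;
          }

          // Comparison is case-sensitive, so a class name spelled with a
          // different case than the allowlist entry is rejected.
          $diff = array_diff($classes, $allowedClasses);
          if (!empty($diff)) {
              trigger_error('Class(es) not allowed to be serialized');
              return false;
          }

          if (version_compare(PHP_VERSION, '7.0.0', '>=')) {
              // Defence in depth: anything the scan above failed to see is
              // still refused by the native parser, which turns classes
              // outside the list into __PHP_Incomplete_Class placeholders.
              return unserialize($input, array('allowed_classes' => array_values($allowedClasses)));
          }

          // Older runtimes have no native allowlist; the scan is the only
          // check there. NOTE(review): do not feed untrusted input through
          // this path on such runtimes.
          return unserialize($input);
      }

      /**
       * Extract class names from serialized string
       *
       * Adapted from code by Harry Fuecks
       *
       * String tokens (s:LEN:"...";) are skipped first, because their content
       * may legitimately look like object syntax. Every string token is
       * validated against its declared length; a token that does not add up
       * makes the whole input invalid instead of being skipped approximately.
       *
       * @param   string  $string
       *  the serialized string to process
       * @return  mixed
       *  an array of class names found, or false if the input
       *  is invalidly formed
       */
      function _getSerializedClassNames($string)
      {
          $string   = (string) $string;
          $total    = strlen($string);
          $skeleton = '';   // the input with all string tokens removed
          $offset   = 0;

          // Walk forward with an offset instead of rebuilding the string on
          // every pass; the scan always advances, so it terminates on any input.
          while (($pos = strpos($string, 's:', $offset)) !== false) {
              $pos2 = strpos($string, ':', $pos + 2);
              if ($pos2 === false) {
                  // invalidly serialized string
                  return false;
              }

              // The length field is the text between the two colons and must
              // be plain digits; a sign, blank or empty field is rejected
              // rather than coerced to a number.
              $digits = (string) substr($string, $pos + 2, $pos2 - $pos - 2);
              if ($digits === '' || strspn($digits, '0123456789') !== strlen($digits)) {
                  return false;
              }
              $length = (int) $digits;
              if ($length < 0 || $length > $total) {
                  // also keeps the index arithmetic below from overflowing
                  return false;
              }

              // Layout: s:LEN:"<LEN bytes>";  -- $close is the closing quote.
              $close = $pos2 + 2 + $length;
              if ($close + 1 >= $total
                   || $string[$pos2 + 1] !== '"'
                   || $string[$close] !== '"'
                   || $string[$close + 1] !== ';') {
                  return false;
              }

              $skeleton .= substr($string, $offset, $pos - $offset);
              $offset = $close + 2;
          }
          $skeleton .= (string) substr($string, $offset);

          // Pull out the class names. Both the plain object form (O:) and the
          // custom-serialized object form (C:) carry a class name. The length
          // field is matched loosely rather than as plain digits, so the scan
          // does not depend on agreeing with the native parser about how a
          // length may be spelled; a spurious match only makes the check
          // stricter.
          preg_match_all('/[OC]:[^:]*:"([^"]*)"/', $skeleton, $matches);

          // Make sure names are unique (same object serialized twice)
          return array_unique($matches[1]);
      }
  }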
  87  /* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
  88  ?>

