PHP Classes

PHON: Unserialize values exported with var_export

Recommend this page to a friend!
  Info   View files View files (7)   DownloadInstall with Composer Download .zip   Reputation   Support forum (1)   Blog    
Ratings Unique User Downloads Download Rankings
Not enough user ratingsTotal: 248 This week: 1All time: 7,940 This week: 560Up
Version License PHP version Categories
phon 1.0.0GNU Lesser Genera...5.0PHP 5, Data types, Security
Description 

Author

This class can be used to securely unserialize values exported with PHP var_export function.

var_export is a PHP function that can be used to export variable values as text string.

The exported data can be used as an alternative to XML or JSON to pass complex data values between the same or different computers. Thus the name PHP Object Notation: PHON (pronounced like font but silencing the ending "t" sound).

This class can use the eval function to unserialize and restore the original values exported with var_export.

Alternatively, it can also parse the expression and unserialize it securely by disallowing non-constant expressions in the exported values that could be used to run dangerous arbitrary PHP code.

Innovation Award
PHP Programming Innovation award nominee
April 2008
Number 3


Prize: One subscription to the PDF edition of the magazine by PHP Architect
Serializing a variable value is a way to convert any type of variable into a single string that can be stored in a file, a database or sent to another application or another server, in a way that the original variable value can be easily restored.

One easy way convert the value of any variable into a single human-readable string is to use the PHP var_export function. To unserialize a value serialized this way, PHP applications only need to use the eval function.

However, applications must be careful when using the eval function to unserialize values received from untrusted sources. The problem is that serialized values may contain arbitrary PHP code that may allow security abuses that is executed when eval is called.

This class provides a secure solution to unserialized values serialized with var_export. It uses the PHP tokenizer extension to evaluate the serialized value. This way any kind of disallowed type of expression is detected by the class.

Manuel Lemos
Picture of Martin Alterisio
Name: Martin Alterisio <contact>
Classes: 5 packages by
Country: Argentina Argentina
Age: 41
All time rank: 7348 in Argentina Argentina
Week rank: 416 Up3 in Argentina Argentina Up
Innovation award
Innovation award
Nominee: 5x

  Files folder image Files  
File Role Description
Files folder imagephon (5 files)
Accessible without login Plain text file consumer.php Example Consumer example
Accessible without login Plain text file provider.php Example Provider example

  Files folder image Files  /  phon  
File Role Description
  Accessible without login Plain text file phon.lib.php Aux. Main include file for the PHON package.
  Accessible without login Plain text file InvalidPHON.php Class File for the InvalidPHON Exception.
  Accessible without login Plain text file PHONEvaluator.php Class File for the PHONEvaluator class
  Accessible without login Plain text file PHONValidator.php Class File the for PHONValidator class
  Accessible without login Plain text file SecurePHONClass.php Class The file for SecurePHONClass interface

 Version Control Unique User Downloads Download Rankings  
 0%
Total:248
This week:1
All time:7,940
This week:560Up