On 26.11.2018 at 12:20, Nikita Popov wrote:
Apart from serialize_deny, a pretty common pattern is throwing __wakeup.
See for example CURLFile.

We should migrate such cases to serialize_deny though. I think it's pretty
weird to explicitly implement __wakeup (signalling that yes, you can be
unserialized), and then use it to throw (sorry, I lied).

In any case, what's your motivation here? As long as throwing
(un)serialize/__sleep/__wakeup exist, you will not be able to determine
whether a class can be (un)serialized a priori. It may even be that a class
can only sometimes be serialized. The only reliable way to find out is to
actually try it. What prevents you from attempting (un)serialization and
catching potentially thrown exceptions?

If I can rely on classes to throw an exception when serialize() is performed (be it through zend_class_serialize_deny or in __sleep()), then yes, I can just try it.

I, too, think that classes that currently throw in __sleep() should be migrated to use zend_class_serialize_deny.

Only if all classes that cannot be serialized use zend_class_serialize_deny would it make sense to expose that information through the Reflection API.
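The two userland patterns under discussion, and the "just try it and catch" approach Nikita suggests, as an added illustration (this is example code written for this page, not code from the thread or from php-src). The classes `FileHandle` and `Session` and the helpers `trySerialize()`/`tryUnserialize()` are hypothetical names; the snippet assumes PHP 8.0 or later. It models a class that refuses (un)serialization by throwing from `__sleep()`/`__wakeup()` (the userland analogue of what CURLFile does; the internal `zend_class_serialize_deny` flag has no userland equivalent), a class that can only sometimes be serialized depending on its state, and a probe that attempts the operation and catches the exception, since that is the only check that works for both kinds:

```php
<?php
declare(strict_types=1);

// Hypothetical class wrapping a resource: a resource cannot be meaningfully
// serialized, so refuse explicitly instead of emitting a broken representation.
final class FileHandle
{
    /** @var resource */
    private $fh;

    public function __construct(string $path)
    {
        $fh = fopen($path, 'rb');
        if ($fh === false) {
            throw new RuntimeException("cannot open $path");
        }
        $this->fh = $fh;
    }

    // Refuse serialization.
    public function __sleep(): array
    {
        throw new Exception('Serialization of FileHandle is not allowed');
    }

    // Refuse re-creation from a serialized string as well; note that the
    // object has already been allocated by the time this runs.
    public function __wakeup(): void
    {
        throw new Exception('Unserialization of FileHandle is not allowed');
    }
}

// Hypothetical class that can only *sometimes* be serialized: once locked,
// __sleep() throws, so no static inspection can answer "is it serializable?".
final class Session
{
    public function __construct(public array $data = [], private bool $locked = false) {}

    public function lock(): void
    {
        $this->locked = true;
    }

    public function __sleep(): array
    {
        if ($this->locked) {
            throw new Exception('a locked Session cannot be serialized');
        }
        return ['data'];
    }
}

// The only reliable check: attempt it and catch. Returns the serialized
// string, or null if the object refused serialization.
function trySerialize(object $obj): ?string
{
    try {
        return serialize($obj);
    } catch (Throwable $e) {
        return null;
    }
}

// Counterpart for unserialize(). allowed_classes restricts which classes may be
// instantiated at all; anything else comes back as __PHP_Incomplete_Class.
function tryUnserialize(string $payload, array $allowedClasses): ?object
{
    try {
        $result = @unserialize($payload, ['allowed_classes' => $allowedClasses]);
        if ($result === false || $result instanceof __PHP_Incomplete_Class) {
            return null;
        }
        return is_object($result) ? $result : null;
    } catch (Throwable $e) {
        return null;
    }
}

// Usage: the same Session object is serializable before lock() and not after.
$session = new Session(['user' => 'alice']);
$before = trySerialize($session);
$session->lock();
$after = trySerialize($session);
printf("Session: before lock %s, after lock %s\n",
    $before !== null ? 'serialized' : 'refused',
    $after !== null ? 'serialized' : 'refused');

// FileHandle always refuses, and its serialized form cannot be obtained at all.
$handle = new FileHandle(__FILE__);
printf("FileHandle: %s\n", trySerialize($handle) === null ? 'refused' : 'serialized');

// Round-trip the unlocked Session payload, permitting only that class.
$restored = $before !== null ? tryUnserialize($before, [Session::class]) : null;
printf("Session round-trip: %s\n", $restored instanceof Session ? 'ok' : 'failed');
```

The `allowed_classes` option in `tryUnserialize()` is the defensive half of the picture: even when a class does throw from `__wakeup()`, the object has already been instantiated, so restricting which classes `unserialize()` may create in the first place is the stronger control on untrusted input.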

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php