lyte/serial
Composer 安装命令:
composer require lyte/serial
包简介
A safe unserializer for PHP serialized arrays and scalar types.
README 文档
README
PHP Serialized string array and scalar unserialization using pure PHP.
Runtime PHP 7.3+ (aligned with PHPUnit 9 for development). The composer.lock is resolved for PHP 7.3 via config.platform so installs stay consistent on older runtimes.
Usage
Install with composer:
composer require lyte/serial
Serial
Serial is a simplified interface that attempts to work well in a legacy code
base.
Load the namespace:
use Lyte\Serial\Serial; // unserialize statically $unserialized = Serial::unserialize($someSerializedString); // or with an instance $serial = new Serial; $unserialized = $serial->unserialize($someSerializedString); // check if a string appears to be serialized if (Serial::isSerialized($someUnknownString)) { $unserialized = Serial::unserialize($someUnknownString); } // or rely on exceptions try { $unserialized = Serial::unserialize($someUnknownString); } catch (\Exception $e) { // ... }
Unserializer
Unserializer is the internal work horse.
use Lyte\Serial\Unserializer; $serial = new Unserializer($someSerializedString); $unserialized = $serial->unserialize();
Wrong s: byte lengths (nested payloads)
If a string declares s:N: but the next " is not exactly N bytes later (common when counts used UTF-8 lengths, wrong newlines, or copy-paste errors), strict parsing fails. Enable inference and optional wire repair:
$u = new Unserializer($blob, ['repairLengths' => true]); $data = $u->unserialize(); // $u->lengthIssues lists declared vs actual lengths and digit span offsets list($fixedBlob, $issues) = Unserializer::repairSerializedString($blob); // or Serial::repairSerializedString($blob)
repairLengths is read with filter_var(..., FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) and must coerce to strict true (e.g. true, 1, "1", "true", "on", "yes"). Values such as false, 0, "0", "false", "no", "", null, or unset leave repair off (so string "false" from env/JSON does not accidentally enable it).
For values that look like nested PHP serialization (a:…, s:…, etc.), the actual length is derived by parsing one full value. For other strings, repair uses the first "; sequence with no " inside the payload (unsafe for arbitrary binary that may contain those bytes).
Why?
The standard serialize() and unserialize() calls in PHP are known to be unsafe even if you use the $allowed_classes filter in PHP 7 (there are memory corruption bugs).
The standard answer to this is "use JSON" but some applications were using PHP serialized strings for internal storage long before JSON was a thing (well... popular).
In this case it may be useful to have a safer parser that rejects anything that's not an array or scalar type (i.e what you could safely store in JSON) as a middle ground to harden a code base without having to immediately switch out the underlying storage format.
Note: I'm not advocating letting any strings be unserialized that can in anyway be modified by a user, just that if you use a safer parser and someone compromises some other part of your application this might at least slow them down.
Why can't I use $allowed_classes?
PHP 7 added the $allowed_classes option to the unserialize() function.
In theory you could just set this to null (or a safe set of classes), but unfortunately there's memory corruption bugs meaning if you rely on that behaviour, you are vulnerable.
lyte/serial 适用场景与选型建议
lyte/serial 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 29.43k 次下载、GitHub Stars 达 1, 最近一次更新时间为 2017 年 06 月 10 日, 在 PHP 生态内属于活跃度较高的组件。
我们在过去多个企业项目中使用过 lyte/serial 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 lyte/serial 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
统计信息
- 总下载量: 29.43k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 1
- 点击次数: 8
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2017-06-10