PHP Deserialization
serialize(); turns an object into a string
unserialize(); turns the string back into an object
Serialization
- converts an object into a string
- convenient for transport and storage
Create a class and an object (serialization)
<?php
class Stu{
    public $name;
    public $age;
    public $sex;
    public $score;
}
$stu1 = new Stu();
$stu1->name = "z99";
$stu1->age = 18;
$stu1->sex = true;
var_dump($stu1);           // the original object
print("<br>");
$a = serialize($stu1);     // object -> string, e.g. O:3:"Stu":4:{...}
echo $a;
print("<br>");
$b = unserialize($a);      // string -> a new Stu object with the same properties
var_dump($b);
?>
Deserialization
Converts the string back into an object. While rebuilding the object, unserialize() also invokes magic methods defined on the class, such as __wakeup(), which is what the next example relies on.
<?php
class Stu{
    public $name;
    public $age;
    public $sex;
    public $score;
    // __wakeup() runs automatically every time a Stu object is unserialized
    public function __wakeup(){
        if(@$_GET['cmd']=="z99"){
            system("calc");    // deliberately dangerous: executes a command
        }
    }
}
$stu1 = new Stu();
$stu1->name = "z99";
$stu1->age = 18;
$stu1->sex = true;
$stu2 = @serialize($stu1);
unserialize($stu2);        // triggers __wakeup()
?>
On a normal request there is no output.
When cmd=z99 is supplied, the calculator pops up.
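The two snippets above show why unserialize() must never be fed untrusted input: any class available in the script can be instantiated and its __wakeup() executed. The following is an added example, not code from the original post, showing the defensive side. It reuses the Stu class name from above; the secret key and the sample payload are constructed placeholders, and the helper functions (unserializeNoObjects, containsIncompleteClass, encodeSigned, decodeSigned) are names chosen here for illustration. It needs PHP 7.0 or later for the allowed_classes option.

```php
<?php
// Added example: safe handling of serialized data (not from the original post).
class Stu {
    public $name;
    public $age;
    public $sex;
    public $score;
    public function __wakeup() {
        // In the vulnerable demo this reaches system(); here it only reports
        // that it ran, so we can observe that it is never invoked below.
        echo "Stu::__wakeup() ran\n";
    }
}

// 1. Refuse to instantiate any class while unserializing (PHP >= 7.0).
//    Objects in the input become __PHP_Incomplete_Class, whose magic methods never run.
function unserializeNoObjects(string $data) {
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== serialize(false)) {
        return null; // malformed input
    }
    return $value;
}

// 2. Reject input that still carries an object shell, even nested inside arrays.
function containsIncompleteClass($value): bool {
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

// 3. Preferred: do not use unserialize() on client-supplied data at all.
//    Carry plain data as JSON and authenticate it with an HMAC so a client
//    cannot alter it without the server-side key.
const DEMO_KEY = 'replace-with-a-random-secret'; // constructed placeholder

function encodeSigned(array $data): string {
    $json = json_encode($data);
    $mac  = hash_hmac('sha256', $json, DEMO_KEY);
    return base64_encode($json) . '.' . $mac;
}

function decodeSigned(string $token): ?array {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $json, DEMO_KEY);
    if (!hash_equals($expected, $parts[1])) {
        return null; // tampered or wrong key
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Demo: a serialized Stu object, as it could arrive in a request parameter.
$s = new Stu();
$s->name = 'z99';
$payload = serialize($s);

$obj = unserializeNoObjects($payload);
var_dump(get_class($obj));               // string(22) "__PHP_Incomplete_Class"; __wakeup() did not run
var_dump(containsIncompleteClass($obj)); // bool(true) -> reject the request

$token = encodeSigned(['name' => 'z99', 'age' => 18]);
var_dump(decodeSigned($token));          // the array back
var_dump(decodeSigned($token . 'x'));    // NULL (HMAC mismatch)
```

With allowed_classes set to false the Stu::__wakeup() line above is never printed, because no Stu object is created at all; checking for __PHP_Incomplete_Class afterwards lets the server reject such input outright rather than silently working with a hollow object. The JSON plus HMAC variant avoids the object graph entirely, which is the usual recommendation when the data only needs to round-trip through the client.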