PHON: Unserialize values exported with var_export

Recommend this page to a friend!

Download .zip

Info

View files (7)

Download .zip

Reputation

Support forum (1)

Blog

Links

Last Updated		Ratings				Unique User Downloads		Download Rankings
2008-04-20 (8 years ago)		Not yet rated by the users				Total: 241		All time: 7,474 This week: 916

Version		License		PHP version		Categories
`phon` 1.0.0		GNU Lesser Genera...		5.0		PHP 5, Data types, Security

Description Author

This class can be used to securely unserialize values exported with PHP var_export function.

var_export is a PHP function that can be used to export variable values as text string.

The exported data can be used as an alternative to XML or JSON to pass complex data values between the same or different computers. Thus the name PHP Object Notation: PHON (pronounced like font but silencing the ending "t" sound).

This class can use the eval function to unserialize and restore the original values exported with var_export.

Alternatively, it can also parse the expression and unserialize it securely by disallowing non-constant expressions in the exported values that could be used to run dangerous arbitrary PHP code.

Innovation Award

April 2008
Number 3

Prize: One subscription to the PDF edition of the magazine by PHP Architect

Serializing a variable value is a way to convert any type of variable into a single string that can be stored in a file, a database or sent to another application or another server, in a way that the original variable value can be easily restored.

One easy way convert the value of any variable into a single human-readable string is to use the PHP var_export function. To unserialize a value serialized this way, PHP applications only need to use the eval function.

However, applications must be careful when using the eval function to unserialize values received from untrusted sources. The problem is that serialized values may contain arbitrary PHP code that may allow security abuses that is executed when eval is called.

This class provides a secure solution to unserialized values serialized with var_export. It uses the PHP tokenizer extension to evaluate the serialized value. This way any kind of disallowed type of expression is detected by the class.

Manuel Lemos

Martin Alterisio

Name:	Martin Alterisio `<contact>`
Classes:	5 packages by Martin Alterisio
Country:	Argentina

Innovation award

Nominee: 5x

Files

File	Role	Description
`phon` (5 files)
`consumer.php`	Example	Consumer example
`provider.php`	Example	Provider example

Files

phon

File	Role	Description
`phon.lib.php`	Aux.	Main include file for the PHON package.
`InvalidPHON.php`	Class	File for the InvalidPHON Exception.
`PHONEvaluator.php`	Class	File for the PHONEvaluator class
`PHONValidator.php`	Class	File the for PHONValidator class
`SecurePHONClass.php`	Class	The file for SecurePHONClass interface

	phon-2008-04-20.zip 3KB
	phon-2008-04-20.tar.gz 2KB
	Install with Composer

Version Control

Unique User Downloads

Download Rankings

Total:	241
This week:	0

All time:	7,474
This week:	916

Applications that use this package

No pages of applications that use this class were specified.

If you know an application of this package, send a message to the author to add a link here.

Pages that reference this package


PHON: la misma idea que JSON pero para PHP Me valió un tercer puesto en los innovation awards de phpclasses...

Latest pages that reference packages

Advertise on this site

For more information send a message to info at phpclasses dot org.