> On 27 Oct 2014, at 20:38, Andrea Faulds <a...@ajf.me> wrote:
>
>
>> On 27 Oct 2014, at 08:03, Stas Malyshev <smalys...@sugarcrm.com> wrote:
>>
>> I'd like to have a vote on unserialize() improvement proposal outlined here:
>> https://wiki.php.net/rfc/secure_unserialize
>
> Suggestion on improving the API: Why bother with three values?
>
> If there’s no parameter, use current behaviour. If there’s an array, it’s
> allowed classes. If that array is empty, obviously there are no allowed
> classes.

For example:

// this will unserialize everything as before
$data = unserialize($foo);

// this will convert all objects into __PHP_Incomplete_Class object
$data = unserialize($foo, []);

// this will convert all objects except ones of MyClass and MyClass2 into __PHP_Incomplete_Class object
$data = unserialize($foo, ["MyClass", "MyClass2"]);

--
Andrea Faulds
http://ajf.me/
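
Added example, not part of the message above or of the RFC text: the three cases from the message, written against the options-array form that unserialize() accepts since PHP 7.0 (the `allowed_classes` key), which differs from the bare-array second argument suggested in the message. The classes AuditLog and Profile and the helper classesSeen() are constructed for illustration.

```php
<?php
// Constructed classes for illustration; neither comes from the thread.
class AuditLog
{
    public $path = '/tmp/app.log';

    // Magic method that runs as a side effect of unserializing a real AuditLog.
    public function __wakeup()
    {
        echo "AuditLog::__wakeup ran\n";
    }
}

class Profile
{
    public $name = 'guest';
}

// Constructed input: an array holding one object of each class.
$payload = serialize([new Profile(), new AuditLog()]);

// Report the class of every top-level element after unserializing.
function classesSeen(array $items): array
{
    $out = [];
    foreach ($items as $item) {
        $out[] = is_object($item) ? get_class($item) : gettype($item);
    }
    return $out;
}

// Case 1: no second argument, current behaviour. Both classes are
// instantiated and AuditLog::__wakeup() is invoked.
print_r(classesSeen(unserialize($payload)));

// Case 2: no classes allowed. Every object becomes __PHP_Incomplete_Class,
// so no __wakeup() from the serialized classes is invoked.
print_r(classesSeen(unserialize($payload, ['allowed_classes' => false])));

// Case 3: allow-list. Profile is restored; AuditLog is not on the list and
// becomes __PHP_Incomplete_Class without its __wakeup() being called.
print_r(classesSeen(unserialize($payload, ['allowed_classes' => ['Profile']])));
```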