> -----Original Message-----
> From: Nikita Popov [mailto:nikita....@gmail.com]
> Sent: Friday, April 21, 2017 12:39 PM
> To: PHP internals <internals@lists.php.net>
> Subject: [PHP-DEV] A replacement for the Serializable interface
> 
> Hi internals,
> 
> I'd like to propose the addition of a new mechanism which essentially works the
> same way as Serializable, but uses arrays instead of strings and does not share
> context. I'm not sure about the naming (RealSerializable, anyone?), so I'll just go
> with magic methods __serialize() and __unserialize() for now:
> 
>     public function __serialize() : array;
>     public function __unserialize(array $data) : void;

I think this is a very interesting idea that's definitely worth exploring.
One thing I think is worth doing is reviewing some of the countless issues 
we've had with unserialize() over the last year, and try to estimate how many 
of those would not be relevant with this new approach (which you may have 
already done).  If most of them become irrelevant then this is probably the 
right direction to go towards.  Would you go as far as saying that you think 
that would be safe to run on untrusted input?

> Thoughts?

Generally, thumbs up from me.

Thanks!

Zeev
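As an added example, not part of the thread or of any PHP source: a class using the two proposed magic methods, with the structural validation that __unserialize() would still have to do on its array argument (the class, property names and sample data are constructed; the method signatures are the ones in the proposal, which PHP 7.4 later adopted).

```php
<?php
// Added example, not from the thread. Session is a constructed class; the
// __serialize()/__unserialize() signatures follow the proposal above.

final class Session
{
    private $user;
    private $roles;

    public function __construct(string $user, array $roles)
    {
        $this->user = $user;
        $this->roles = $roles;
    }

    // The engine serializes the returned array itself: no nested serialize()
    // call and no hand-built string format that has to be parsed back later.
    public function __serialize(): array
    {
        return ['user' => $this->user, 'roles' => $this->roles];
    }

    // The engine hands back a plain array that was parsed in the same pass and
    // with the same context as the enclosing payload, so there is no second
    // unserialize() call here. Validating the shape of the data is still the
    // class's job; an attacker-controlled payload can put anything in it.
    public function __unserialize(array $data): void
    {
        if (!isset($data['user'], $data['roles'])
            || !is_string($data['user']) || !is_array($data['roles'])) {
            throw new UnexpectedValueException('malformed Session payload');
        }
        foreach ($data['roles'] as $role) {
            if (!is_string($role)) {
                throw new UnexpectedValueException('malformed role entry');
            }
        }
        $this->user  = $data['user'];
        $this->roles = array_values($data['roles']);
    }

    public function roles(): array
    {
        return $this->roles;
    }
}

$payload = serialize(new Session('alice', ['admin', 'editor']));
// Restricting instantiable classes is an independent, existing defence that
// still applies on top of the array-based hooks.
$copy = unserialize($payload, ['allowed_classes' => [Session::class]]);
var_dump($copy->roles());
```

The contrast with Serializable is that its unserialize(string $serialized) receives a raw string and typically calls unserialize() on it, creating a second parser whose object references and class checks are separate from the outer pass; that nesting is what the array-based hooks remove.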
