On Mon, Nov 26, 2018 at 10:28 AM Sebastian Bergmann <sebast...@php.net> wrote:
> The following classes register zend_class_serialize_deny: Closure, COM,
> DOTNET, Generator, HashContext, Reflection, ReflectionClass,
> ReflectionClassConstant, ReflectionExtension, ReflectionException,
> ReflectionFunction, ReflectionFunctionAbstract, ReflectionGenerator,
> ReflectionMethod, ReflectionNamedType, ReflectionObject,
> ReflectionParameter, ReflectionProperty, ReflectionType,
> ReflectionZendExtension, SimpleXmlElement, SplFileInfo, Variant.
>
> Are these all the built-in classes that cannot be serialized?
>
> Would it be possible to implement ReflectionClass::isSerializable() that
> returns false when the class is a) built-in and b) has
> zend_class_serialize_deny registered?

Apart from serialize_deny, a pretty common pattern is throwing __wakeup. See for example CURLFile. We should migrate such cases to serialize_deny though. I think it's pretty weird to explicitly implement __wakeup (signalling that yes, you can be unserialized), and then use it to throw (sorry, I lied).

In any case, what's your motivation here? As long as throwing (un)serialize/__sleep/__wakeup exist, you will not be able to determine whether a class can be (un)serialized a priori. It may even be that a class can only sometimes be serialized. The only reliable way to find out is to actually try it. What prevents you from attempting (un)serialization and catching potentially thrown exceptions?

Nikita
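
The try-and-catch approach suggested in the reply above, as an added example that is not part of the original thread. `probeSerialization()` and the two sample classes are hypothetical names constructed for illustration; they cover a serialize_deny class (Closure), a throwing `__wakeup`, and a class that can only sometimes be serialized.

```php
<?php
// Added example: decide (un)serializability by attempting it and catching what is thrown.
function probeSerialization(object $value): array
{
    try {
        $payload = serialize($value);   // serialize_deny classes and throwing __sleep fail here
    } catch (Throwable $e) {
        return ['serialize' => false, 'unserialize' => false, 'error' => $e->getMessage()];
    }
    try {
        // Only data produced a moment ago is round-tripped; classes are restricted anyway.
        unserialize($payload, ['allowed_classes' => [get_class($value)]]);
    } catch (Throwable $e) {            // a throwing __wakeup fails here
        return ['serialize' => true, 'unserialize' => false, 'error' => $e->getMessage()];
    }
    return ['serialize' => true, 'unserialize' => true, 'error' => null];
}

// Constructed sample: the "throwing __wakeup" pattern mentioned in the reply.
final class ThrowsOnWakeup
{
    public function __wakeup(): void
    {
        throw new LogicException('unserialization of ThrowsOnWakeup is not allowed');
    }
}

// Constructed sample: serializable only while no resource is attached.
final class SometimesSerializable
{
    public $handle;
    public function __construct($handle = null) { $this->handle = $handle; }
    public function __sleep(): array
    {
        if (is_resource($this->handle)) {
            throw new RuntimeException('cannot serialize while a resource is open');
        }
        return ['handle'];
    }
}

$samples = [
    'Closure'                   => function () {},
    'ThrowsOnWakeup'            => new ThrowsOnWakeup(),
    'Sometimes (no resource)'   => new SometimesSerializable(),
    'Sometimes (open resource)' => new SometimesSerializable(fopen('php://memory', 'r')),
];
foreach ($samples as $label => $object) {
    $r = probeSerialization($object);
    printf("%-26s serialize=%-3s unserialize=%-3s %s\n", $label,
        $r['serialize'] ? 'yes' : 'no', $r['unserialize'] ? 'yes' : 'no', $r['error'] ?? '');
}
```

The result describes only the instance that was probed, in the state it was in at that moment; the two `SometimesSerializable` rows differ for the same class.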