Hi!
> And what about automatic un/serialize() of objects in $_SESSION?
> People don't even see those function calls in their code, so dropping
> the function/ality would be a wildly drastic move.
Nothing about it, the change is for unserialize() function.
> tread gently, as in your suggestion of
> This is not a good situation, and presently there is no way to
> avoid it except dropping serialize() completely - which may not be
> an option in some cases and in any case would require serious
> changes to the production code.
And what about automatic un/serialize() of objects in $_SESSION?
On Sat, Mar 30, 2013 at 8:31 PM, Stas Malyshev wrote:
> Hi!
>
> We currently have around 40 RFCs on the wiki under "Under Discussion"
> section, but many of them aren't actually being discussed and haven't
> been for a long time. This makes the issues that are actively
> discussed/worked on hard to
Hi!
We currently have around 40 RFCs on the wiki under "Under Discussion"
section, but many of them aren't actually being discussed and haven't
been for a long time. This makes the issues that are actively
discussed/worked on hard to find. How about taking those that had last
change more than coupl
Hi!
> I think Stas proposes a solution to the problem and I think Anthony
> proposes a viable alternative. I would say that Anthony has found the
> shortest distance between the two points (the problem and the solution),
> however.
The fact is that people do use serialize() for data that may be
On Sat, Mar 30, 2013 at 11:05 PM, Anthony Ferrara wrote:
> Stas,
>
> Serious question: Why bother trying to clean this up? Why not just
> recommend using JSON or some other generic serialization without tying
> into specific objects, and pushing the creation logic into userland (where
> it belong
Stas,
Serious question: Why bother trying to clean this up? Why not just
recommend using JSON or some other generic serialization without tying
into specific objects, and pushing the creation logic into userland (where
it belongs IMHO, at least from a security perspective). At least for any
times
Hi!
As many probably know, unserialize() has a security issue following from
the fact that you can create objects with data from unserialize(), and
these objects may have behavior that is invoked automatically - namely
__destruct - that can result in unintended results. See e.g.
http://heine.famili
On 03/30/2013 07:45 AM, Joe Watkins wrote:
On 03/29/2013 04:50 PM, Frank Liepert wrote:
Hello Internals,
I'm thinking about a new function returning an array of classes and their
individual number of instances. It would look pretty much like the
result of
get_declared_classes().
An Example:
On 03/29/2013 04:50 PM, Frank Liepert wrote:
Hello Internals,
I'm thinking about a new function returning an array of classes and their
individual number of instances. It would look pretty much like the result of
get_declared_classes().
An Example:
print_r (get_instantiated_classes());
// Arr