> This is not a good situation, and presently there is no way to
> avoid it except dropping serialize() completely - which may not be
> an option in some cases and in any case would require serious
> changes to the production code.
And what about automatic un/serialize() of objects in $_SESSION? People don't even see those function calls in their code, so dropping the function/ality would be a wildly drastic move.

IMO, there's a minefield of "most surprise" to worry about unless you tread gently, as in your suggestion of an extra param. And you'd probably want two optional PHP.INI settings: one for when unserialize() is called automatically (so you can't pass it anything), and one for when unserialize() is called in user code without a second argument but you want a default whitelist to be applied (say, to instantly "harden" a codebase and sort out consequences later).

-- S.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
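As an added illustration of the "extra param plus a default whitelist" idea (example code, not from this message or from PHP's own sources): PHP 7.0 later shipped the extra parameter as the `allowed_classes` option of unserialize(); the wrapper, the `Cart` class, the `DEFAULT_ALLOWED_CLASSES` constant and the session payload below are all constructed for the example, and the code assumes PHP 7.4 or newer.

```php
<?php
// Added example: a wrapper that applies a default class whitelist whenever
// user code calls unserialize() without one, and reports what was refused.

final class Cart            // an application class we expect in session data
{
    public array $items = [];
}

// Default whitelist for the codebase; hypothetical constant for this example.
const DEFAULT_ALLOWED_CLASSES = [Cart::class];

/**
 * Unserialize with a class whitelist. Any object whose class is not listed is
 * materialised as __PHP_Incomplete_Class instead of the real class, so no
 * __wakeup()/__destruct() of an unexpected class ever runs.
 */
function safe_unserialize(string $data, ?array $allowed = null)
{
    $allowed ??= DEFAULT_ALLOWED_CLASSES;
    $value = unserialize($data, ['allowed_classes' => $allowed]);
    // unserialize() returns false both for malformed input and for "b:0;"
    if ($value === false && $data !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized data');
    }
    return $value;
}

// Walk the result and collect the names of classes the whitelist refused,
// so the rejection can be logged and the legacy code fixed later.
function incomplete_classes($value, array &$found = []): array
{
    if ($value instanceof __PHP_Incomplete_Class) {
        $found[] = ((array) $value)['__PHP_Incomplete_Class_Name'];
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $child) {
            incomplete_classes($child, $found);
        }
    }
    return $found;
}

// Constructed session payload: the expected Cart plus an object of a class
// the application never intended to accept from stored data.
$payload = 'a:2:{s:4:"cart";O:4:"Cart":1:{s:5:"items";a:1:{i:0;s:3:"pen";}}'
         . 's:5:"other";O:11:"SomeService":0:{}}';

$result = safe_unserialize($payload);
var_dump($result['cart'] instanceof Cart);
var_dump(incomplete_classes($result));
```

The Cart comes back as a real object while SomeService is only an incomplete-class stub, which is exactly the "harden now, sort out consequences later" behaviour described above.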