From:             joey at blouzar dot com
Operating system: All
PHP version:      5.2.10
PHP Bug Type:     Feature/Change Request
Bug description:  Make session serialization functions available to php

Description:
------------
The default serialisation scheme in php for session data is different from
that provided by php to the scripting environment. While on one scale it
uses the "userland" serialisation format, overall it uses its own scheme
that is very hard to parse safely without writing a grammar.

There are existing functions that can serialise/deserialise session data
using the session scheme. However they are not flexible and can lead to
risky code. These functions are session_encode and session_decode. Their
shortfall is that they do not let the programmer choose where the data is
deserialised/serialised to or from. It always works with the $_SESSION
global.

I submit a simple proposal to provide functions to serialise session data
with the same level of flexibility as the conventional serialisation
functions.

An example of how the functions might appear (pseudo):

String|false session_serialize(Array* $in_assoc_array);

Array|false session_unserialize(String $serialized_data);
Or:
Boolean session_unserialize(String $serialized_data,Array*
$out_assoc_data);

Of course another suggestion would be to use normal php serialisation on
the whole array rather than just its members.

Thanks.

Reproduce code:
---------------
// Fetch every stored session belonging to the recipient. $db is the
// report's own DB wrapper (query/object/escape); the recipient id is
// escaped here, the original concatenated it into the SQL unescaped.
$result=$db->query('SELECT * FROM sessions WHERE user="'.$db->escape($recipient).'"');
// Back up the current user's session so it can be restored afterwards.
$oldsession=session_encode();

while($session=$result->object())
{
        // Load the recipient's session into $_SESSION, bump the counter
        // and write it back in session format.
        $_SESSION=array();
        session_decode($session->data);
        ++$_SESSION['menu']['inbox'];
        $db->query('UPDATE sessions SET data="'.$db->escape(session_encode()).'" WHERE id="'.$db->escape($session->id).'"');
}

// Restore the current user's own session.
$_SESSION=array();
session_decode($oldsession);

Expected result:
----------------
As this is a feature request the code does exactly what is expected. The
code here is an example of the current system. "Actual result" describes the
downfalls of this.

Quick redundant note. This code may not be the best example (one might
argue that the counter should be stored elsewhere) but was the closest one
to hand.

Actual result:
--------------
While it works fine, it is somewhat risky. Loading the data to the current
session is beyond requirement. If an inexperienced developer were to alter
this code it could result in a mistake such as breaking the restoration of
the session that causes the user submitting the post to adopt the session
of the recipient. It is also somewhat inefficient as the existing session
data should not really need to be backed up and restored. I did try just
copying the global to another variable and back again but this somehow
resulted in the user being logged in as the recipient. I decided to play it
safe after that and serialize/deserialize it instead.

With a custom save handler it could be possible to implement a security
switch. However, this is far from elegant.
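The following is an added example and is neither code from this bug report nor part of PHP (PHP has no session_serialize/session_unserialize). It shows what the functions proposed in the description could look like in userland, and it addresses the risk described under "Actual result" by never reading or writing $_SESSION: the recipient's stored row is parsed into an ordinary array, edited, and serialized back. The class name SessionFormatReader and the "user_" prefix on the two functions are my own choices; the reader is a small recursive-descent parser for the "php" session handler format (key|<serialized value> repeated) that accepts N, b, i, d, s and a and refuses objects (O:/C:), so unserialize() is never run on another user's data.

```php
<?php
// Added example, not code from the bug report or from PHP: userland versions of
// the proposed session_serialize()/session_unserialize() (prefixed "user_", my
// naming) that work on any array and never touch $_SESSION. The reader is a
// recursive-descent parser for the "php" session format and refuses O:/C:.

final class SessionFormatReader {
    private $s, $pos = 0, $len;
    private function __construct($s) { $this->s = $s; $this->len = strlen($s); }

    /** Parse a whole blob (key|<serialized>key|<serialized>...) into an array. */
    public static function read($serialized) {
        $p = new self($serialized);
        $out = array();
        while ($p->pos < $p->len) {
            $key = $p->until('|');               // session keys never contain '|'
            $out[$key] = $p->value();
        }
        return $out;
    }
    private function fail($msg) {
        throw new UnexpectedValueException("$msg near offset {$this->pos}");
    }
    private function expect($c) {
        if ($this->pos >= $this->len || $this->s[$this->pos] !== $c) $this->fail("expected '$c'");
        $this->pos++;
    }
    /** Return the text before the next $c and move past it. */
    private function until($c) {
        $end = strpos($this->s, $c, $this->pos);
        if ($end === false) $this->fail("unterminated token, wanted '$c'");
        $tok = substr($this->s, $this->pos, $end - $this->pos);
        $this->pos = $end + 1;
        return $tok;
    }
    private function length() {
        $n = $this->until(':');
        if (!ctype_digit($n)) $this->fail("bad length");
        return (int) $n;
    }
    /** One serialized value: N, b, i, d, s or a (arrays recurse). */
    private function value() {
        if ($this->pos >= $this->len) $this->fail("unexpected end of data");
        $type = $this->s[$this->pos++];
        if (strpos('Nbidsa', $type) === false) $this->fail("unsupported type '$type' (objects are refused)");
        if ($type !== 'N') $this->expect(':');
        switch ($type) {
            case 'N': $this->expect(';'); return null;
            case 'b':
                $v = $this->until(';');
                if ($v !== '0' && $v !== '1') $this->fail("bad boolean");
                return $v === '1';
            case 'i':
                $v = $this->until(';');
                if (!preg_match('/^-?\d+$/', $v)) $this->fail("bad integer");
                return (int) $v;
            case 'd':
                $v = $this->until(';');
                if ($v === 'INF' || $v === '-INF' || $v === 'NAN') return $v === 'NAN' ? NAN : ($v === 'INF' ? INF : -INF);
                if (!is_numeric($v)) $this->fail("bad float");
                return (float) $v;
            case 's':                                // s:<bytes>:"<raw bytes>";
                $n = $this->length();
                $this->expect('"');
                if ($this->pos + $n > $this->len) $this->fail("string length runs past end of data");
                $str = substr($this->s, $this->pos, $n);
                $this->pos += $n;
                $this->expect('"'); $this->expect(';');
                return $str;
            case 'a':                                // a:<count>:{<key><value>...}
                $n = $this->length();
                $this->expect('{');
                $arr = array();
                for ($i = 0; $i < $n; $i++) {
                    $k = $this->value();
                    if (!is_int($k) && !is_string($k)) $this->fail("array key must be int or string");
                    $arr[$k] = $this->value();
                }
                $this->expect('}');
                return $arr;
        }
    }
}

/** Proposed session_unserialize(): string -> array, $_SESSION untouched. */
function user_session_unserialize($serialized) { return SessionFormatReader::read($serialized); }

/** Proposed session_serialize(): array -> string in the "php" handler format. */
function user_session_serialize(array $data) {
    $out = '';
    foreach ($data as $key => $value) {
        $key = (string) $key;
        if ($key === '' || strpos($key, '|') !== false) throw new InvalidArgumentException("bad session key '$key'");
        $out .= $key . '|' . serialize($value);
    }
    return $out;
}

// Constructed sample row shaped like the report's sessions.data column: bump the
// recipient's inbox counter without ever loading it into the current session.
$row  = 'user|i:42;menu|a:2:{s:5:"inbox";i:3;s:4:"sent";i:0;}';
$data = user_session_unserialize($row);
++$data['menu']['inbox'];
echo user_session_serialize($data), "\n";
```

With this in place the loop from "Reproduce code" no longer needs the session_encode() backup and restore: each row goes through user_session_unserialize(), is edited as a plain array, and is written back with user_session_serialize(), so a slip in the restore step can no longer leave the poster holding the recipient's session. Malformed or object-carrying rows raise an exception instead of being silently merged.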

-- 
Edit bug report at http://bugs.php.net/?id=48673&edit=1