rfc:not_serializable
rfc:not_serializable [2023/11/26 17:42] – maxsem | rfc:not_serializable [2023/12/10 12:31] (current) – maxsem | ||
Line 1: | Line 1: | ||
====== PHP RFC: # | ====== PHP RFC: # | ||
* Version: 1.0 | * Version: 1.0 | ||
- | * Date: 20123-11-26 | + | * Date: 2023-11-26 |
* Author: Max Semenik, maxsem.wiki@gmail.com | * Author: Max Semenik, maxsem.wiki@gmail.com | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | Some classes aren't supposed to be serialized. Examples include closures, various connections like '' | + | Some classes aren't supposed to be serialized. Currently, while PHP internal classes have a nice way of preventing being serialized/unserialized, userspace doesn' |
- | Compare the internals slapping '' | + | Compare the internals |
<code php> | <code php> | ||
class MyClass | class MyClass | ||
{ | { | ||
- | public function __sleep() // Wait, what it' | + | public function __sleep() // Wait, what its signature is supposed to be? Does it matter? |
{ | { | ||
throw new Exception(' | throw new Exception(' | ||
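Review bot: the userland workaround in this hunk (a throwing `__sleep()`) covers only the `serialize()` direction, while the Introduction motivates the change with internals "preventing being serialized/unserialized". To make the comparison honest, the example should also show the `__wakeup()`/`__unserialize()` side that userland code needs to reject a forged payload, which also strengthens the RFC's point about how bulky the current approach is.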
Line 26: | Line 26: | ||
</ | </ | ||
- | Not only is this method bulky, it also lacks a way for various code analysers | + | Not only is this method bulky, it's also less readable. It also lacks a way to indicate the intention to various code analysers |
+ | |||
+ | ===== Analysis ===== | ||
+ | As of the time I'm writing this, there are 94 uses of '' | ||
+ | * Closures | ||
+ | * Various connections like '' | ||
+ | * Reflection | ||
+ | |||
+ | What could userspace use this for? | ||
+ | * Wrappers for all the above. Imagine a PDO wrapper that creates connections on demand. If the connection hasn't been established yet, its serialization will succeed, which results in unpredictable behavior. | ||
+ | * Secret information that shouldn' | ||
+ | * Security-sensitive classes that are unsafe | ||
===== Proposal ===== | ===== Proposal ===== | ||
- | Introduce new attribute that would expose this functionality to userspace. | + | Introduce |
<code php> | <code php> | ||
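Review bot: the Analysis section motivates the attribute with secret-bearing objects and security-sensitive classes, but the Proposal only states that a new attribute exposes the existing engine flag. The RFC should state explicitly that the flag governs `serialize()` and `unserialize()` only, since the security argument rests on that boundary; the lazy-PDO-wrapper bullet already shows why the guard must apply even when the object has no live connection yet.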
Line 40: | Line 51: | ||
</ | </ | ||
- | This change | + | The non-serializable flag is inherited by descendants: |
+ | |||
+ | <code php> | ||
+ | class MyOtherClass extends MyClass | ||
+ | { | ||
+ | } | ||
+ | |||
+ | serialize(new MyOtherClass()); | ||
+ | </ | ||
+ | |||
+ | The above requires no changes to the engine whatsoever, all functionality is already present - it merely gets exposed | ||
+ | |||
+ | This feature will be exposed to reflection by the following additions to ReflectionClass: | ||
+ | |||
+ | <code php> | ||
+ | public const int IS_NOT_SERIALIZABLE = ZEND_ACC_NOT_SERIALIZABLE; | ||
+ | |||
+ | public function isSerializable(): | ||
+ | </ | ||
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== |
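Review bot: the inheritance example ends at `serialize(new MyOtherClass());` without stating the expected outcome; add a comment that it throws the same exception as the base class so the inherited behaviour is visible. In the reflection additions, the constant `IS_NOT_SERIALIZABLE` and the method `isSerializable()` have opposite polarity; document that `isSerializable()` returns the negation of the flag to avoid misuse.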
rfc/not_serializable.1701020541.txt.gz · Last modified: 2023/11/26 17:42 by maxsem