7

I am searching for the specification or an exact description about how the PHP serialize() function exactly works. All I could find for that topic is that comment in the manual.

Is there anywhere out there a more detailed description about how php implements this?

philipp
  • I guess the best specification is to look in the source code, but that might be a bit too much. What exactly do you want to know and what for? – Pekka May 07 '13 at 12:51
  • @Pekka웃 I am especially interested in the details of the string serialization. – philipp May 07 '13 at 12:53
  • I guess you may have to look in the source code then. What do you want to know it for? If you're looking for a portable format to transport data with, JSON seems more universal – Pekka May 07 '13 at 12:57
  • @Pekka웃 I am not looking for a portable format, I just try to find Strings that are serialized by php, so that they have the format: s::""; I want to make sure that my regexp won't miss any hit, or if it is possible at all to do that with a regexp. BTW. where can I find the source-code? – philipp May 07 '13 at 13:01
  • 2
    Depending on how many strings you are parsing (considering overhead), but if they are few, perhaps just trying to unserialize and checking if it succeeded might be the easier method.. – Damien Overeem May 07 '13 at 13:04
  • @damienovereem I plan to parse a lot and I would like to do that with Java, so that is no option – philipp May 07 '13 at 13:13
  • You know about `unserialize()`? – powtac May 07 '13 at 13:32
  • There is a question/answer combo on stack that is about detecting if a string is a serialized string. Ircmaxell gave a decent answer on the matter. Maybe it will help out: http://stackoverflow.com/questions/4748795/how-to-find-out-if-a-string-is-a-serialized-object-array-or-just-a-string – Damien Overeem May 08 '13 at 06:40

3 Answers

4

I wanted to dig into this years ago. Warning: this blogpost is way old. I think the spec is still accurate, but ignore the content around it ;)

http://evertpot.com/133/ Jump to the section titled: The serialized data format.

Evert
2

To truly know how PHP handles serialized strings, one would need to dig in the source code as suggested by Pekka 웃 in the comments.

Try starting at: http://lxr.php.net/search?q=PHP_FUNCTION+serialize&project=PHP_5_4 which gives a convenient way to search the sources.

This link comes from http://nikic.github.io/2012/03/16/Understanding-PHPs-internal-function-definitions.html which explains how to find specific function definitions in the php source.

Good luck!

Damien Overeem
  • I chose this answer as the best because it delivers the best links to background information. Unfortunately it turned out that parsing those serialized strings with (not with php) is more a guessing and error prone too, but I could work out a working version with Java. But in fact, corrupted Input will ever be able to break it, and since I was trying to process mysqldump files I had to realize that even all tests pass, it is possible to write another valid one that will fail. (f.i. a corrupted string that contains a serialized object). – philipp Sep 03 '13 at 21:53
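
Added example, not part of the original posts or of PHP's source: a Python sketch of why a plain regexp misses hits on PHP's string token `s:<byte length>:"<bytes>";` and how honouring the length prefix avoids that. The names `naive_matches`, `find_php_strings` and `SAMPLE` are hypothetical, and the sample data is constructed; the same logic ports directly to Java on a `byte[]`.

```python
import re

# Header of a PHP serialized string token: s:<byte length>:"
_HEADER = re.compile(rb's:(\d+):"')

# Constructed sample: one payload contains the terminator sequence ";
# and one contains a multi-byte UTF-8 character (the length counts bytes).
SAMPLE = b'a:3:{i:0;s:5:"hello";i:1;s:7:"say";hi";i:2;s:6:"na\xc3\xafve";}'

def naive_matches(data: bytes):
    """Regexp-only approach: stops at the first "; and truncates payloads."""
    return re.findall(rb's:\d+:"(.*?)";', data)

def find_php_strings(data: bytes):
    """Return (offset, payload) for each token whose declared length fits."""
    hits, pos = [], 0
    while (m := _HEADER.search(data, pos)) is not None:
        start = m.end()
        end = start + int(m.group(1))   # declared length is in bytes, not characters
        # A well-formed token has exactly <length> bytes followed by ";
        if end + 2 <= len(data) and data[end:end + 2] == b'";':
            hits.append((m.start(), data[start:end]))
            pos = end + 2               # skip the payload so look-alikes inside it are ignored
        else:
            pos = m.start() + 1         # truncated or coincidental header: resume one byte on
    return hits

if __name__ == "__main__":
    print(naive_matches(SAMPLE))
    print(find_php_strings(SAMPLE))
```

The scanner works on raw bytes on purpose: decoding a dump to text first makes the declared lengths disagree with the character counts. A header that appears by coincidence inside other data can still be reported, so a hit is a candidate, not proof of valid serialized input.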
0

It is sad, PHP does not provide a specification of serialization.

You can explore source code https://github.com/php/php-src/blob/master/ext/standard/php_var.h, https://github.com/php/php-src/blob/master/ext/standard/var_unserializer.c . But it's hard to understand.

You can try to search for an implementation in another language. JavaScript.

sectus