Download the PHP package xkerman/restricted-unserialize without Composer

On this page you can find all versions of the php package xkerman/restricted-unserialize. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, add a single include, require_once('vendor/autoload.php');, and then import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package restricted-unserialize

restricted-unserialize


This Composer package provides an unserialize function that is safe against PHP Object Injection (POI).

If your PHP application uses the normal unserialize function to deserialize user input:

  1. Don't use this package; use json_decode instead in order to avoid PHP Object Injection
  2. If compatibility matters, use this function first and then try to move to json_decode in the near future

Why POI-safe?

The unserialize function in this package deserializes only booleans, integers, floating point numbers, strings, and arrays; it does not deserialize object instances. Since no instance that has a magic method usable in a POP chain (such as __destruct or __toString) can be instantiated, any attempt to exploit a POP chain simply fails. (You can read a detailed explanation of POP chains at https://www.insomniasec.com/downloads/publications/Practical%20PHP%20Object%20Injection.pdf )
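
The allowlist idea described above, as an added example that is not the package's own code: a minimal parser for PHP's serialize() format that accepts only null, booleans, integers, floats, strings and arrays and refuses every other token, so an object token is rejected before any class is instantiated. The names parse_value, restricted_unserialize_sketch, RejectedInput and Logger are hypothetical, the sample inputs are constructed, and INF/NAN floats are left out for brevity.

```php
<?php
// Added sketch, not the package's code: all names below are hypothetical.
class RejectedInput extends Exception {}

function parse_value(string $s, int &$p)
{
    if (preg_match('/\GN;/', $s, $m, 0, $p)) { $p += 2; return null; }
    if (preg_match('/\Gb:([01]);/', $s, $m, 0, $p)) { $p += 4; return $m[1] === '1'; }
    if (preg_match('/\Gi:([+-]?\d+);/', $s, $m, 0, $p)) { $p += strlen($m[0]); return (int) $m[1]; }
    if (preg_match('/\Gd:(-?\d+(?:\.\d+)?(?:E[+-]?\d+)?);/', $s, $m, 0, $p)) { $p += strlen($m[0]); return (float) $m[1]; }
    if (preg_match('/\Gs:(\d+):"/', $s, $m, 0, $p)) {
        $len = (int) $m[1]; $start = $p + strlen($m[0]);   // length is counted in bytes
        if (substr($s, $start + $len, 2) !== '";') throw new RejectedInput("bad string at offset $p");
        $p = $start + $len + 2;
        return substr($s, $start, $len);
    }
    if (preg_match('/\Ga:(\d+):\{/', $s, $m, 0, $p)) {
        $p += strlen($m[0]); $out = [];
        for ($n = (int) $m[1]; $n > 0; $n--) {
            $key = parse_value($s, $p);
            if (!is_int($key) && !is_string($key)) throw new RejectedInput("bad array key at offset $p");
            $out[$key] = parse_value($s, $p);
        }
        if (substr($s, $p, 1) !== '}') throw new RejectedInput("unterminated array at offset $p");
        $p++;
        return $out;
    }
    // Anything else (O: object, C: custom-serialized object, r:/R: reference, ...) is refused,
    // so no class is ever instantiated and no magic method can run.
    throw new RejectedInput("unsupported token at offset $p");
}

function restricted_unserialize_sketch(string $s)
{
    $p = 0;
    $value = parse_value($s, $p);
    if ($p !== strlen($s)) throw new RejectedInput("trailing data at offset $p");
    return $value;
}

// Constructed sample inputs: plain data, and an array that carries an object token.
class Logger { public $file; function __destruct() { echo "__destruct ran for {$this->file}\n"; } }
$plain = serialize(['user' => 'alice', 'roles' => ['admin', 'dev'], 'quota' => 1.5, 'active' => true]);
$withObject = 'a:1:{i:0;O:6:"Logger":1:{s:4:"file";s:12:"/tmp/app.log";}}';

var_dump(restricted_unserialize_sketch($plain) === unserialize($plain)); // compare with native on plain data
unserialize($withObject); // native call instantiates Logger; __destruct fires once the value is discarded
try { restricted_unserialize_sketch($withObject); }
catch (RejectedInput $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
```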

Installation

How to use

if your PHP version > 5.5:

if your PHP version >= 5.3 and <= 5.5:

if your PHP version is 5.2:

Related other packages

mikegarde/unserialize-fix

The mikegarde/unserialize-fix package provides the \unserialize\fix function, which tries to use the unserialize function first. So the function is not POI-safe.

academe/serializeparser

The academe/serializeparser package provides the \Academe\SerializeParser\Parser::parse method, which is a PHP-implemented unserialize that doesn't deserialize object instances. So the method seems to be POI-safe, but there is no test.

jeroenvdheuve/serialization

The jeroenvdheuve/serialization package provides the \jvdh\Serialization\Unserializer\unserialize method, which is also a PHP-implemented unserialize and doesn't deserialize object instances. So the method seems to be POI-safe. The method can deserialize serialized PHP references, which cannot be deserialized by this (xkerman/restricted-unserialize) package. By using PHP references, we can create cyclic structures, but that makes migration to json_decode harder, since JSON doesn't support decoding or encoding cyclic structures.

Development

To generate code for PHP 5.2, run composer run generate. The generated code will be saved under the generated/ directory.

LICENSE

MIT License


All versions of restricted-unserialize with dependencies

Requires php Version >=5.2