PHP Serialization method
February 25th, 2009. Published under PHP.
PHP allows us to serialize objects, arrays, etc… with the serialize() function.
What does serialization mean? Serialization produces a storable representation of a value, where the value can be an array, an object, etc., as a single string that can later be turned back into the original value.
How it works:
Suppose you have this array:
<?php
$book = array(
    'title'     => 'Cocoa Programming for Mac OS X',
    'publisher' => 'Addison-Wesley Professional',
    'language'  => 'English',
    'ISBN'      => '978-0321503619'
);
?>
and you want to write this data to a MySQL database, for example. You could create a table called BOOK with four fields and insert each array value into its own column, but how do you write all of this data at once into a single DB field?
The PHP function serialize() creates a serialized string of the above array, which we can write into that one DB field; when we need the array back, we just unserialize() it.
Example of serialization of above PHP array:
<?php
$value = serialize($book);
?>
Now we have a serialized value in the php $value variable, it looks like this:
a:4:{s:5:"title";s:30:"Cocoa Programming for Mac OS X";s:9:"publisher";s:27:"Addison-Wesley Professional";s:8:"language";s:7:"English";s:4:"ISBN";s:14:"978-0321503619";}
This is a plain string (each entry is a type letter, a length, and the value), so you can write it to the DB field as-is.
To get back the PHP array from this value, use the PHP unserialize() function like this:
<?php
$book = unserialize($value);
?>
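The round trip above, as an added example that is not part of the original post, extended with the check you want when the serialized string does not come from your own database row but from a source you do not control, such as a request parameter. unserializeArray() and containsObject() are names chosen for this example; the allowed_classes option of unserialize() exists since PHP 7.0.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 7.0 for the
// second argument of unserialize(); the helper names are this example's own.

$book = array(
    'title'     => 'Cocoa Programming for Mac OS X',
    'publisher' => 'Addison-Wesley Professional',
    'language'  => 'English',
    'ISBN'      => '978-0321503619',
);

// The plain round trip from the post: arrays of scalars come back identical.
$value = serialize($book);   // a:4:{s:5:"title";s:30:"Cocoa Programming for Mac OS X";...
var_dump(unserialize($value) === $book);   // bool(true)

// True if $v is an object, or an array that contains one at any depth.
function containsObject($v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $element) {
            if (containsObject($element)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Unserialize a string that is supposed to hold a plain array of data.
 *
 * The serialized format can describe objects as well as arrays
 * (O:8:"stdClass":0:{}), and unserialize() instantiates whatever class the
 * string names. When the string arrives in a request rather than from your
 * own database, that is not what you want:
 *  - 'allowed_classes' => false turns any such object into an inert
 *    __PHP_Incomplete_Class instead of an instance of the named class;
 *  - the result is then rejected unless it is an array with no objects in it.
 */
function unserializeArray(string $s): ?array
{
    // false (plus a notice, suppressed here) on malformed input
    $data = @unserialize($s, ['allowed_classes' => false]);
    if (!is_array($data) || containsObject($data)) {
        return null;
    }
    return $data;
}

var_dump(unserializeArray($value) === $book);                      // bool(true)
var_dump(unserializeArray('O:8:"stdClass":0:{}'));                 // NULL: an object, not an array
var_dump(unserializeArray('a:1:{s:1:"k";O:8:"stdClass":0:{}}'));   // NULL: an array, but with an object inside
var_dump(unserializeArray('not serialized at all'));               // NULL

// When the data is only strings, numbers and arrays, as $book is, JSON gives
// an equally storable string with no notion of objects to worry about.
var_dump(json_decode(json_encode($book), true) === $book);         // bool(true)
```

For data you wrote to your own table and read back, plain unserialize() is fine; the guard matters the moment the string can be shaped by someone else, which is exactly the situation the rest of this post builds towards.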
OK, what next?
We now have a serialization and unserialization mechanism. What if you want to send the data as HTTP GET values, in a URL like this:
http://www.somehost.com/activateuser.php?userid=1233&action=eliminate_cache&code=434bdf32g2
This is the kind of URL some websites use to activate user accounts. Unfortunately it is not securely written: every parameter travels in plain text and can be edited in the address bar, and even if the code parameter is encrypted, someone analysing the parameters sent by GET can change userid and try to activate any user in that system.
How can such URLs be generated in a more secure way? I am not going to cover PHP security in general here; I'd like to show one small thing that can be done with the serialize() and unserialize() PHP functions.
We'll use two functions to encrypt and decrypt the serialized value.
Their definitions:
<?php
// Adds one key byte to each byte of $string (mod 256), repeating the key,
// then base64-encodes the result so it survives as printable text.
function encrypt($string, $key) {
    $result = '';
    for ($i = 0; $i < strlen($string); $i++) {
        $char = substr($string, $i, 1);
        // Note the -1: whenever $i is a multiple of the key length, substr()
        // gets offset -1 and returns the LAST key character. decrypt() below
        // makes the same choice, so the two stay in step.
        $keychar = substr($key, ($i % strlen($key)) - 1, 1);
        $char = chr(ord($char) + ord($keychar));   // chr() wraps values above 255
        $result .= $char;
    }
    return base64_encode($result);
}

// The exact reverse: base64-decode, then subtract the same key bytes.
function decrypt($string, $key) {
    $result = '';
    $string = base64_decode($string);
    for ($i = 0; $i < strlen($string); $i++) {
        $char = substr($string, $i, 1);
        $keychar = substr($key, ($i % strlen($key)) - 1, 1);
        $char = chr(ord($char) - ord($keychar));   // negative values wrap the same way
        $result .= $char;
    }
    return $result;
}
?>
These functions add the bytes of a repeating key to the bytes of the string, and subtract them again to decrypt; base64 is not the encryption, it is only there so the result is plain printable text. What you get is a simple obfuscation (a byte-wise Vigenère shift), not encryption in the cryptographic sense.
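As an added example (not code from the original post), the following shows what an obfuscation of this kind withstands once an attacker holds a single token whose plaintext is mostly known. Activation tokens fit that description: the attacker can register an account, receive a token for it, and knows exactly how serialize() lays out the fields. encrypt() is copied from above so the block runs on its own; recoverKeystream(), stripKeystream() and forgeToken() are this example's own names; the secret 'ACTIVATE USER' and the field names are the post's; the user ids, codes and the "captured" token are constructed here. Assumes PHP 7.1 or later for the type declarations.

```php
<?php
// Added example, not code from the original post. encrypt() adds one key byte
// to each plaintext byte (mod 256) and the key repeats every strlen($key)
// bytes, so whoever knows that many plaintext bytes of ONE message recovers
// the whole repeating keystream and can read or forge every other message
// made with the same key. Values marked "constructed" are made up for the demo.

// The post's cipher, copied so the example runs stand-alone.
function encrypt($string, $key) {
    $result = '';
    for ($i = 0; $i < strlen($string); $i++) {
        $keychar = substr($key, ($i % strlen($key)) - 1, 1);
        $result .= chr(ord($string[$i]) + ord($keychar));
    }
    return base64_encode($result);
}

// Keystream byte i is (cipher[i] - plain[i]) mod 256. It repeats with the key
// length, so try candidate lengths and keep the first one that is consistent
// with every known plaintext byte.
function recoverKeystream(string $cipher, string $knownPlain, int $maxLen = 64): ?string {
    $n = min(strlen($knownPlain), strlen($cipher));
    for ($len = 1; $len <= min($maxLen, $n); $len++) {
        $ks = '';
        for ($i = 0; $i < $len; $i++) {
            $ks .= chr((ord($cipher[$i]) - ord($knownPlain[$i])) & 0xFF);
        }
        $consistent = true;
        for ($i = $len; $i < $n; $i++) {
            if (((ord($cipher[$i]) - ord($ks[$i % $len])) & 0xFF) !== ord($knownPlain[$i])) {
                $consistent = false;
                break;
            }
        }
        if ($consistent) {
            return $ks;
        }
    }
    return null;
}

// Subtract the keystream: the attacker's decrypt(), no key needed.
function stripKeystream(string $cipher, string $ks): string {
    $plain = '';
    for ($i = 0; $i < strlen($cipher); $i++) {
        $plain .= chr((ord($cipher[$i]) - ord($ks[$i % strlen($ks)])) & 0xFF);
    }
    return $plain;
}

// Add the keystream: the attacker's encrypt(). There is no integrity check,
// so the server cannot tell these tokens from its own.
function forgeToken(string $plain, string $ks): string {
    $cipher = '';
    for ($i = 0; $i < strlen($plain); $i++) {
        $cipher .= chr((ord($plain[$i]) + ord($ks[$i % strlen($ks)])) & 0xFF);
    }
    return base64_encode($cipher);
}

$secret = 'ACTIVATE USER';   // the post's secret phrase

// 1. The attacker registers and receives an activation URL for their own
//    account (constructed: user id 9999; the code is unknown to them).
$ownToken = encrypt(serialize([
    'userid' => '9999', 'action' => 'eliminate_cache', 'code' => 'c0ffee1234',
]), $secret);

// 2. They know how serialize() lays out an array and what the fields are
//    called, so the first 76 bytes of their own plaintext are known.
$knownPlain = 'a:3:{s:6:"userid";s:4:"9999";s:6:"action";s:15:"eliminate_cache";s:4:"code";';
$ks = recoverKeystream(base64_decode($ownToken), $knownPlain);
echo "keystream length: ", strlen($ks), "\n";   // 13 == strlen('ACTIVATE USER')

// 3. A token for another user (constructed here with the post's sample values),
//    seen in a log or a shared link, is now readable without the secret.
$capturedToken = encrypt(serialize([
    'userid' => '1233', 'action' => 'eliminate_cache', 'code' => '434bdf32g2',
]), $secret);
echo stripKeystream(base64_decode($capturedToken), $ks), "\n";
// a:3:{s:6:"userid";s:4:"1233";s:6:"action";s:15:"eliminate_cache";s:4:"code";s:10:"434bdf32g2";}

// 4. Any payload can be forged: the token is byte-for-byte what the server
//    itself would have produced, so decrypt() and unserialize() accept it.
$forged = serialize(['userid' => '1', 'action' => 'eliminate_cache', 'code' => 'anything']);
var_dump(forgeToken($forged, $ks) === encrypt($forged, $secret));   // bool(true)
```

Two things make the recovery this easy: the key is reused unchanged for every token, and the plaintext is a format with a fixed, guessable prefix. Neither is fixed by a longer phrase; only a real cipher with a per-message nonce and an integrity tag removes the problem.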
Now we can wrap PHP's serialize() and unserialize() so that the serialized value is encrypted on the way out and decrypted on the way in.
The two wrapper functions:
<?php
// serialize() and then encrypt(); both sides must use the same $secret.
function serializeEncription($data, $secret) {
    $serialized = serialize($data);
    return encrypt($serialized, $secret);
}

// decrypt() and then unserialize(); returns false if the result does not unserialize.
function unserializeEncription($data, $secret) {
    $decrypted = decrypt($data, $secret);
    return unserialize($decrypted);
}
?>
and now we could write the above HTTP GET URL like this
<?php
$urlData = array(
    'userid' => '1233',
    'action' => 'eliminate_cache',
    'code'   => '434bdf32g2'
);
$value = serializeEncription($urlData, 'ACTIVATE USER');
$url = 'http://www.somehost.com/activateuser.php?data=' . urlencode($value);
?>
What we do here is build an array of the GET parameters and their values, serialize it, and encrypt the result with the secret phrase 'ACTIVATE USER' (the same phrase is needed to decrypt the value when the user requests this URL). The URL then carries a single GET parameter called data.
The full URL will look like this:
http://www.somehost.com/activateuser.php?data=s3t2jsTJe4p/QsrGqsSqp3aEv3uFd1OIjriMd312qrm1vbSOd464jHJ4jmu7rb2yicO0ubegprWsvqZ2gJOPh390pLK4rnh8x39RhY1nhnR3tq28dIasUneOwg==
Yes, it is a bit longer, but the parameters are no longer readable or editable at a glance, and unserializeEncription($_GET['data'], 'ACTIVATE USER') gives you the whole array back on the other side. Two caveats before using this for anything that matters: encrypt() only adds a short repeating key to the bytes, which hides the values from a casual look but is not encryption in the cryptographic sense, and it carries no integrity check, so nothing stops a modified token from being accepted; and unserialize() should not be fed data that an outsider can shape, because the serialized format can describe objects as well as arrays.
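A hardened version of the same idea, as an added example that is not code from the original post: the token still carries the whole parameter array in one data value, but it is produced with authenticated encryption (AES-256-GCM through PHP's OpenSSL extension, PHP 7.1 or later) so that it can neither be read nor altered without the key, and the payload is JSON rather than a serialized PHP value so the receiver never instantiates objects. sealData(), openData(), TOKEN_CIPHER and the exp field are this example's own names and additions; the field names and the URL are the post's.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 7.1 with the
// OpenSSL extension (openssl_encrypt() with an AES-GCM cipher and a $tag
// out-parameter) and random_bytes(). Names below are this example's own.

const TOKEN_CIPHER = 'aes-256-gcm';

/**
 * Pack an array into an opaque token for a URL.
 * $key must be 32 random bytes generated once (random_bytes(32)) and kept
 * server-side; a memorable phrase like 'ACTIVATE USER' is not a key.
 */
function sealData(array $data, string $key): string
{
    // JSON instead of serialize(): the receiver can never be made to
    // instantiate an object, and the string is just as storable.
    $plain = json_encode($data);
    $iv    = random_bytes(12);                   // fresh 96-bit nonce for every token
    $tag   = '';
    $ct    = openssl_encrypt($plain, TOKEN_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);      // 12 + 16 + strlen($plain) bytes
}

/**
 * Reverse of sealData(). Returns null for anything not produced with this
 * key: a flipped byte, a truncated string, a guessed token. GCM verifies the
 * tag before a single byte of plaintext is released.
 */
function openData(string $token, string $key): ?array
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $plain = openssl_decrypt($ct, TOKEN_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        return null;                              // authentication failed
    }
    $data = json_decode($plain, true);
    return is_array($data) ? $data : null;
}

// --- usage with the post's parameters --------------------------------------
$key = random_bytes(32);   // in a real deployment: generated once, stored secretly

$urlData = [
    'userid' => '1233',
    'action' => 'eliminate_cache',
    'code'   => '434bdf32g2',
    'exp'    => time() + 3600,                    // activation links should expire
];
$token = sealData($urlData, $key);
$url   = 'http://www.somehost.com/activateuser.php?data=' . urlencode($token);

// Receiving side (this is $_GET['data'] in the post's activateuser.php):
$received = openData($token, $key);
var_dump($received['userid'] === '1233' && $received['exp'] > time());   // bool(true)

// A token with one ciphertext byte changed does not decrypt to a different
// userid; it is rejected outright.
$bytes = base64_decode($token);
$last  = strlen($bytes) - 1;
$bytes[$last] = chr(ord($bytes[$last]) ^ 0x01);
var_dump(openData(base64_encode($bytes), $key));                          // NULL

// The wrong key is as useless as no key.
var_dump(openData($token, random_bytes(32)));                              // NULL
```

Because GCM authenticates before it decrypts, openData() returns null for a tampered, truncated or wrong-key token and the activation script can refuse the request without ever looking at a forged userid. Checking exp against time() on receipt is what keeps an old activation link from working forever; the rest of the server-side logic (does this code belong to this userid?) stays exactly as it was.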
Happy PHPing!