cs278 / is_serialized.php
Created

Embed URL

HTTPS clone URL

SSH clone URL

You can clone with HTTPS or SSH.

Download Gist

PHP is_serialized() function.

View is_serialized.php
Raw
File suppressed. Click to show.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 
<?php

/**

 * This program is free software. It comes without any warranty, to

 * the extent permitted by applicable law. You can redistribute it

 * and/or modify it under the terms of the Do What The Fuck You Want

 * To Public License, Version 2, as published by Sam Hocevar. See

 * http://sam.zoy.org/wtfpl/COPYING for more details.

 */ 



/**

 * Tests if an input is valid PHP serialized string.

 *

 * Checks if a string is serialized using quick string manipulation

 * to throw out obviously incorrect strings. Unserialize is then run

 * on the string to perform the final verification.

 *

 * Valid serialized forms are the following:

 * <ul>

 * <li>boolean: <code>b:1;</code></li>

 * <li>integer: <code>i:1;</code></li>

 * <li>double: <code>d:0.2;</code></li>

 * <li>string: <code>s:4:"test";</code></li>

 * <li>array: <code>a:3:{i:0;i:1;i:1;i:2;i:2;i:3;}</code></li>

 * <li>object: <code>O:8:"stdClass":0:{}</code></li>

 * <li>null: <code>N;</code></li>

 * </ul>

 *

 * @author		Chris Smith <code+php@chris.cs278.org>

 * @copyright	Copyright (c) 2009 Chris Smith (http://www.cs278.org/)

 * @license		http://sam.zoy.org/wtfpl/ WTFPL

 * @param		string	$value	Value to test for serialized form

 * @param		mixed	$result	Result of unserialize() of the $value

 * @return		boolean			True if $value is serialized data, otherwise false

 */

function is_serialized($value, &$result = null)

{

	// Bit of a give away this one

	if (!is_string($value))

	{

		return false;

	}



	// Serialized false, return true. unserialize() returns false on an

	// invalid string or it could return false if the string is serialized

	// false, eliminate that possibility.

	if ($value === 'b:0;')

	{

		$result = false;

		return true;

	}



	$length	= strlen($value);

	$end	= '';



	switch ($value[0])

	{

		case 's':

			if ($value[$length - 2] !== '"')

			{

				return false;

			}

		case 'b':

		case 'i':

		case 'd':

			// This looks odd but it is quicker than isset()ing

			$end .= ';';

		case 'a':

		case 'O':

			$end .= '}';



			if ($value[1] !== ':')

			{

				return false;

			}



			switch ($value[2])

			{

				case 0:

				case 1:

				case 2:

				case 3:

				case 4:

				case 5:

				case 6:

				case 7:

				case 8:

				case 9:

				break;



				default:

					return false;

			}

		case 'N':

			$end .= ';';



			if ($value[$length - 1] !== $end[0])

			{

				return false;

			}

		break;



		default:

			return false;

	}



	if (($result = @unserialize($value)) === false)

	{

		$result = null;

		return false;

	}

	return true;

}
xfoxawy commented

great work ... testing it

Hazard2 commented

nice work!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.