<?php
// Private property injection: never call unserialize() on user-supplied data.
/**
 * Demonstration target for PHP object injection via unserialize().
 *
 * The class holds one property of each visibility and a destructor that
 * prints $var1. unserialize() rebuilds an instance directly from the
 * serialized text: it fills public, protected and private properties alike
 * and calls neither __construct() nor setVars(). Whoever controls the
 * serialized bytes therefore controls every value the destructor later reads.
 */
class Foo
{
    /** @var string Echoed by __destruct(). */
    public $var1 = '';

    /** @var string Not reachable from outside the class through normal code. */
    protected $var2 = '';

    /** @var string Not reachable from outside the class through normal code. */
    private $var3 = '';

    /**
     * Announces construction; the only code path that prints "construct".
     */
    public function __construct()
    {
        echo "construct\n";
    }

    /**
     * Sets all three properties in one call.
     *
     * @param mixed $var1 value for the public property
     * @param mixed $var2 value for the protected property
     * @param mixed $var3 value for the private property
     */
    public function setVars($var1, $var2, $var3)
    {
        [$this->var1, $this->var2, $this->var3] = [$var1, $var2, $var3];
    }

    /**
     * Prints $var1 followed by a "destruct" marker.
     *
     * PHP invokes this automatically when the object is released, including
     * for objects created by unserialize(), so it runs on property values
     * that never passed through the constructor or setVars().
     */
    public function __destruct()
    {
        echo $this->var1, "\ndestruct\n";
    }
}
// --- generate the base64 text of a serialized Foo object ---
//
//$obj = new Foo();
//$obj->setVars('public2', 'protected2', 'private2');
//echo base64_encode(serialize($obj));exit;
// Base64 form of a serialized Foo, produced by the commented-out generator
// above. Decoded, it carries var1 = 'public2', the protected var2 =
// 'protected2' and the private var3 = 'private2'.
$encoded = 'TzozOiJGb28iOjM6e3M6NDoidmFyMSI7czo3OiJwdWJsaWMyIjtzOjc6IgAqAHZhcjIiO3M6MTA6InByb3RlY3RlZDIiO3M6OToiAEZvbwB2YXIzIjtzOjg6InByaXZhdGUyIjt9';
$a = base64_decode($encoded);

// unserialize() instantiates Foo straight from the string: "construct" is
// never printed, yet all three properties (including protected and private)
// take the values from the text. The result is not stored, so the object is
// released at once and __destruct() echoes the injected var1.
//
// With a string an outside party can alter, every class loaded in the
// application becomes reachable this way. For data crossing a trust boundary,
// use a data-only format such as JSON (json_decode()), or at minimum pass
// ['allowed_classes' => false] as the second argument to unserialize().
unserialize($a);
?>