PHP :: Bug #44409 :: PDO::FETCH_SERIALIZE calls __construct()
| Bug #44409 | PDO::FETCH_SERIALIZE calls __construct() | | |
|---|---|---|---|
| Submitted: | 2008-03-11 19:53 UTC | Modified: | 2009-03-23 23:20 UTC |
| From: | uwendel at mysql dot com | Assigned: | felipe |
| Status: | Closed | Package: | PDO related |
| PHP Version: | 5.3CVS-2008-03-11 (CVS) | OS: | * |
| Private report: | No | CVE-ID: | None |
[2008-03-11 19:53 UTC] uwendel at mysql dot com
Description:
------------
There seems to be very little documentation about PDO::FETCH_SERIALIZE in the PHP manual, but playing the guessing game from the code it seems that this feature aims to support the SPL/Serialize interface. As I'm not sure about the purpose of PDO::FETCH_SERIALIZE, I'm not sure if the following is a bug or not. However, it seems to me that PDO::FETCH_SERIALIZE unintentionally calls __construct().
One of the main ideas behind the SPL/Serialize interface seems to be that for unserialization the constructor of a class does not get called. The constructor of a class has a different meaning than a helper function like unserialize() and thus should not be called automatically. Let's check:
class myclass implements Serializable {
    public function __construct() {
        printf("%s()\n", __METHOD__);
    }
    public function serialize() {
        printf("%s()\n", __METHOD__);
        return "any data from serialize()";
    }
    public function unserialize($dat) {
        printf("%s(%s)\n", __METHOD__, var_export($dat, true));
    }
}
$obj1 = new myclass();
---> myclass::__construct()
$tmp = serialize($obj1);
$obj2 = unserialize($tmp);
---> myclass::unserialize('any data from serialize()')
__construct() gets called only once for object creation but not again during unserialization. Let's try that with PDO:
[...]
$stmt = $db->query("SELECT dat FROM test");
$rows = $stmt->fetchAll(PDO::FETCH_CLASS|PDO::FETCH_SERIALIZE, "myclass");
--> myclass::unserialize("data from DB")
--> myclass::__construct()
[...]
PDO first calls unserialize() as it's supposed to do. But then it also calls __construct(), which is against the idea of the Serialize interface not to call the constructor automatically during unserialization.
Reproduce code:
---------------
sapi/cli/php -r '$db = new PDO("sqlite:/tmp/foo"); $db->exec("DROP TABLE test"); $db->exec("CREATE TABLE test(dat VARCHAR(100))"); $db->exec("INSERT INTO test(dat) VALUES (\"Data from DB\")"); class myclass implements Serializable { public function __construct() { printf("%s()\n", __METHOD__); } public function serialize() { return "any data from serizalize()"; } public function unserialize($dat) { printf("%s(%s)\n", __METHOD__, var_export($dat, true)); }} $stmt = $db->query("SELECT * FROM test"); var_dump($stmt->fetchAll(PDO::FETCH_CLASS|PDO::FETCH_SERIALIZE, "myclass")); $obj = new myclass(); var_dump(unserialize(serialize($obj)));'
myclass::unserialize('Data from DB')
myclass::__construct()
array(1) {
[0]=>
object(myclass)#3 (0) {
}
}
myclass::__construct()
myclass::unserialize('any data from serizalize()')
object(myclass)#4 (0) {
}
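An added example (not part of the original report or of PHP's own tests) showing why the call order described above matters: a constructor that runs after unserialize() overwrites the state that was just restored, and a guarded constructor avoids that. Record, GuardedRecord, probe() and their properties are hypothetical names; the example assumes a PHP build with pdo_sqlite that still provides Serializable and PDO::FETCH_SERIALIZE.

```php
<?php
// Added example, not code from the bug report. Record, GuardedRecord and
// their properties are hypothetical names; the table follows the report.
class Record implements Serializable
{
    public $state;             // value the object ends up holding
    public $calls = array();   // methods PHP invoked on this object, in order

    public function __construct()
    {
        $this->calls[] = '__construct';
        $this->state = 'constructor default';
    }

    public function serialize()
    {
        return $this->state;
    }

    public function unserialize($data)
    {
        $this->calls[] = 'unserialize';
        $this->state = $data;   // state restored from storage
    }
}

// Workaround sketch: a constructor that leaves an already-hydrated object alone.
class GuardedRecord extends Record
{
    public function __construct()
    {
        if (in_array('unserialize', $this->calls, true)) {
            $this->calls[] = '__construct (skipped)';
            return;
        }
        parent::__construct();
    }
}

// Fetch one row through FETCH_SERIALIZE and report call order and final state.
function probe(PDO $db, $class)
{
    $rows = $db->query('SELECT dat FROM test')
               ->fetchAll(PDO::FETCH_CLASS | PDO::FETCH_SERIALIZE, $class);
    return implode(' -> ', $rows[0]->calls) . ' | state = ' . $rows[0]->state;
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE test(dat VARCHAR(100))');
$db->exec("INSERT INTO test(dat) VALUES ('Data from DB')");   // constructed sample row

foreach (array('Record', 'GuardedRecord') as $class) {
    printf("%-13s %s\n", $class, probe($db, $class));
}
```

On a build that behaves as reported here, Record ends up holding the constructor default instead of the stored value, while GuardedRecord keeps the stored value. On a build that does not call the constructor, both classes report only unserialize and the stored value.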
[2009-02-15 21:11 UTC] davidc@php.net
[2009-03-23 23:20 UTC] felipe@php.net