
PHP Data Serialization and Deserialization Security

Serialization converts an object into a format that can be stored or transmitted. Deserializing untrusted data, however, can lead to serious security vulnerabilities, because PHP reconstructs whatever objects the data describes and runs their magic methods. This post covers how to use PHP serialization safely.

Serialization and deserialization

```php
<?php
class User
{
    public function __construct(
        public string $name,
        public int $age,
        private string $password
    ) {}
}

$user = new User('张三', 28, 'secret123');
$serialized = serialize($user);
echo "Serialized: $serialized\n";

$unserialized = unserialize($serialized);
echo "Name: {$unserialized->name}\n";
?>
```

Note that serialize() writes every property into the string, the private $password included (it appears under a mangled key containing the class name). Anyone who can read the serialized data can read the password.

Safe deserialization

```php
<?php
// Unsafe: any class named in the data is instantiated, and its
// __wakeup()/__unserialize()/__destruct() methods run
$data = unserialize($userInput);

// Safer: only the listed classes may be instantiated (PHP 7.0+)
$data = unserialize($userInput, ['allowed_classes' => [User::class, DateTime::class]]);

// Safest: no classes at all; every object in the data becomes a
// __PHP_Incomplete_Class placeholder whose magic methods never run
$data = unserialize($userInput, ['allowed_classes' => false]);
?>
```

JSON serialization is safer

```php
<?php
$userData = ['name' => '张三', 'age' => 28, 'email' => 'test@test.com'];
$json = json_encode($userData, JSON_UNESCAPED_UNICODE);
echo "JSON: $json\n";

$decoded = json_decode($json, true);
echo "Name: {$decoded['name']}\n";

// JSON is safer than PHP serialization: json_decode() never instantiates
// application classes, so no magic method can be triggered by the input.
// JSON is cross-language, but it only carries scalars, arrays and plain
// objects (stdClass); class and type information is lost.
?>
```

Custom serialization control

```php
<?php
class SecureUser implements Serializable
{
    public function __construct(
        public string $name,
        public string $email,
        private string $password = ''
    ) {}

    public function serialize(): string
    {
        // Only the non-sensitive fields are written out
        return serialize(['name' => $this->name, 'email' => $this->email]);
    }

    public function unserialize(string $data): void
    {
        // The inner payload is an array of scalars, so no class is needed
        $arr = unserialize($data, ['allowed_classes' => false]);
        $this->name = $arr['name'];
        $this->email = $arr['email'];
        $this->password = '';
    }
}

// PHP 7.4+: __serialize()/__unserialize() are the recommended mechanism.
// Implementing Serializable on its own is deprecated since PHP 8.1.
class SecureUser2
{
    public function __construct(
        public string $name,
        public string $email,
        private string $password = ''
    ) {}

    public function __serialize(): array
    {
        return ['name' => $this->name, 'email' => $this->email];
    }

    public function __unserialize(array $data): void
    {
        $this->name = $data['name'];
        $this->email = $data['email'];
        $this->password = '';
    }
}
?>
```

Defending against deserialization vulnerabilities

```php
<?php
function safeUnserialize(string $data, array $allowedClasses = []): mixed
{
    // An empty allowlist permits no classes at all, like allowed_classes => false
    return unserialize($data, ['allowed_classes' => $allowedClasses]);
}

function detectMaliciousPayload(string $data): bool
{
    // Denylist of substrings from well-known dangerous class names.
    // This is only a weak heuristic: class names are chosen by the
    // attacker, so the check is easily bypassed. The real control is
    // the allowed_classes allowlist above.
    $dangerous = ['RCE', 'System', 'Shell', 'Eval'];
    foreach ($dangerous as $class) {
        if (str_contains($data, $class)) return true;   // str_contains: PHP 8.0+
    }
    return false;
}

$userInput = 'O:8:"stdClass":0:{}';
if (!detectMaliciousPayload($userInput)) {
    // stdClass is not in the allowlist, so $obj is a __PHP_Incomplete_Class
    $obj = safeUnserialize($userInput, [DateTime::class]);
}
?>
```

Choosing a serialization format

PHP serialization is suitable for internal data exchange, but deserializing untrusted data is risky.
JSON serialization is safer and suitable for API data exchange.
Custom serialization control (__serialize/__unserialize) prevents sensitive fields from leaking.
Do not unserialize() data supplied by users.
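The following is an added example (my code, not from the original post) that puts the "safe deserialization" and "defending against deserialization vulnerabilities" sections side by side on one payload. AuditLogger is a hypothetical class standing in for any class in a real code base whose magic methods have side effects; the payload, the target file path and the HMAC key are constructed for the demonstration. It shows that the default unserialize() runs the attacker's chosen destructor, that allowed_classes turns the object into a __PHP_Incomplete_Class that is then rejected, and that data the application produced itself can be authenticated with an HMAC before unserialize() ever sees it.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget class: its destructor writes attacker-controlled
// properties to an attacker-controlled path.
final class AuditLogger
{
    public string $logFile = '/tmp/app.log';
    public string $message = '';

    public function __destruct()
    {
        file_put_contents($this->logFile, $this->message, FILE_APPEND);
    }
}

// Constructed attacker payload: a serialized AuditLogger aimed at a file the
// application never intended to write.
$target  = sys_get_temp_dir() . '/unserialize-demo.txt';
$payload = sprintf(
    'O:11:"AuditLogger":2:{s:7:"logFile";s:%d:"%s";s:7:"message";s:5:"owned";}',
    strlen($target),
    $target
);

function unsafeLoad(string $data): mixed
{
    return unserialize($data);                 // any class may be instantiated
}

function safeLoad(string $data, array $allowedClasses): mixed
{
    $value = unserialize($data, [
        'allowed_classes' => $allowedClasses,
        'max_depth'       => 32,               // PHP 7.4+: cap nesting depth
    ]);
    if ($value === false && $data !== 'b:0;') {
        throw new RuntimeException('malformed serialized data');
    }
    if (containsIncompleteClass($value)) {
        throw new RuntimeException('disallowed class in serialized data');
    }
    return $value;
}

// PHP substitutes __PHP_Incomplete_Class for every class outside the
// allowlist; walk the result so nested placeholders are caught too.
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

// For data the application produced itself (a cookie, a cache entry), sign it
// so anything not produced with $key is rejected before it is parsed.
function signedSerialize(mixed $value, string $key): string
{
    $blob = serialize($value);
    return hash_hmac('sha256', $blob, $key) . '.' . $blob;
}

function verifiedUnserialize(string $signed, string $key, array $allowedClasses): mixed
{
    $parts = explode('.', $signed, 2);
    if (count($parts) !== 2) {
        throw new RuntimeException('missing signature');
    }
    [$mac, $blob] = $parts;
    if (!hash_equals(hash_hmac('sha256', $blob, $key), $mac)) {
        throw new RuntimeException('serialized data failed authentication');
    }
    return safeLoad($blob, $allowedClasses);
}

// 1. Default unserialize(): the object is built and __destruct() fires as
//    soon as the discarded result is freed, writing to $target.
@unlink($target);
unsafeLoad($payload);
echo "unsafe : ", file_exists($target) ? "attacker wrote $target" : "no write", "\n";
@unlink($target);

// 2. Allowlist: AuditLogger is not permitted, so no destructor runs and the
//    placeholder object is rejected.
try {
    safeLoad($payload, [DateTime::class]);
} catch (RuntimeException $e) {
    echo "safe   : rejected (", $e->getMessage(), ")\n";
}
echo "safe   : ", file_exists($target) ? "written" : "nothing written", "\n";

// 3. Signed data: a legitimate DateTime round-trips; a swapped-in payload
//    fails authentication before unserialize() is called.
$key    = 'constructed-demo-key-use-a-random-secret';
$signed = signedSerialize(new DateTime('2024-01-01 00:00:00 UTC'), $key);
echo "signed : ", verifiedUnserialize($signed, $key, [DateTime::class])->format(DATE_ATOM), "\n";

$tampered = explode('.', $signed, 2)[0] . '.' . $payload;
try {
    verifiedUnserialize($tampered, $key, [DateTime::class]);
} catch (RuntimeException $e) {
    echo "signed : tampered payload rejected (", $e->getMessage(), ")\n";
}
```

Run it with `php` 8.0 or newer. The signing step is the part that makes serialized cookies or cache entries tolerable: the allowlist limits what an attacker can instantiate, but the HMAC check means attacker-supplied bytes are never parsed at all, which also removes the resource-exhaustion and parser-bug surface that allowed_classes does not address.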