PHP VERSION: 8.2.18

filtered_unserialize.php


<?php
// filtered unserialize

include __DIR__ . '/foo_bar_baz.php';

// all OK
var_dump(unserialize($serialized['foo']));

// __PHP__Incomplete_Class
var_dump(unserialize($serialized['foo'], ['allowed_classes' => FALSE]));

// works OK
var_dump(unserialize($serialized['foo'], ['allowed_classes' => ['Foo','Bar']]));

// error
var_dump(unserialize($serialized['baz'], ['allowed_classes' => ['Foo','Bar']]));

Output

object(Foo)#4 (1) {
  ["foo"]=>
  string(3) "FOO"
}
object(__PHP_Incomplete_Class)#4 (2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(3) "Foo"
  ["foo"]=>
  string(3) "FOO"
}
object(Foo)#4 (1) {
  ["foo"]=>
  string(3) "FOO"
}
object(__PHP_Incomplete_Class)#4 (2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(3) "Baz"
  ["baz"]=>
  string(3) "BAZ"
}

SOURCE CODE