Is serialized

Is there a way to detect if a string is a serialized object/array ?

eg



if there isn't then I may have to write my own, and knowing my ambitions it will end up trying to detect php's serialize, json and xml. Knowing my skills, this may not fully work!!!

Hi,

where do these strange strings come from?

If it's a leftover of some buggy program or something and there's really no better solution, I'd simply call unserialize() and check if the return value is not "false". But you have to make sure the string isn't actually a serialized "false" (b:0 -- the genius of PHP strikes again.

Of course that's not an elegant solution, but the problem isn't elegant, either.

I wouldn't even try to parse the strings. You'd end up rewriting complex stuff that PHP has already built in. Only do that if you're dealing with gigantic values that cannot simply be deserialized on the fly.

It's coming from several external sources in POST requests

In one instance it's a payment gateway similar to paypal, some values are plain text scalar values, others have been serialzed using php's serialize function or equivilent

In another case it is coming from a POST request made by client side javascript and could be either xml or JSON.

However, in some cased the entire response is either JSON or XML (i use file_get_contents("php://input");) in other cases I am receiving more standard URL encoded POST data, with some values serialised or JSON'd

I am attempting to consolidate the code, so I only have to maintain one receiver, rather than 3...if I could get the code to decide what to run then future development would be easier.

I could look at the first few characters and attempt to make a decision, decode and compare to the original....but it all just seems a bit messy

Does each value have a predefined data format? If that's the case, then why you don't you use this information to select the correct decoding function?

I'm not really sure what you're trying to do. If you're trying to write a generalized function, which automatically determines the data format for each case, then this is not a good idea. Set the format explicitly.

Or is the data format of the values not even known beforehand? That would be a real mess ...

Some, but not all



most of the time this is true

The problem is that the data is not being properly handled/formatted by the 3rd parties.

for example, the serialized strings could easily be url encoded, but it's serialized instead, eg $_POST['response'] is a serilaized string as its value, rather than being an array like

$_POST['response']['amount'] or $_POST['response']['auth_number']

testing if something is an array is nice and easy...testing if something was an array....

Well, in this case either use unserialize() as suggested above or your idea of checking only the first few characters.

If you need the unserialized values, anyway, then unserialize() would actually be a pretty good way of dealing with this.

I'm hoping to avoid unnecessarily calling unserialize() on values which are not serialized

Why? If it's not serialized, the function will simply fail after the first few characters.

If you don't like that, then use your idea. Give up hope of finding a perfect solution for this. The application you're getting the values from is simply broken, so all you can do is try to find an acceptable workaround. You have two sensible options. Both aren't elegant, but they'll work.

Yes, you could dig deep into the PHP source code, look up the exact serialize() logic and then write a parser. But how would that improve the application? It would be just as broken as it was before, but you'll have wasted a lot of time.

A quick check would be to see if the string stars with \w+:, so:

-Dan