1--TEST-- 2Test unserialize() with second parameter 3--FILE-- 4<?php 5class foo { 6 public $x = "bar"; 7} 8$z = array(new foo(), 2, "3"); 9$s = serialize($z); 10 11var_dump(unserialize($s)); 12var_dump(unserialize($s, ["allowed_classes" => false])); 13var_dump(unserialize($s, ["allowed_classes" => true])); 14var_dump(unserialize($s, ["allowed_classes" => ["bar"]])); 15var_dump(unserialize($s, ["allowed_classes" => ["FOO"]])); 16var_dump(unserialize($s, ["allowed_classes" => ["bar", "foO"]])); 17--EXPECTF-- 18array(3) { 19 [0]=> 20 object(foo)#%d (1) { 21 ["x"]=> 22 string(3) "bar" 23 } 24 [1]=> 25 int(2) 26 [2]=> 27 string(1) "3" 28} 29array(3) { 30 [0]=> 31 object(__PHP_Incomplete_Class)#%d (2) { 32 ["__PHP_Incomplete_Class_Name"]=> 33 string(3) "foo" 34 ["x"]=> 35 string(3) "bar" 36 } 37 [1]=> 38 int(2) 39 [2]=> 40 string(1) "3" 41} 42array(3) { 43 [0]=> 44 object(foo)#%d (1) { 45 ["x"]=> 46 string(3) "bar" 47 } 48 [1]=> 49 int(2) 50 [2]=> 51 string(1) "3" 52} 53array(3) { 54 [0]=> 55 object(__PHP_Incomplete_Class)#%d (2) { 56 ["__PHP_Incomplete_Class_Name"]=> 57 string(3) "foo" 58 ["x"]=> 59 string(3) "bar" 60 } 61 [1]=> 62 int(2) 63 [2]=> 64 string(1) "3" 65} 66array(3) { 67 [0]=> 68 object(foo)#%d (1) { 69 ["x"]=> 70 string(3) "bar" 71 } 72 [1]=> 73 int(2) 74 [2]=> 75 string(1) "3" 76} 77array(3) { 78 [0]=> 79 object(foo)#%d (1) { 80 ["x"]=> 81 string(3) "bar" 82 } 83 [1]=> 84 int(2) 85 [2]=> 86 string(1) "3" 87} 88