Why are objects being turned into strings when other unrelated objects are serialized?

Question

The server at my old employer was rooted this past weekend and apparently the server provider made changes to the server which is affecting the PHP code.

The issue that has arisen is related to serializing objects. The objects being serialized, and other objects not being serialized, are being converted to strings thus breaking the code. This code worked before the server was hacked.

Here is what is happening:

$plate = new Plate();
$plate2 = clone $plate;
gettype($plate); // Prints "object"
gettype($plate2); // Prints "object"

$_SESSION['plate'] = serialize($plate);

gettype($plate); // Prints "string"
gettype($plate2); // Prints "string"


$plate = new Plate();
$plate2 = new Plate();
gettype($plate); // Prints "object"
gettype($plate2); // Prints "object"

$_SESSION['plate'] = serialize($plate);

gettype($plate); // Prints "string"
gettype($plate2); // Prints "string"

As you can see the objects, even those not being serialized, are being converted to strings. Any insights?

EDIT: They are running PHP 5.2.12 with register globals on.

Answer 1

Update: I can reproduce half of your test case on PHP 5.3.1 but only if I have register_globals set to On:

session_start(); // obviously

class Plate  // to have something on my plate
 {

    var $Member1;
    var $Member2;

 }

$plate = new Plate();
$plate2 = clone $plate;
echo gettype($plate); // Prints "object"
echo gettype($plate2); // Prints "object"

$_SESSION['plate'] = serialize($plate);

echo gettype($plate); // Prints "string"
echo gettype($plate2); // Prints "object", unlike in your example

$plate = new Plate();
$plate2 = new Plate();
echo gettype($plate); // Prints "object"
echo gettype($plate2); // Prints "object"
$_SESSION['plate'] = serialize($plate);

echo gettype($plate); // Prints "string"
echo gettype($plate2); // Prints "object", unlike in your example

$plate2 always remains untouched for me. Maybe you have a funny $plate2 = &something reference somewhere? Is this actual code? What does my code snippet do on your system?

I think the buggy part has to do with that $_SESSION bug (or side-effect) that treats unitialized variables in $_SESSION as global variables. See this SO question. Changing the name of the session variable to something else will remedy this.

$_SESSION['session_plate'] = serialize($plate);  // $plate will remain unharmed

If setting register_globals to On was the change the provider made, then you should also go beat up your provider.