views: 88
answers: 4

What does serialize() do? Why do we need to serialize an object and again unserialize it? Is it for any sort of security measure?

+1  A: 

Serialization is the process of converting objects into strings, which can then be unserialized back into the same objects that they originally were.

One reason for serializing an object would be to store the serialized object (a string) into a database, from which you could then re-create when retrieving the string and passing it to unserialize.

Jacob Relkin
Not necessarily strings.
bmargulies
I'm not sure what you are referring to, `serialize` returns a string, does it not?
Jacob Relkin
In PHP it does, but in other languages it could be a byte stream (like Java).
webdestroya
@webdestroys Good point.
Jacob Relkin
+1  A: 

Objects cannot be passed around as objects. We serialize them to text, pass them around, and then unserialize them so that they can be used at more than one place or time.

Ignacio Vazquez-Abrams
+1  A: 

It's for storing objects in files, databases or anything that can store strings, or for passing them to another application/server/whatever.

serialize() gives a string representation of an object while unserialize() rebuilds the object from a serialized string. Remember that the object's class definition must still be present to rebuild it.

The PHP manual pretty much explains that, too...

Techpriester
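A worked round trip covering what Jacob Relkin's and Techpriester's answers describe (this is an added example, not code from either answer or from the PHP manual): serialize() produces a string that can be stored anywhere a string fits, unserialize() rebuilds an equivalent object from it, and if the class definition is missing at unserialize() time PHP can only hand back a __PHP_Incomplete_Class placeholder. The Session class, its field values and the "GoneClass" name are constructed for the example.

```php
<?php
// Added example: serialize()/unserialize() round trip and the missing-class case.
// Class, field values and the unknown class name are constructed for illustration.

class Session
{
    public $user;
    public $roles;
    public $expires;

    public function __construct($user, array $roles, $expires)
    {
        $this->user    = $user;
        $this->roles   = $roles;
        $this->expires = $expires;
    }
}

$original = new Session('alice', ['reader', 'editor'], 1700000000);

// serialize() yields a plain string: that is what makes the object storable in a
// database column, a file or a cache entry, or sendable to another process.
$blob = serialize($original);
var_dump(is_string($blob)); // bool(true)
echo $blob, "\n";
// O:7:"Session":3:{s:4:"user";s:5:"alice";s:5:"roles";a:2:{i:0;s:6:"reader";i:1;s:6:"editor";}s:7:"expires";i:1700000000;}

// unserialize() rebuilds an equivalent object: same values, but a new instance.
$restored = unserialize($blob);
var_dump($restored == $original);  // bool(true)  (same property values)
var_dump($restored === $original); // bool(false) (different object identity)
var_dump($restored->roles[1]);     // string(6) "editor"

// The class definition must be loaded when unserialize() runs. To simulate a
// blob whose class no longer exists, rewrite the class name to one that is not
// defined anywhere ("GoneClass", 9 characters, so the length prefix changes too).
$foreign = str_replace('O:7:"Session"', 'O:9:"GoneClass"', $blob);
$stub    = unserialize($foreign);
var_dump(get_class($stub)); // string(22) "__PHP_Incomplete_Class"
// The property values survive inside the placeholder, but no Session methods
// are available and re-serializing it just reproduces the GoneClass blob.
```

The placeholder is the usual symptom when an autoloader is not registered, or a class was renamed, between the time an object was stored and the time it is read back; the fix is to make sure the class is defined (or autoloadable) before calling unserialize(), not to manipulate the string.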
+2  A: 

Serialization is the process of turning an object or an object graph into a form that is independent from the specifics of the current execution environment.

Deserialization is the reverse of serialization. It is the process of reading the data written during serialization and restoring the object or object graph in the current execution environment.

Serialization is similar to Data Marshalling, as both describe writing out an object as execution-independent data. However, serialization is typically tailored to a specific language/platform, often featuring idioms of the host language, while Data marshalling aims to be language-neutral, providing a level of interoperability.

Serialization formats may be opaque or transparent. For example, Java serialization is opaque - the data is not used for purposes other than for deserialization. Java also offers an XMLEncoder/XMLDecoder that writes objects as XML in terms of their public properties. That format is transparent and can be processed/manipulated easily.

Serialization itself is not a security measure. In fact it can be a vulnerability when dealing with secured data. Users of serialization should ensure that the serialized data is guarded by at least the same level of security as the original object instance. Failure to do so is opening up the data to unauthorized use.

mdma
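One way to act on mdma's last point, that serialized data needs at least the protection the live object had (this is an added example, not code from the answer): a stored serialized string is just text, so anyone who can write to the storage location can alter it, and unserialize() will happily rebuild whatever the altered string describes. Two controls in one wrapper: a keyed HMAC over the blob so tampering is detected before unserialize() ever sees the data, and the allowed_classes option of unserialize() (PHP 7.0 and later) so the blob can only instantiate the classes the caller expects, even if the MAC check is somehow bypassed. The Session class, the key and the forged payload are constructed for the example; in real use the key would come from configuration or a secrets store.

```php
<?php
// Added example: guarding a serialized blob with an HMAC and allowed_classes.
// The class, key value and payloads below are constructed for illustration.

class Session
{
    public $user;
    public $isAdmin;

    public function __construct($user, $isAdmin)
    {
        $this->user    = $user;
        $this->isAdmin = $isAdmin;
    }
}

// Assumption: a 32-byte random key loaded from configuration, not hard-coded.
const MAC_KEY = 'example-key-do-not-use-in-production';

// Serialize and append a MAC so the stored string cannot be altered unnoticed.
// The hex MAC contains no ':' so it can be split off again with explode(..., 2).
function seal($obj)
{
    $blob = serialize($obj);
    $mac  = hash_hmac('sha256', $blob, MAC_KEY);
    return $mac . ':' . $blob;
}

// Verify the MAC first (constant-time compare), then unserialize with a class
// whitelist. Returns null for anything that is not an untouched, expected object.
function open($sealed, array $allowedClasses)
{
    $parts = explode(':', $sealed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($mac, $blob) = $parts;
    if (!hash_equals(hash_hmac('sha256', $blob, MAC_KEY), $mac)) {
        return null; // tampered, truncated or produced without the key
    }
    $obj = unserialize($blob, ['allowed_classes' => $allowedClasses]);
    if (!is_object($obj) || get_class($obj) === '__PHP_Incomplete_Class') {
        return null; // not an object, or a class outside the whitelist
    }
    return $obj;
}

$sealed = seal(new Session('alice', false));
var_dump(open($sealed, [Session::class])->isAdmin); // bool(false)

// Tampering: flip the stored isAdmin flag in the string, as someone with write
// access to the database row or file could. Serialized form is 'b:0;' for false.
$forged = str_replace('b:0;', 'b:1;', $sealed);

// Without the guard, the forged string rebuilds a Session with isAdmin = true.
list(, $rawBlob) = explode(':', $forged, 2);
var_dump(unserialize($rawBlob)->isAdmin); // bool(true)

// With the guard, the MAC no longer matches and nothing is rebuilt.
var_dump(open($forged, [Session::class])); // NULL

// allowed_classes alone: a valid-looking blob for a class the caller did not
// expect comes back as __PHP_Incomplete_Class and is rejected by open().
$other = hash_hmac('sha256', 'O:8:"stdClass":0:{}', MAC_KEY) . ':' . 'O:8:"stdClass":0:{}';
var_dump(open($other, [Session::class])); // NULL
```

The MAC answers the "same level of security as the original object" point for integrity: the stored string can be read by anyone who can read the storage, so if the object held secrets it would also need encryption, and the key for either must itself be protected. The class whitelist is the cheaper second line; it does nothing for data that was never supposed to reach unserialize() in the first place, which is why the MAC check runs before it.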