Subject: Integer check should be stricter
When you try to serialize a long string of integers, you get an integer with a value of -1. Trying serialize('5555555555'), for example, gives 'i:-1;'. The %d format for sprintf only handles 32-bit signed integers, but encode() treats all strings of digits as integers. Even without sprintf, PHP wouldn't be able to handle integers outside that range.
I've attached a patch. I also had to change the regex for floats to avoid having it catch the long digit strings. Probably the float check should be tightened further as well, but I'm not sure what the limits should be or how to avoid losing accuracy. The float check is less of a problem, since long strings that look like floats are much less common, whereas long strings of digits often show up in product codes and the like.
Index: PHP/Serialization.pm
===================================================================
RCS file: /home/cvs/common/perl/PHP/Serialization.pm,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- PHP/Serialization.pm 2004/04/13 20:19:41 1.1
+++ PHP/Serialization.pm 2004/04/23 22:10:46 1.2
@@ -304,9 +304,9 @@
if ( ! defined $val ) {
return $self->_encode('null',$val);
} elsif ( ! ref($val) ) {
- if ( $val =~ /^-?\d+$/ ) {
+ if ( $val =~ /^-?\d{1,10}$/ && abs($val) < 2**31 ) {
return $self->_encode('int',$val);
- } elsif ( $val =~ /^-?\d+(\.\d+)?$/ ) {
+ } elsif ( $val =~ /^-?\d+\.\d*$/ ) {
return $self->_encode('float',$val);
} else {
return $self->_encode('string',$val);
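Review bot: the new integer test `abs($val) < 2**31` rejects -2147483648, which is the smallest valid 32-bit signed integer, so that one value falls through to the float regex (no match) and is encoded as a string; a signed range check such as `$val >= -2**31 && $val <= 2**31 - 1` keeps the full 32-bit range while still excluding the overflowing digit strings the report describes. The `\d{1,10}` prefix is fine as a cheap pre-filter, since every value in range has at most ten digits. On the float line, dropping the `?` is what stops bare digit strings from matching, as intended, but `\d*` now also accepts a trailing point with no fraction (e.g. `5.`), which is probably harmless yet worth a comment.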
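An added example, not code from PHP::Serialization, reimplementing the patched scalar classification in Python so the boundary cases can be checked: the regexes are the ones from the patch, but the integer bound is written as a signed range so that -2147483648 stays an integer (the `php_serialize_scalar` helper and its string byte-length handling are this example's own assumptions about the PHP format).

```python
import re

# PHP on a 32-bit build stores integers as signed 32-bit values.
INT_MIN, INT_MAX = -2**31, 2**31 - 1

INT_RE = re.compile(r'^-?\d{1,10}$')     # at most ten digits, as in the patch
FLOAT_RE = re.compile(r'^-?\d+\.\d*$')   # digits, a point, optional fraction


def classify(val):
    """Return 'null', 'int', 'float' or 'string' for a scalar.

    Mirrors the patched check, but uses a signed range instead of abs()
    so INT_MIN itself is still classified as an integer.
    """
    if val is None:
        return 'null'
    s = str(val)
    if INT_RE.match(s) and INT_MIN <= int(s) <= INT_MAX:
        return 'int'
    if FLOAT_RE.match(s):
        return 'float'
    return 'string'


def php_serialize_scalar(val):
    """Emit the PHP serialize() form for one scalar (assumed format: N;, i:..;, d:..;, s:len:"..";)."""
    kind = classify(val)
    if kind == 'null':
        return 'N;'
    s = str(val)
    if kind == 'int':
        return 'i:%d;' % int(s)
    if kind == 'float':
        return 'd:%s;' % s
    # Long digit strings (product codes and the like) end up here, not as -1.
    # PHP's s: length is a byte count, so encode before measuring.
    return 's:%d:"%s";' % (len(s.encode('utf-8')), s)


if __name__ == '__main__':
    for v in ('42', '5555555555', '-2147483648', '2147483648', '3.14', None):
        print(repr(v), '->', php_serialize_scalar(v))
```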