In PHP 2 identical objects have 2 different hash keys once serialized

Question

Take the following PHP code:

$a = new stdClass;
$b = $a;
var_dump(spl_object_hash($a) === spl_object_hash($b)); // true

list ($cachedA, $cachedB) = unserialize(serialize([$a, $b]));
var_dump(spl_object_hash($cachedA) === spl_object_hash($cachedB)); // true

$cachedA = unserialize(serialize($a));
$cachedB = unserialize(serialize($b));
var_dump(spl_object_hash($cachedA) === spl_object_hash($cachedB)); // false

It seems that object $a and object $b even though they are the same object once serialised and then deserialised have a different hash identifier.

Could someone explain is this expected behaviour?

Jos&#233; Lorenzo Rodr&#237;guez · Accepted Answer

This is completely expected, in fact serilizing/unserializing has been a cheap object cloning trick for quite a while.

spl_object_hash is a actually an address in the memory allocation table for objects in PHP. It is easier to understand why an object with the same properties gets assigned a new hash if you think that the hash is not the result of its type and properties values. If it were, then the hash would be changing constantly. Moreover, if you think as it as a memory address, then you realize that it first needs to be created before the object is constructed, thus, while unserializing it gets a different one.

From an implementation perspective, you can imagine why would assigning the same address is troublesome and dangerous. The first problem would be that the memory address, or object hash, would need to be stored in the serialized string, memory addresses change in between requests, so keeping track of that is not trivial. Additionally, any malicious user would then be able to alter this hash and point anywhere in the address space a cause segmentation faults of just fatal errors.

In PHP 2 identical objects have 2 different hash keys once serialized

Answers (2)

spl_object_hash

PHP's serialize format

Related Questions