PHP __PHP_Incomplete_Class Object with my $_SESSION data

I've got a site setup that, on page load, turns all user submitted strings into SafeString objects. For those unfamiliar with SafeString, it basically forces the user to echo out sanitized data preventing XSS and whatnot.

Anyways, there's a problem. My $_SESSION array is being filled with __PHP_Incomplete_Class Object. From what I've read, this is due to not initializing the class before the session and then storing class objects in the session.

Here's my code:

    require_once __WEBROOT__ . '/includes/safestring.class.php';

    $temp = array
    (
       &$_SERVER, &$_GET, &$_POST, &$_COOKIE,
       &$_SESSION, &$_ENV, &$_REQUEST, &$_FILES,
       &$HTTP_SERVER_VARS, &$HTTP_GET_VARS,
       &$HTTP_POST_VARS, &$HTTP_COOKIE_VARS,
       &$HTTP_POST_FILES, &$HTTP_ENV_VARS
    );

    function StringsToSafeString(&$array)
    {
       foreach ($array as $key => $value)
       {
          if (is_string($array[$key]))
          {
             $array[$key] = new SafeString($value);
          }

          if (is_array($array[$key]))
          {
             StringsToSafeString($array[$key]);
          }
       }
    }

    StringsToSafeString($temp);

    unset($temp);

I can't think of a way to rewrite this which would solve the problem :/

Any ideas?

When you're accessing $_SESSION, you're not just changing the current script's copy of the data read from the session, you're writing SafeString objects back into the active session.
But putting custom objects in the session is dodgy and something I would generally try to avoid.

To be able to do it you have to have defined the class in question before calling session_start; if you don't, PHP's session handler won't know how to deserialise the instances of that class, and you'll end up with the __PHP_Incomplete_Class Object.
So avoid frobbing the session.

If you must take this approach, make a copy of the data from $_SESSION into a local $mysession array.

However, I have to say I think the whole idea of a SafeString is dangerous and unworkable; I don't think this approach is ever going to be watertight.

Whether a string of raw text is ‘safe’ is nothing to do with where it came from, it is a property of how you encode it for the target context. If you get another text string from a different source such as the database, or a file, or calculated within the script itself, it needs exactly the same handling as a string that came from the user: it needs to be htmlspecialcharsed.

You're going to have to write that escape anyway; the safestring gains you nothing.

If you need to send the string to a different destination format, you would need a different escape. You cannot encapsulate all string processing problems into one handy box and never think about them again; that's just not how strings work.
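
The point about escaping per target context, as an added example that is not part of the original answer: one value is encoded for three output contexts and then read back the way each context's consumer would decode it. The sample value, the context names and the choice of encoders are assumptions made for the demonstration.

```php
<?php
// Constructed sample; the same rules apply whether it came from a form, a database or a file.
$value = 'Tom & "Jerry" <tj@example.test>';

// Each output context has its own encoder and the decoder its consumer applies.
$contexts = [
    'html' => [
        fn(string $s) => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        fn(string $s) => htmlspecialchars_decode($s, ENT_QUOTES),
    ],
    'url' => ['rawurlencode', 'rawurldecode'],
    'js' => [
        fn(string $s) => json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT),
        fn(string $s) => json_decode($s),
    ],
];

// Encode for one context, then decode as every context would.
// Only the matching pair returns the original value.
foreach ($contexts as $written => [$encode]) {
    $encoded = $encode($value);
    echo str_pad($written, 5), $encoded, "\n";
    foreach ($contexts as $read => [, $decode]) {
        $ok = $decode($encoded) === $value ? 'intact' : 'CORRUPTED';
        echo "      read as $read: $ok\n";
    }
}
```

The arrow functions need PHP 7.4 or later.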


You just have to include the safestring.class.php before you call session_start() when you want to read the SafeString objects from $_SESSION variable:
    <?php
    require_once __WEBROOT__ . '/includes/safestring.class.php';
    session_start();
    print_r($_SESSION);
And yeah, if you are using a PHP framework that (most probably) calls session_start() internally, make sure you require_once the class file beforehand (use hooks or whatever mechanisms that the framework provides).


I know it's been years since this was asked, but I'm posting my answer because none of the answers above actually explain to the OP what is actually wrong.

PHP serializes its sessions using the built-in serialize and unserialize methods.

serialize of PHP has the ability to serialize PHP objects (aka class instances) and convert them to string.

When you unserialize those strings, it converts them back to those same classes with those values.

Classes that have some private properties and want to encode/decode that or do something complex in their serialization/deserialization implement the Serializable class and add serialize and unserialize methods to the class.

When PHP's unserialize tries to unserialize a class object, but the class name isn't declared/required, instead of giving a warning or throwing an Exception, it converts it to an object of __PHP_Incomplete_Class.

If you don't want your session objects to convert to __PHP_Incomplete_Class, you can do it by either requiring the class files before you invoke session_start, or by registering an autoload function.
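
The mechanism described in the answers, as an added example that is not part of any original post: the same serialized SafeString is decoded before its class can be found, again after an autoloader is registered, and once more with unserialize()'s allowed_classes option set to false. The payload, the temporary class file, the public $raw property and the describe() helper are assumptions made for the demonstration.

```php
<?php
// Constructed sample: serialize() output for a SafeString with one public property.
$payload = 'O:10:"SafeString":1:{s:3:"raw";s:12:"<b>hello</b>";}';

// Report what unserialize() really built, naming the class it could not find.
function describe(object $value): string
{
    return $value instanceof __PHP_Incomplete_Class
        ? 'incomplete:' . ((array) $value)['__PHP_Incomplete_Class_Name']
        : get_class($value);
}

// 1. Class unknown and no autoloader: the session handler is in this position
//    when session_start() runs before the class file is included.
$before = unserialize($payload);

// Hypothetical class file, written to a temp directory so the script is self-contained.
$dir = sys_get_temp_dir() . '/incomplete_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/SafeString.php", <<<'PHP'
<?php
class SafeString
{
    public $raw;
    public function __toString(): string
    {
        return htmlspecialchars($this->raw, ENT_QUOTES, 'UTF-8');
    }
}
PHP
);

// 2. Autoloader registered before decoding: unserialize() asks it for SafeString.
//    Only plain identifiers are mapped to a file name.
spl_autoload_register(function (string $class) use ($dir): void {
    if (preg_match('/^[A-Za-z_][A-Za-z0-9_]*\z/', $class) && is_file("$dir/$class.php")) {
        require "$dir/$class.php";
    }
});
$after = unserialize($payload);

// 3. allowed_classes => false refuses every class, loaded or not.
$locked = unserialize($payload, ['allowed_classes' => false]);

echo describe($before), "\n", describe($after), ' prints ', $after, "\n", describe($locked), "\n";

unlink("$dir/SafeString.php");
rmdir($dir);
```

The third call shows that __PHP_Incomplete_Class is also what a deliberately restricted decode returns, so code reading serialized data should check the type of what it got back before using it.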


I just dealt with something like this.

Took me hours to finally find how my order was screwed.

I had a file being called asynchronously.

myFile.php. That file contained the following...
    $result = include ("myOtherFile.php");
    return $result;
Myotherfile.php has something like this.
    require_once "lib/myClassLibs.php";
    require_once "webconfig.php";
The webconfig.php had the session_start() call in it.

The lib/myClassLibs has all the class info in it.

If you check before the webconfig call, you can see that the class is available.

If you check before the webconfig call, you will also see that the session has started already.

If you check before the lib/myClassLibs.php, you will see the session is already started. Checking in myFile.php before you include MyOtherFile.php, you find the session has not started.

This represented legacy code that has worked for the last 8 years without me fiddling with it.

I pulled the includes out of the "MyOtherFile.php".

Now my sessions are synching properly.



Lukman's answer is correct.

But you already mention that in your question, so apparently you can't instantiate the class before the session starts, for some reason.

You may want to check if sessions start automatically in the php config:

If they are and you can't help that, you may want to check if you can have your classes autoloaded prior to that:

If all else fails, you can still serialize the objects before you store them in a session, and unserialize them each time you retrieve them:

I don't see in your code where you store your variables, but it would be something like
    $mystuff = unserialize($_SESSION["mystuff"]);
    $mystuff->dostuff();
    $_SESSION["mystuff"] = serialize($mystuff);
Be sure to load the class definition before you unserialize your variables.

$2c, *-pike.


I solved this problem by including the __autoload function at the top of my php file.

So it looks like this:
    <?php
    require_once("path/to/");

    //Needed for serialization/deserialization
    // __autoload() was deprecated in PHP 7.2 and removed in PHP 8.0; spl_autoload_register() replaces it.
    function __autoload($class_name) {
        include "path/to/" . $class_name . '.php';
    }
In PHP 5, this function isn't needed but I was stuck until I used this function.

Hope this helps someone else!


I solved the problem using json_encode and json_decode function.

This is where I wanted to assign the value to session.
    $user_json = json_encode($user);
    $_SESSION['user'] = $user_json;
This is where I show the user after decoding the json.
    session_start();
    $user_json = $_SESSION['user'];
    $user = json_decode($user_json);
This solves my problem but I am not sure about performance or security.

I haven't checked them.


You might just be calling
    session_start();
    session_start();
twice in your code.

Call it once.

Check required php classes for repeats.

This was the fix for me.
