Serializing Objects

o Functions: serialize() / unserialize()

o Magic method __sleep() is executed on serialization, if available
o Allows you to specify which properties should be stored (serialized) and which should not

o Can also create/change properties for serialization

o Magic method __wakeup() is executed on deserialization, if available; e.g. to reopen a database connection unique to the object
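The __sleep()/__wakeup() pair in working code, as an added example that is not part of the original notes: the class name DbRecord and its fake connection string are constructed for the demo, and unserialize() is given the allowed_classes option so that a string from outside the application can only produce this one class.

```php
<?php
// Added example (not from the original notes): __sleep() selects what is
// stored, __wakeup() restores transient state after unserialize().
class DbRecord {
    public $id;
    public $name;
    private $conn;        // transient handle, never serialized

    public function __construct($id, $name) {
        $this->id = $id;
        $this->name = $name;
        $this->connect();
    }

    private function connect() {
        // Stand-in for a real connection handle (assumption for the demo).
        $this->conn = 'connection#' . uniqid();
    }

    // Return the names of the properties to serialize; $conn is left out.
    public function __sleep() {
        return ['id', 'name'];
    }

    // Runs after unserialize(); reopen the connection unique to this object.
    public function __wakeup() {
        $this->connect();
    }

    public function conn() { return $this->conn; }
}

$r = new DbRecord(7, 'alice');   // constructed sample data
$s = serialize($r);
echo $s, "\n";                   // the string carries id and name only

// Restrict which classes may be instantiated from the string; any other
// class name in the input becomes __PHP_Incomplete_Class instead.
$copy = unserialize($s, ['allowed_classes' => ['DbRecord']]);
echo $copy->conn(), "\n";        // a fresh handle created by __wakeup()
```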


Object cloning creates a copy of an object. A copy is made with the clone keyword; the __clone() method cannot be called directly. In PHP, cloning performs a shallow copy, not a deep copy: the objects contained in the copied object are not themselves copied. If you need a deep copy, define a __clone() method that copies them.

When an object is cloned, PHP 5 will perform a shallow copy of all of the object’s properties. Any properties that are references to other variables will remain references.

Once the cloning is complete, if a __clone() method is defined, the newly created object's __clone() method is called so that any properties that need to change can be adjusted.

 class Customer {
     private $name;

     public function setName($name) {
         $this->name = $name;
     }

     public function getName() {
         return $this->name;
     }

     // Called on the copy after PHP's shallow copy; the return value of
     // __clone() is ignored, so the object created here is simply discarded.
     public function __clone() {
         $c = new Customer();
         return $c;
     }
 }

 $c1 = new Customer();
 $c1->setName("Alice");
 $c2 = clone $c1;

 echo $c1->getName()."\n";
 echo $c2->getName()."\n";   // same name: the property was copied into $c2
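A deep copy via __clone(), as an added example that is not part of the original notes: the Address class and the Customer fields are constructed for the demo. Without the __clone() method both customers would share one Address object.

```php
<?php
// Added example (not from the original notes): the default clone is shallow,
// so a contained Address object would be shared; __clone() deep-copies it.
class Address {
    public $city;
    public function __construct($city) { $this->city = $city; }
}

class Customer {
    public $name;
    public $address;

    public function __construct($name, Address $address) {
        $this->name = $name;
        $this->address = $address;
    }

    // Called on the new copy after the shallow copy has been made;
    // replace the shared reference with a copy of its own.
    public function __clone() {
        $this->address = clone $this->address;
    }
}

$c1 = new Customer('Alice', new Address('Oslo'));   // constructed sample
$c2 = clone $c1;
$c2->address->city = 'Bergen';

echo $c1->address->city, "\n";   // c1 keeps its own Address (Oslo)
echo $c2->address->city, "\n";   // c2 has the changed copy (Bergen)
```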


• Secure Sockets Layer (SSL) encryption protects data as it is transmitted between client and server

• SSH (Secure Shell) encrypts the network connection between the client and the database server

• Application-level encryption: store data as ciphertext produced by openssl_encrypt() and read it back with openssl_decrypt()

• Encrypt data before insertion and decrypt it on retrieval

• Store sensitive data as a hashed value when it only needs to be verified, never read back
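Column-level encryption and hashing in working code, as an added example that is not part of the original notes: the helper names encryptField()/decryptField(), the AES-256-GCM cipher choice and the sample card number are assumptions for the demo. GCM is used so that a modified ciphertext is rejected on decryption instead of silently yielding garbage.

```php
<?php
// Added example (not from the original notes): encrypt a field before it is
// inserted, decrypt on retrieval, and hash data that is only ever verified.
const CIPHER = 'aes-256-gcm';

function encryptField(string $plaintext, string $key): string {
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));   // fresh IV per record
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Store iv + tag + ciphertext together; base64 keeps it in a text column.
    return base64_encode($iv . $tag . $ct);
}

function decryptField(string $stored, string $key): string {
    $raw   = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $iv    = substr($raw, 0, $ivLen);
    $tag   = substr($raw, $ivLen, 16);
    $ct    = substr($raw, $ivLen + 16);
    $pt    = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // Wrong key, or ciphertext/tag modified in the database: fail closed.
        throw new RuntimeException('decryption failed or data was tampered with');
    }
    return $pt;
}

// The key would normally come from a secrets store; generated here for the demo.
$key    = random_bytes(32);
$stored = encryptField('4111 1111 1111 1111', $key);   // constructed sample value
echo decryptField($stored, $key), "\n";

// Data that must only be verified (a password) is hashed, not encrypted.
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse battery staple', $hash));
```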


A way of storing data in the browser to identify or track a user. Cookies are created (set) with the setcookie() or setrawcookie() function, which must be called before any output is sent to the browser.

Output buffering can delay script output, allowing time to decide whether to set cookies or send headers.

setcookie() parameters, as defined in the specification:

  • $name: cookie name (string)
  • $value: cookie value (string)
  • $expire: expiry time; optional, default is end of session
  • $path: the URLs within a domain for which the cookie is valid
  • $domain: the domain for which the cookie is valid; checked against the host's Internet domain name
  • $secure: cookie only transmitted over secure channels (HTTPS); boolean
  • $httponly: cookie only accessible via the HTTP protocol, not JavaScript; boolean

Access cookies with the $_COOKIE or $_REQUEST superglobal. Cookie data from the client is automatically placed in $_COOKIE if the variables_order directive includes "C" (E/G/P/C/S = environment, GET, POST, cookie, server). A cookie overwrites the previous one if name, path, domain, secure and httponly are identical.

Cookies are sent as part of the HTTP header. As with sessions, multiple values can be assigned to an array; to assign all values to a single cookie, use serialize() or implode() on the values.
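Setting and reading cookies as an added example that is not part of the original notes: the cookie names, the sample values and the one-hour lifetime are constructed for the demo. The options-array form of setcookie() (PHP 7.3+) is used so the secure/httponly attributes from the parameter list above are set explicitly, and output buffering lets the script emit HTML before the cookie is decided.

```php
<?php
// Added example (not from the original notes): set a cookie after output
// has started (thanks to buffering), pack several values into one cookie,
// and read them back on the next request.
ob_start();                        // buffer output so headers can still be sent
echo "<p>Rendering page...</p>\n";

// Several values in one cookie: implode() on the way out ...
$recent = ['home', 'cart', 'checkout'];   // constructed sample data
$ok = setcookie('recent', implode(',', $recent), [
    'expires'  => time() + 3600,   // one hour; 0 would mean end of session
    'path'     => '/',
    'domain'   => '',              // current host only
    'secure'   => true,            // sent over HTTPS only
    'httponly' => true,            // not readable from JavaScript
    'samesite' => 'Lax',           // limits sending on cross-site requests
]);

// ... and explode() when it comes back in $_COOKIE on the next request.
$seen = isset($_COOKIE['recent']) ? explode(',', $_COOKIE['recent']) : [];

// Alternatively, an array-style name makes PHP build $_COOKIE['prefs']['theme'].
setcookie('prefs[theme]', 'dark', [
    'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);

ob_end_flush();                    // now send the headers and the buffered body
var_dump($ok);                     // false means headers had already been sent
var_dump($seen);                   // empty on the first request, filled afterwards
```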


Apply output encoding at key stages of the form submission process.

HTML output: the htmlspecialchars() function encodes special characters in data before it is placed in HTML, as a security measure

URLs: encode data with urlencode() before placing it in a URL; urldecode() decodes a URL-encoded string


A way of collecting data online from a user accessing a web site.

Form data is automatically available to PHP scripts. Dots and spaces in variable names are converted to underscores.

Form data can be made into an array using the following syntax: <input name="FormArray[]">.

Group elements by assigning the same array name to different elements; keys can also be specified.

The $_POST superglobal contains all POST data; used with forms submitted via the POST method.

The $_GET superglobal contains all GET data. $_REQUEST is independent of the data source and merges information from GET, POST and cookies; its use is not recommended.
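Form handling together with the HTML and URL encoding described above, as an added example that is not part of the original notes: the field names user_name and tags[], the sample values and search.php are constructed, and $_POST is filled in by hand so the script runs from the command line.

```php
<?php
// Added example (not from the original notes): process a POSTed form that
// uses the tags[] array syntax, then escape values for HTML and URL contexts.
// $_POST is filled with constructed data; in a real request PHP fills it.
$_POST = [
    'user_name' => 'Bob <script>alert(1)</script>',   // field "user name" arrives as user_name
    'tags'      => ['php', 'a&b', 'c d'],             // from <input name="tags[]">
];

// Read from $_POST only; $_REQUEST is avoided because it merges GET, POST and cookies.
$name = isset($_POST['user_name']) ? (string) $_POST['user_name'] : '';
$tags = (isset($_POST['tags']) && is_array($_POST['tags'])) ? $_POST['tags'] : [];

// HTML context: htmlspecialchars() turns <, >, &, " and ' into entities,
// so the browser renders the value as text instead of interpreting it.
$safeName = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<p>Hello, $safeName</p>\n";

// URL context: urlencode() each value before it goes into a query string,
// and HTML-escape the finished URL when it is written into an attribute.
$link = 'search.php?tag=' . urlencode($tags[1]);
echo '<a href="' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . '">search</a>', "\n";

// urldecode() reverses the encoding when a URL-encoded string is read back.
var_dump(urldecode(urlencode($tags[1])) === $tags[1]);

// Array fields keep their structure; keys can be given too (tags[primary]).
foreach ($tags as $i => $tag) {
    echo $i, ': ', htmlspecialchars($tag, ENT_QUOTES, 'UTF-8'), "\n";
}
```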


A way of preserving data across a series of web site accesses by the same user. Session support is enabled by default; configuration options are set in php.ini. SID (string) is a pre-defined constant within this extension.

The user is assigned a unique identifier, the "session ID". The session ID is stored in a cookie on the client or in the URL.

A site access by the user triggers the session ID check automatically if session.auto_start = 1, or on request using session_start().

$_SESSION is available as a global variable.

Enable session.use_only_cookies to enforce cookie usage (and prevent session IDs in the URL), and enable session.cookie_httponly to prevent JavaScript access to the cookie (helping to prevent session hijacking via XSS).
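The session hardening settings above applied from code, as an added example that is not part of the original notes: the loginUser() function and the user id 42 are constructed for the demo, and session.cookie_secure, session.use_strict_mode and session_regenerate_id() are added here as the usual companions of the two directives the notes name.

```php
<?php
// Added example (not from the original notes): configure the session cookie
// before session_start(); ini_set() here mirrors the php.ini directives.
ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
ini_set('session.use_trans_sid', '0');      // and never append one to links
ini_set('session.cookie_httponly', '1');    // cookie hidden from JavaScript
ini_set('session.cookie_secure', '1');      // cookie sent over HTTPS only
ini_set('session.use_strict_mode', '1');    // reject ids the server never issued

session_start();

// After a privilege change (login), issue a fresh id so an id captured
// earlier no longer maps to the authenticated session.
function loginUser(int $userId): void {
    session_regenerate_id(true);            // true: delete the old session data
    $_SESSION['user_id'] = $userId;
    $_SESSION['issued']  = time();
}

loginUser(42);   // constructed sample
echo 'session id: ', session_id(), "\n";
// SID is empty when the id arrived in a cookie, otherwise "name=id".
echo 'SID constant: ', (SID === '' ? '(empty: id travels in the cookie)' : SID), "\n";
```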


A finally block may also be specified after, or instead of, catch blocks. Code within the finally block is always executed after the try and catch blocks, regardless of whether an exception was thrown, and before normal execution resumes.

 function doSomething($a, $b) {
     return $a / $b;
 }

 try {
     echo doSomething(4, 2), "\n";
     echo doSomething(1, 0), "\n";   // throws DivisionByZeroError as of PHP 8
 } catch (Exception $ex) {
     echo 1;                         // not reached: an Error is not an Exception
 } catch (ArgumentCountError $ace) {
     echo 2;                         // e.g. doSomething(1) with a missing argument
 } catch (DivisionByZeroError $dbze) {
     echo 3;
 } finally {
     print "This part is always executed\n";
 }