3

When a user logs into my site, I create an instance of my User class, fetch some user-related data and store the object in the SESSION.

Some of the data I fetch from the database should be constant throughout the session AND I want the data to be accessible from other objects. I prefer using User::$static_value_in_class to $_SESSION['static_value_in_session'] when using the value from within another object, but I'm open to persuasion.

The problem is, the values aren't remembered when I serialize my User instance into the SESSION, then load a different page.

Class definitions:

class User {
    public $name;
    public static $allowed_actions;
    public function __construct($username, $password) {
        // Validate credentials, etc.
        self::$allowed_actions = get_allowed_actions_for_this_user($this);
    }   
}
class Blog {
    public static function write($text) {
        if (in_array(USER_MAY_WRITE_BLOG, User::$allowed_actions)) {
            // Write blog entry
        }
    }
}

login.php:

$user = new User($_POST['username'], $_POST['password']);
if (successful_login($user)) {
    $_SESSION['user'] = $user;
    header('Location: index.php');
}

index.php:

if (!isset($_SESSION['user'])) {
    header('Location: login.php');
}
Blog::write("I'm in index.php! Hooray!")
// Won't work, because Blog requires User::$allowed_actions

Should I implement Serializable and write my own version of serialize() and unserialize() to include the static data?

Should I bite my lip and access the $_SESSION variable from within the Blog class?

Should I require a valid User instance sent to the Blog write() method?

Or maybe the internets has a better idea...



EDIT: Writing my real use case (not full code, but enough to get the gist).

My site handles groups of users with shared budget accounts. Users may spend group money on certain things the group agreed upon, and they report transactions by creating instances of the Transaction class and sending it to the Bank class for database storage.

Bank class:

class Bank {
   // Group-agreed reasons to spend money
   public static $valid_transaction_reasons;
   public function __construct(User $user) {
      Bank::$valid_transaction_reasons = load_reasons_for_this_group($user->bank_id);
   }
}

User class:

class User {
   public $bank_id;
   public function __construct($username, $password) {
      $query = "SELECT bank_id FROM users WHERE username=$username AND password=$password";
      $result = mysql_fetch_array(mysql_query($query));
      $this->bank_id = $result['bank_id'];
   }
}

Transaction class:

class Transaction {
   public function __construct($reason, $amount) {
      if (!in_array($reason, Bank::$valid_transaction_reasons)) {
         // Error! Users can't spend money on this, the group doesn't cover it
      }
      else {
         // Build a Transaction object
      }
   }
}

Actual code (login.php, or something):

$user = new User($_GET['uname'], $_GET['pword']);
$_SESSION['bank'] = new Bank($user);

// Some shit happens, user navigates to submit_transaction.php

$trans = new Transaction(REASON_BEER, 5.65);
// Error! Bank::$valid_transaction_reasons is empty!
Improve this question
5
  • php.net/manual/en/oop4.magic-functions.php Commented Feb 13, 2013 at 17:21
  • 1
    Are you sure a $allowedActions should be static? Its part of the state of a user so it should not be static. Commented Feb 13, 2013 at 17:24
  • Thank you! Can you give an example of __sleep() and __wakeup that mimic the default serialize() and unserialized() so I know what to change? Commented Feb 13, 2013 at 17:26
  • @hek2mgl, $allowed_actions is an example. The code I posted is useless, just illustrating the problem, not an actual use case. Commented Feb 13, 2013 at 17:26
  • @Dori I'm currently about to write an answer that states design errors in your software. Although you can do this __sleep, __wakeup hack it will lead to unwanted side effects. Thats because of the nature of static vars. A static property is not part of the state of an object and will therefore not being serialized with it. Commented Feb 13, 2013 at 17:27

2 Answers 2

Reset to default
6

As I mentioned in the comment, this is more a software design question than a question how to achieve this with PHP.

A static property is not part of the state of an object and will therefore not being serialized with it.

I'll give you a short example how I would solve a related problem. Imagine you have the following message class, that has a static $id property to make sure all instances have a unique id:

class Message {

    public static $id;

    public $instanceId;

    public $text;

    /**
     *
     */
    public function __construct($text) {
        // the id will incremented in a static var
        if(!self::$id) {
            self::$id = 1;
        } else {
            self::$id++;
        }

        // make a copy at current state
        $this->instanceId = self::$id; 
        $this->text = $text;
    }
}

Serialization / Unserialization code:

$m1 = new Message('foo');
printf('created message id: %s text: %s%s',
    $m1->instanceId,  $m1->text, PHP_EOL);
$m2 = new Message('bar');
printf('created message id: %s text: %s%s',
    $m2->instanceId,  $m2->text, PHP_EOL);

$messages = array($m1, $m2);

$ser1 = serialize($m1);
$ser2 = serialize($m2);

$m1 = unserialize($ser1);
printf('unserialized message id: %s text: %s%s',
    $m1->instanceId,  $m1->text, PHP_EOL);
$m2 = unserialize($ser2);
printf('unserialized message id: %s text: %s%s',
    $m2->instanceId,  $m2->text, PHP_EOL);

To make sure that the id is unique across multiple script runs further work is nessary. You'll have to make sure that Message::$id is initialized before any object creation, using the value from last script run. This will get additionally wired when it comes to parallel PHP request on a webserver.

Its just an example with the simplest static property I know: an instance counter. In this case I would do so. But I hope you see that there is further work required to serialize / unserialize static properties without have side effects. And this depends on your application needs.

This question cannot be answered general I tend to say it makes no sense in any case to serialize static members. But I would appreciate comments on this.

Improve this answer
Sign up to request clarification or add additional context in comments.

14 Comments

So basically, copy the values of the static value to actual class properties so they will be serialized?
Its just an example with the simplest static property I know: an instance counter. In this case I would do so. But read the last paragraph. I hope you see that there is further work required to serialize / unserialize static properties without have side effects
@Dori the problem with turning them into actual object properties is that they will not get updated when some other code changes the class state.
@Gordon the class state won't change until the SESSION is destroyed, and then I will need to reserialize a new instance anyway
@Dori so the allowed actions are per user. It's pretty clear that they should be object members in the User object then.
|
1

Some of the data I fetch from the database should be constant throughout the session AND I want the data to be accessible from other objects.

If the data is really constant, then make them a constant.

If the data is not constant, consider whether they belong to the individual users (the object instances) or the User as the general concept (which is what a class is).

Should I implement Serializable and write my own version of serialize() and unserialize() to include the static data?

It does not make sense to store static members in the serialized object's string because they are independent from each other. Storing them would be a snapshot of the class state at the time the object was serialized.

Consider the following code snippet:

$user = new User;
$user::$allowed_actions = 'foo';
$string = serialize($user);
unset($user);

Now imagine some other part of your code does this:

echo User::$allowed_actions;

It still gives "foo" despite no object being in memory at the moment. That is because it's a static member. It's class state.

Now imagine you do this:

User::$allowed_actions = 'bar';

If you do unserialize the object now what should $allowed_actions be? Foo or Bar?

$user = unserialize($string);
echo $user::$allowed_actions;

The output should and would be "bar", because static members are about the class. The fact that we created, destroyed and brought back an object from it is irrelevant. It's all state of the class we changed here.

Also, take into account that statics are death to testability and you want to avoid them when possible. After all, it's called OOP not Class-Oriented-Progamming.

Should I bite my lip and access the $_SESSION variable from within the Blog class?

No, you should not access any of the superglobals anywhere but write abstractions for each of them or rather for the data inside them. They are merely input sources. In case of $_SESSION what you want to do is get all the data you need for that particular request right in your bootstrap and then pass the data around instead, e.g. recreate the user and pass that around.

Should I require a valid User instance sent to the Blog write() method?

In general, methods should be on the objects with the most information to fulfill an action. Whether that applies to your Blog::write I do not know. If the allowed_actions are part of the User instance, then probably yes, you should likely require a valid User instance.

Or maybe the internets has a better idea...

Another option would be to put the permissions into a dedicated Permissions object, holding the user role and it's permission. You could then lookup the permission from that list by passing in a User object. Search for Access Control Lists (ACL) for more info on possible implementations.

EDIT: Writing my real use case (not full code, but enough to get the gist).

If your concern is simply that Bank::$valid_transaction_reasons could be empty, then don't store Bank in the Session at all but only load it from the user when you run the transaction, e.g. create the Bank instance in submit_transaction.php (create it when you need it). That way you will never run into an error.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.