PHP __PHP_Incomplete_Class Object with my $_SESSION data

__php_incomplete_class object serialize
php unserialize object
php unserialize not working
__php_incomplete_class object error
how to get serialized array data in php
php store object in session
php stringify
php unserialize fails

I've got a site setup that, on page load, turns all user submitted strings into SafeString objects. For those unfamiliar with SafeString, it basically forces the user to echo out sanitized data preventing XSS and whatnot..

Anyways, there's a problem. My $_SESSION array is being filled with __PHP_Incomplete_Class Object. From what I've read, this is due to not initializing the class before the session and then storing class objects in the session.

Here's my code:

require_once __WEBROOT__ . '/includes/safestring.class.php'; 

$temp = array
   &$_SERVER, &$_GET, &$_POST, &$_COOKIE,
   &$_SESSION, &$_ENV, &$_REQUEST, &$_FILES,

function StringsToSafeString(&$array)
   foreach ($array as $key => $value)
      if (is_string($array[$key]))
         $array[$key] = new SafeString($value);

      if (is_array($array[$key]))



I can't think of a way to rewrite this which would solve the problem :/

Any ideas?

When you're accessing $_SESSION, you're not just changing the current script's copy of the data read from the session, you're writing SafeString objects back into the active session.

But putting custom objects in the session is dodgy and something I would generally try to avoid. To be able to do it you have to have defined the class in question before calling session_start; if you don't, PHP's session handler won't know how to deserialise the instances of that class, and you'll end up with the __PHP_Incomplete_Class Object.

So avoid frobbing the session. If you must take this approach, make a copy of the data from $_SESSION into a local $mysession array. However, I have to say I think the whole idea of a SafeString is dangerous and unworkable; I don't think this approach is ever going to be watertight. Whether a string of raw text is ‘safe’ is nothing to do with where it came from, it is a property of how you encode it for the target context.

If you get another text string from a different source such as the database, or a file, or calculated within the script itself, it needs exactly the same handling as a string that came from the user: it needs to be htmlspecialchars​ed. You're going to have to write that escape anyway; the safestring gains you nothing. If you need to send the string to a different destination format, you would need a different escape.

You cannot encapsulate all string processing problems into one handy box and never think about them again; that's just not how strings work.

The __PHP_Incomplete_Class Object in PHP, Debugging the $_SESSION we will find that our object is available and is stored as a Duration: 2:11 Posted: 18 Aug 2012 Catchable fatal error: Object of class __PHP_Incomplete_Class could not be converted to string in G:\xampp\htdocs\Manstore\Views\template\header.phtml on line 24 I realised that this was because i needed to include my Person class before session_start(); so i now have this in my header of the page:

I know it's been years since this was asked, but I'm posting my answer because none of the answers above actually explain to the OP what is actually wrong.

PHP serializes its sessions using the built-in serialize and unserialize methods. serialize of PHP has the ability to serialize PHP objects (aka class instances) and convert them to string. When you unserialize those strings, It converts them back those same classes with those values. Classes who have some private properties and want to encode/decode that or do something complex in their serialization/deserialization implement the Serializable class and add serialize and unserialize methods to the class.

When PHP's unserialize tries to unserialize a class object, but the class name isn't declared/required, instead of giving a warning or throwing an Exception, it converts it to an object of __PHP_Incomplete_Class.

If you don't want your session objects to convert to __PHP_Incomplete_Class, You can do it by either requiring the class files before you invoke session_start, or by registering an autoload function.

unserialize - Manual, Here, we use unserialize() to load session data to the If you store such an object in $_SESSION, you will get a post-execution error that says this: __​PHP_Incomplete_Class Object tells you there is an object that needs to be declared  PHP PHP Incomplete Class Object with my $ SESSION data j'ai une configuration de site qui, au chargement de la page, transforme toutes les chaînes soumises par l'utilisateur en objets sécurisés. Pour ceux qui ne sont pas familiers avec SafeString, il oblige essentiellement l'utilisateur à l'écho des données assainies empêchant XSS et

You just have to include the safestring.class.php before you call session_start() when you want to read the SafeString objects from $_SESSION variable:


require_once __WEBROOT__ . '/includes/safestring.class.php';    


and yeah, if you are using PHP framework that (most probably) calls session_start() internally, make sure you require_once the class file beforehand (use hooks or whatever mechanisms that the framework provides).

Php_Incomplete_Class Issue - General Discussion, I need help. This is the error: Fatal error: Cannot use object of type PHP __​PHP_Incomplete_Class Object with my $_SESSION data. php  It does no one any good if this bit of important info about accessing and storing session data remains buried in manual comments. Session variables with a single number will not work, however "1a" will work, as will "a1" and even a just single letter, for example "a" will also work.

Lukman's answer is correct. But you already mention that in your question, so apparently you can't instantiate the class before the session starts, for some reason.

You may want to check if sessions start automatically in the php config:

If they are and yu cant help that, you may want to check if you can have your classes autoloaded prior to that:

If all else fails, you can still serialize the objects before you store them in a session, and unserialize them each them you retrieve them:

I dont see in your code where you store your variables, but it would be something like

$mystuff = unserialize($_SESSION["mystuff"]);
$_SESSION["mystuff"] = serialize($mystuff);

Be sure to load the class definition before you unserialize your variables

$2c, *-pike

What is an incomplete class in PHP?, In order to unserialize such an object, PHP needs the class itself, otherwise it don​'t have any So basically, __PHP_Incomplete_Class means: there is an object from PHP serializes its sessions using the built-in serialize and unserialize  Edit: finally I figured out what the bug was, looks like somehow $_SESSION['user'] gets overwritten by some mysterious force, if I use any variable other than 'user', then everything's fine. PHP(at least 5.3 which is the version I'm using) does serialize and unserialize automatically when you put object in the $_SESSION.

I just dealt with something like this. Took me hours to finally find how my order was screwed.

I had a file being called asynchronously.


that file contained the following..

$result = include ("myOtherFile.php");
return $result;

Myotherfile.php has something like this

require_once "lib/myClassLibs.php";
require_once "webconfig.php";

the webconfig.php had the session_start() call in it.

The lib/myClassLibs has all the class info init. If you check before the webconfig call, you can see that the class is available.

If you check before the webconfig call, you will also see that the session has started already. If you check before the lib/myClassLibs.php, you will see the session is already started.

Checking in myFile.php before you include MyOtherFile.php, you find the session has not started.

This represented legacy code that has worked for the last 8 years without me fiddling with it. I pulled the includes out of the "MyOtherFile.php". Now my sessions are synching properly.

How to access object that is stored in session in PHP?, This is how I've stored an object in session, if ($_REQUEST) if ($_REQUEST) { $userDataObj = new UserData(); $userDataObj->userName = $_REQUEST['​name_text']; Actually my data is storing, here is my session data, => Mahuariya [country] => India ) __PHP_Incomplete_Class Object  If this option is defined and unserialize() encounters an object of a class that isn't to be accepted, then the object will be instantiated as __PHP_Incomplete_Class instead. Omitting this option is the same as defining it as TRUE : PHP will attempt to instantiate objects of any class.

How to access session array? - PHP, data['password']. <p>You are logged in as <span> <?php echo $_SESSION['​loggedin']?> </span></p> Catchable fatal error: Object of class __​PHP_Incomplete_Class could not be converted to string in G:\xampp\htdocs\​Manstore\Views\  You cannot simply store an object instance into the session. Otherwise the object will not be appeared correctly in your next page and will be an instance of __PHP_Incomplete_Class. To do so, you need to serializeyour object in the first call and unserializethem in the next calls to have the object definitions and structure all intact.

Sessions, The $_SESSION variable is an array, and you can Note that if you store an object in a session, it can be Otherwise, the object will come out as the type __​PHP_Incomplete_Class , which may later  Description: ----- This is a very special case. If an object of class that extends ArrayIterator is saved in session data and the class definition is not available in a later call, then the session data gets corrupted. Call the example code three times to see the bug.

PHP PHP Incomplete Class Object with my $ SESSION data, Mon tableau $_SESSION est rempli avec __PHP_Incomplete_Class Object . D'​après ce que j'ai lu, ceci est dû au fait de ne pas initialiser la classe avant la  Do you have session.auto_start enabled? The manual's session page states that if you do, you have to load the class definition differently: If you turn on session.auto_start then the only way to put objects into your sessions is to load its class definition using auto_prepend_file in which you load the class definition else you will have to serialize your object and unserialize it afterwards.

  • Great Answer. +1. I love PHP :D My problem was an old cache file. Would assume, a error message like that: "Object couldn't be deserialized, because it couldn't be found"...
  • "require the class BEFORE calling session_start()"
  • ProTip: if the solution doesn't seem to work, remember to clear the session/session cookie/try in a private browsing window. I wasted time debugging because I forgot the __PHP_Incomplete_Class objects had already been stored in the session, doh!
  • If using SPL, would it works? (Still not implemented, but would eventually)
  • Thank you so much <3
  • Thanks, this solution seems the easiest, especially for my small class/object. Can somebody tell me if there are any security concerns with this?
  • Autoloading (or explicit loading, which you won't want in modern PHP) is always needed when a class being unserialized from $_SESSION data - this has nothing to do with the version of PHP being used... you can't unserialize a class, if that class can't be (or isn't already) loaded, hence you get __PHP_Incomplete_Class for anything that failed to autoload.
  • Calling session_start twice does not cause the problem. Not having the needed class loaded causes the problem.