System.Runtime.Serialization.Formatters.Binary.BinaryFormatter class

Warning

Binary serialization can be dangerous. For more information, see BinaryFormatter security guide.

This article provides supplementary remarks to the reference documentation for this API.

The SoapFormatter and BinaryFormatter classes implement the IRemotingFormatter interface to support remote procedure calls (RPCs), and the IFormatter interface (inherited by the IRemotingFormatter) to support serialization of a graph of objects. The SoapFormatter class also supports RPCs with ISoapMessage objects, without using the IRemotingFormatter functionality.

During RPCs, the IRemotingFormatter interface allows the specification of two separate object graphs: the graph of objects to serialize, and an additional graph that contains an array of header objects that convey information about the remote function call (for example, transaction ID or a method signature).

RPCs that use the BinaryFormatter separate into two distinct parts: method calls, which the client sends to the server and which identify the remote object and the method to invoke, and method responses, which the server sends back to the client with the status and return information from the called method.

During serialization of a method call, the first object of the object graph must support the IMethodCallMessage interface. To deserialize a method call, use the Deserialize method with the HeaderHandler parameter. The remoting infrastructure uses the HeaderHandler delegate to produce an object that supports the ISerializable interface. When the BinaryFormatter invokes the HeaderHandler delegate, the delegate returns the URI of the remote object whose method is being called. The first object in the graph returned supports the IMethodCallMessage interface.

The serialization procedure for a method response is identical to that of a method call, except the first object of the object graph must support the IMethodReturnMessage interface. To deserialize a method response, use the DeserializeMethodResponse method. To save time, details about the caller object are not sent to the remote object during the method call. These details are instead obtained from the original method call, which is passed to the DeserializeMethodResponse method in the IMethodCallMessage parameter. The first object in the graph returned by the DeserializeMethodResponse method supports the IMethodReturnMessage interface.

Important

Using binary serialization to deserialize untrusted data can lead to security risks. For more information, see Validate All Inputs and the BinaryFormatter security guide.
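The two warnings above are the whole security story of this class: BinaryFormatter lets the payload, not the receiving code, decide which types are instantiated, so an attacker who controls the bytes controls what runs during deserialization. The following is an added example, not code from the original article or from .NET itself. It places the unsafe pattern beside the hardened replacement: a constructed Order type and an OrderWire helper (both invented here for illustration) are serialized with System.Text.Json, which can only ever materialize the declared target type, and the decoded values are validated after the shape check.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Constructed message type for this example; any type crossing a trust boundary
// would do. [Serializable] is only needed for the BinaryFormatter path.
[Serializable]
public sealed class Order
{
    public int Id { get; set; }
    public string Customer { get; set; } = "";
    public decimal Amount { get; set; }
}

public static class OrderWire
{
    // UNSAFE: the payload, not the caller, decides which types get instantiated.
    // BinaryFormatter reconstructs whatever type graph the stream names and runs
    // those types' deserialization logic before the cast to Order is checked,
    // so untrusted bytes must never reach this method. On current .NET versions
    // (.NET 8 and later) the call throws NotSupportedException unless the
    // EnableUnsafeBinaryFormatterSerialization switch is turned on.
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete
    public static Order UnsafeDeserialize(byte[] payload)
    {
        using var stream = new MemoryStream(payload);
        return (Order)new BinaryFormatter().Deserialize(stream);
    }
#pragma warning restore SYSLIB0011

    // HARDENED: System.Text.Json materializes only the declared target type and
    // its public properties; nothing in the payload can name another type.
    private static readonly JsonSerializerOptions Options = new()
    {
        MaxDepth = 16,             // bound nesting so hostile input cannot exhaust the stack
        AllowTrailingCommas = false,
    };

    public static byte[] Serialize(Order order) =>
        JsonSerializer.SerializeToUtf8Bytes(order, Options);

    public static Order Deserialize(byte[] payload)
    {
        Order? order = JsonSerializer.Deserialize<Order>(payload, Options);
        if (order is null)
            throw new InvalidDataException("payload did not contain an order");
        // Deserialization only enforces shape; validate the values as well.
        if (order.Id <= 0 || order.Amount < 0m || order.Customer.Length > 256)
            throw new InvalidDataException("order failed validation");
        return order;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values.
        var original = new Order { Id = 42, Customer = "alice", Amount = 19.99m };
        byte[] wire = OrderWire.Serialize(original);
        Order back = OrderWire.Deserialize(wire);
        Console.WriteLine($"round-tripped order {back.Id} for {back.Customer}: {back.Amount}");
    }
}
```

The point of the hardened path is that the set of reachable types is fixed at compile time by the generic argument. A custom SerializationBinder on BinaryFormatter does not give the same guarantee, which is why the security guide linked above recommends replacing the formatter rather than wrapping it.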

Unpaired surrogates

Any unpaired surrogate characters are lost in binary serialization. For example, the following string contains an unpaired high surrogate (\ud800) between the two Test words:

Test\ud800Test

Before serialization, the UTF-16 code units of the string are as follows (the values are 16-bit char values, not bytes; 55296 is 0xD800):

UTF-16 code unit Character
84 T
101 e
115 s
116 t
55296 \ud800
84 T
101 e
115 s
116 t

After deserialization, the unpaired high surrogate is gone and only the eight remaining code units survive:

UTF-16 code unit Character
84 T
101 e
115 s
116 t
84 T
101 e
115 s
116 t
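Silent data alteration in a serializer is a correctness and integrity problem, so a practitioner wants to detect unpaired surrogates before the string ever reaches the formatter. The following is an added example, not code from the original article or from .NET itself. The SurrogateCheck class and its methods are invented here: CodeUnits reproduces the two tables above, FirstUnpairedSurrogate scans for a high surrogate without a following low surrogate (or a low surrogate on its own), RequireWellFormed turns that into a fail-closed check, and RoundTrip reproduces the article's scenario with BinaryFormatter itself.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Runtime.Serialization.Formatters.Binary;

public static class SurrogateCheck
{
    // UTF-16 code units of a string, matching the columns in the tables above.
    public static ushort[] CodeUnits(string s) => s.Select(c => (ushort)c).ToArray();

    // Index of the first surrogate code unit that is not part of a high/low pair,
    // or -1 if the string is well-formed UTF-16.
    public static int FirstUnpairedSurrogate(string s)
    {
        for (int i = 0; i < s.Length; i++)
        {
            if (char.IsHighSurrogate(s[i]))
            {
                if (i + 1 < s.Length && char.IsLowSurrogate(s[i + 1])) { i++; continue; }
                return i; // high surrogate with no following low surrogate
            }
            if (char.IsLowSurrogate(s[i]))
                return i; // low surrogate with no preceding high surrogate
        }
        return -1;
    }

    // Reject strings that would not round-trip instead of letting the formatter
    // silently alter them. Callers that need lossless transport of arbitrary
    // UTF-16 should send the code units (ushort[] or byte[]) rather than a string.
    public static string RequireWellFormed(string s)
    {
        int bad = FirstUnpairedSurrogate(s);
        if (bad >= 0)
            throw new ArgumentException(
                $"unpaired surrogate 0x{(int)s[bad]:X4} at index {bad}", nameof(s));
        return s;
    }

#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete; used only to reproduce the article's scenario
    public static string RoundTrip(string s)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream();
        formatter.Serialize(stream, s);
        stream.Position = 0;
        return (string)formatter.Deserialize(stream);
    }
#pragma warning restore SYSLIB0011
}

public static class Program
{
    public static void Main()
    {
        string input = "Test\ud800Test"; // the article's input, constructed inline
        Console.WriteLine("before: " + string.Join(" ", SurrogateCheck.CodeUnits(input)));
        Console.WriteLine("first unpaired surrogate at index " + SurrogateCheck.FirstUnpairedSurrogate(input));

        string paired = "Test\ud83d\ude00Test"; // U+1F600 as a valid surrogate pair
        Console.WriteLine("valid pair, unpaired index: " + SurrogateCheck.FirstUnpairedSurrogate(paired));

        try
        {
            // Throws NotSupportedException on current .NET versions unless the
            // EnableUnsafeBinaryFormatterSerialization switch is enabled.
            string output = SurrogateCheck.RoundTrip(input);
            Console.WriteLine("after:  " + string.Join(" ", SurrogateCheck.CodeUnits(output)));
            Console.WriteLine(input == output ? "lossless" : "string was altered by serialization");
        }
        catch (NotSupportedException e)
        {
            Console.WriteLine("BinaryFormatter is disabled on this runtime: " + e.Message);
        }
    }
}
```

For "Test\ud800Test" the check reports index 4, the position of the lone 0xD800 in the first table; for the string with a complete pair it reports -1. Calling RequireWellFormed on the way into any serializer that transcodes strings to UTF-8 makes the loss described above a visible error at the sender rather than a silent change at the receiver.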