PHP unserialize() Function

Quick summary: The PHP unserialize() function converts a serialized string back into a PHP value.

PHP unserialize() Syntax

unserialize(string $data, array $options = []): mixed
PHP

PHP unserialize() Basic examples

$str = 'a:1:{s:1:"a";i:1;}';
var_dump(unserialize($str));
PHP
Output:
array(1) { ["a"]=> int(1) }

Restores serialized data.

PHP unserialize() Real-world usage

$cached = serialize(['count'=>5]);
$data = unserialize($cached);
var_dump($data['count']);
PHP
Output:
int(5)

Reads cached data.

PHP unserialize() Edge cases

var_dump(unserialize('invalid'));
PHP
Output:
bool(false)

Invalid serialized strings return false.

PHP unserialize() Common mistakes

Unserializing untrusted input

This can lead to object injection vulnerabilities.

Incorrect
unserialize($_POST['payload']);
Correct
unserialize($payload, ['allowed_classes'=>false]);

Restrict allowed classes or avoid unserialize.

PHP unserialize() Frequently Asked Questions

What does unserialize() do?

unserialize() converts a serialized string back to a PHP value.

Is unserialize() safe?

No, it can be unsafe with untrusted data.

What is allowed_classes?

Restricts which classes can be instantiated.

Can it return false?

Yes, on failure.

Use case?

Restoring stored PHP data.

Difference from json_decode()?

Handles PHP-specific serialized format.

Handles objects?

Yes.

Security risk?

Yes, object injection vulnerabilities.

Performance?

Moderate.

Common mistake?

Using with user input.

Can fail silently?

Yes, check return value.

Safer alternative?

json_decode().

PHP unserialize() Related PHP Functions