PHP unserialize() Function
Quick summary: The PHP unserialize() function converts a serialized string back into a PHP value.
PHP unserialize() Syntax
unserialize(string $data, array $options = []): mixed
PHP
PHP unserialize() Basic examples
$str = 'a:1:{s:1:"a";i:1;}';
var_dump(unserialize($str));
PHP
Output:
array(1) { ["a"]=> int(1) }
Restores serialized data.
PHP unserialize() Real-world usage
$cached = serialize(['count'=>5]);
$data = unserialize($cached);
var_dump($data['count']);
PHP
Output:
int(5)
Reads cached data.
PHP unserialize() Edge cases
var_dump(unserialize('invalid'));
PHP
Output:
bool(false)
Invalid serialized strings return false.
PHP unserialize() Common mistakes
Unserializing untrusted input
This can lead to object injection vulnerabilities.
Incorrect
unserialize($_POST['payload']);
Correct
unserialize($payload, ['allowed_classes'=>false]);
Restrict allowed classes or avoid unserialize.
PHP unserialize() Frequently Asked Questions
What does unserialize() do?
unserialize() converts a serialized string back to a PHP value.
Is unserialize() safe?
No, it can be unsafe with untrusted data.
What is allowed_classes?
Restricts which classes can be instantiated.
Can it return false?
Yes, on failure.
Use case?
Restoring stored PHP data.
Difference from json_decode()?
Handles PHP-specific serialized format.
Handles objects?
Yes.
Security risk?
Yes, object injection vulnerabilities.
Performance?
Moderate.
Common mistake?
Using with user input.
Can fail silently?
Yes, check return value.
Safer alternative?
json_decode().