Guide to unserializing objects in PHP

(PHP 4, PHP 5, PHP 7, PHP 8)

unserialize - Creates a PHP value from a stored representation

Description

unserialize(string $data, array $options = []): mixed

unserialize() takes a single serialized variable and converts it back into a PHP value.

Warning

Do not pass untrusted user input to unserialize() regardless of the value of allowed_classes in options. Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Use a safe, standard data interchange format such as JSON (via json_decode() and json_encode()) if you need to pass serialized data to the user.

If you need to unserialize externally-stored serialized data, consider using hash_hmac() for data validation. Make sure the data cannot be modified by anyone but you.
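The following is an added example, not code from the PHP manual. It shows both halves of the warning above: first, that an ordinary class with a side-effecting magic method is all an attacker needs once they control the serialized string, and second, the hash_hmac() pattern the manual recommends, so that only strings your own code produced are ever parsed. The AuditLog class, seal()/unseal() and the secret handling are assumptions for illustration.

```php
<?php
// Added example, not from the PHP manual. AuditLog, seal()/unseal() and the
// secret handling are assumptions for illustration, not project code.

class AuditLog
{
    public function __construct(public string $path, public string $line) {}

    // Runs when the object is destroyed, which happens right after
    // unserialize() returns if nobody keeps a reference to the result.
    public function __destruct()
    {
        file_put_contents($this->path, $this->line . PHP_EOL, FILE_APPEND);
    }
}

// Constructed attacker payload. Nothing in AuditLog is "vulnerable"; the
// attacker simply chooses the property values, here the output path.
$target = sys_get_temp_dir() . '/unserialize-demo.txt';
$evil   = 'O:8:"AuditLog":2:{'
        . 's:4:"path";s:' . strlen($target) . ':"' . $target . '";'
        . 's:4:"line";s:5:"pwned";}';

unserialize($evil);               // __destruct() fires with the attacker-chosen $path
var_dump(file_exists($target));   // proves the write happened
@unlink($target);

// Hardened storage: authenticate the blob before you parse it.
function seal(mixed $value, string $secret): string
{
    $blob = serialize($value);
    return hash_hmac('sha256', $blob, $secret) . '|' . $blob;
}

function unseal(string $sealed, string $secret): mixed
{
    [$tag, $blob] = explode('|', $sealed, 2) + [1 => ''];
    // hash_equals() is constant-time; a plain === would leak timing.
    if (!hash_equals(hash_hmac('sha256', $blob, $secret), $tag)) {
        throw new RuntimeException('serialized data failed HMAC check');
    }
    // Still restrict classes: the HMAC proves origin, not that the data
    // needs objects at all.
    return unserialize($blob, ['allowed_classes' => false]);
}

$secret = random_bytes(32);       // assumed: kept outside the web root in practice
$sealed = seal(['user' => 'alice', 'role' => 'viewer'], $secret);
var_dump(unseal($sealed, $secret));

// Swapping the blob (or flipping one byte of it) is rejected before
// unserialize() ever sees it, so AuditLog::__destruct() never runs.
$tampered = strstr($sealed, '|', true) . '|' . $evil;
try {
    unseal($tampered, $secret);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The HMAC tag is hex, so splitting on the first `|` is unambiguous. The secret must stay server-side; if it leaks, an attacker can mint valid tags for any payload and you are back to the first half of the example.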

Parameters

data

The serialized string.

If the variable being unserialized is an object, after successfully reconstructing the object PHP will automatically attempt to call the __unserialize() or __wakeup() method (if one exists; __unserialize() takes precedence when both are defined).

Note: unserialize_callback_func directive

It is possible to set a callback function that is called when an undefined class is about to be instantiated during unserialization (to avoid ending up with an incomplete object of class __PHP_Incomplete_Class). Autoloading is tried first; the callback runs only if the class is still undefined afterwards, and it receives the class name as its single argument. Define unserialize_callback_func in php.ini, via ini_set() or in .htaccess. It is called every time an undefined class is encountered. To disable this feature, leave the setting empty.
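An added example (not the manual's Example #2, which is not reproduced on this page) showing what the unserialize_callback_func hook receives and where it sits relative to autoloading and __PHP_Incomplete_Class. The LegacyReport class and the file map are assumptions for illustration.

```php
<?php
// Added example, not from the PHP manual. LegacyReport and the file map are
// assumptions for illustration.

ini_set('unserialize_callback_func', 'on_unknown_class');

// Order of events for an unknown class name: autoloaders run first; if the
// class is still undefined this callback runs with the bare class name; if
// it is still undefined afterwards, unserialize() falls back to
// __PHP_Incomplete_Class. When allowed_classes excludes the class, none of
// this runs: the object is made incomplete directly.
function on_unknown_class(string $class): void
{
    error_log("unserialize(): no class named '$class'");

    // The name comes straight out of the serialized string, so it is
    // attacker-controlled whenever the string is. Never derive a file path
    // from it; resolve through a fixed map instead.
    $known = [
        'LegacyReport' => __DIR__ . '/LegacyReport.php',
    ];
    if (isset($known[$class]) && is_file($known[$class])) {
        require_once $known[$class];
    }
}

// Constructed input naming a class this script does not define.
$obj = unserialize('O:12:"LegacyReport":1:{s:5:"title";s:2:"Q1";}');
var_dump(get_class($obj));   // incomplete class unless LegacyReport.php defined it
var_dump($obj);              // the properties survive either way
```

The callback cannot veto anything: it only gets a chance to define the class. Rejection is the job of allowed_classes, which runs before autoloading and before this hook.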

options

Any options to be provided to unserialize(), as an associative array.

Valid options

  Name             Type   Description
  allowed_classes  mixed  Either an array of class names which should be accepted, false to accept no classes, or true to accept all classes. If this option is defined and unserialize() encounters an object of a class that isn't to be accepted, then the object will be instantiated as __PHP_Incomplete_Class instead. Omitting this option is the same as defining it as true: PHP will attempt to instantiate objects of any class.

Return Values

The converted value is returned, and can be a bool, int, float, string, array or object.

In case the passed string cannot be unserialized, false is returned and an E_NOTICE is issued (E_WARNING as of PHP 8.3).

Errors/Exceptions

Objects may throw Throwables in their unserialization handlers.

Changelog

Version  Description
7.1.0    The allowed_classes element of options is now strictly typed, i.e. if anything other than an array or a bool is given, unserialize() returns false and issues an E_WARNING.

Examples

Example #1 unserialize() example

Example #2 unserialize_callback_func example

Notes

Warning

false is returned both in the case of an error and when unserializing the serialized false value. It is possible to catch this special case by comparing data with serialize(false) or by catching the issued E_NOTICE (E_WARNING as of PHP 8.3).

See Also

  • json_encode() - Returns the JSON representation of a value
  • json_decode() - Decodes a JSON string
  • hash_hmac() - Generate a keyed hash value using the HMAC method
  • serialize() - Generates a storable representation of a value
  • Autoloading Classes
  • unserialize_callback_func
  • __wakeup()
  • __serialize()
  • __unserialize()

me+phpnet at unreal4u dot com

4 years ago

Just a reminder which may save somebody some time regarding the `$options` array:

Say you want to be on the safe side and not allow any objects to be unserialized... My first thought was doing the following:



The correct way of doing this is the following:


Hope it helps somebody!
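An added example, not the manual's code and not the poster's (whose snippets are not reproduced on this page). It serves both the allowed_classes row in the options table above and the reminder in this note: each value of the option side by side, the shortcut that does not work, and a check that fails loudly when an incomplete object turns up anywhere in the result. The Invoice class and assert_no_incomplete() are assumed names; that passing the bool directly was the poster's "first thought" is likewise an assumption.

```php
<?php
// Added example, not the manual's or the poster's code. Invoice and
// assert_no_incomplete() are assumed names.

class Invoice
{
    public int $total = 0;
}

$payload = serialize(['inv' => new Invoice(), 'n' => 1]);

// Option omitted or true: every class named in the string is instantiated.
$v = unserialize($payload);
var_dump(get_class($v['inv']));

// false: no class is ever instantiated; objects arrive as
// __PHP_Incomplete_Class with their properties attached.
$v = unserialize($payload, ['allowed_classes' => false]);
var_dump($v['inv'] instanceof __PHP_Incomplete_Class);

// Allowlist: only the listed classes are instantiated; anything else
// (including whatever an attacker names) degrades to the incomplete class.
$v = unserialize($payload, ['allowed_classes' => [Invoice::class]]);
var_dump($v['inv'] instanceof Invoice);

// The shortcut that does not work: $options must be an array, so passing
// the bool directly (assumed here to be the note's "first thought") is a
// TypeError on PHP 8 (a warning plus null on PHP 7), not "no classes".
try {
    unserialize($payload, false);
} catch (TypeError $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}

// Degrading to __PHP_Incomplete_Class is silent. If the data should never
// contain a disallowed class, fail loudly instead of carrying the stub
// around: walk the result and reject any incomplete object, at any depth.
function assert_no_incomplete(mixed $value, ?SplObjectStorage $seen = null): void
{
    $seen ??= new SplObjectStorage();     // guards against object reference cycles
    if (is_object($value)) {
        if ($value instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException(
                'serialized data named a class outside the allowlist'
            );
        }
        if ($seen->contains($value)) {
            return;
        }
        $seen->attach($value);
        $value = (array) $value;          // all properties, any visibility
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            assert_no_incomplete($item, $seen);
        }
    }
}

try {
    assert_no_incomplete(unserialize($payload, ['allowed_classes' => false]));
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Note that allowed_classes only controls instantiation; the properties of a disallowed object are still parsed and attached to the __PHP_Incomplete_Class stub, which is why the walk above is worth doing before the result is used.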

hadley8899 at gmail dot com

2 years ago

For the people who are getting the error

PHP Notice:  unserialize(): Error at offset 191 of 285 bytes in ...

and are getting the data from a database: make sure that you have the database set to the correct encoding. I had the database set as latin1_swedish_ci and all of the data looked perfect; in fact, when I copied it into an online unserializer it worked fine. I changed the collation to utf8mb4_unicode_ci and all worked fine.

daniel at fourstaples dot com

12 years ago

Here's a simple function to get the class of a serialized string (that is, the type of object that will be returned if it's unserialized):



```php
    Child One
';
// MAKE AN OBJECT (GIVES SimpleXMLElement)
$obj = simplexml_load_string($xml);
// STORE THE OBJECT IN THE SESSION
$_SESSION['obj'] = $obj;
```
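An added example, not the function from the note by daniel at fourstaples above (which is not reproduced on this page): it reads the class named at the top level of a serialized string without unserializing it, so a payload can be logged or refused before any object is built. The function name is assumed.

```php
<?php
// Added example, not the poster's code. Function name is assumed.

/**
 * Class named at the top level of $serialized, or null when the top-level
 * value is not an object. Both object encodings are recognised:
 *   O:<len>:"Name":<count>:{...}   ordinary objects
 *   C:<len>:"Name":<len>:{...}     classes using the Serializable interface
 */
function serialized_class_name(string $serialized): ?string
{
    if (preg_match('/^[OC]:(\d+):"([^"]*)":/', $serialized, $m) !== 1) {
        return null;
    }
    // Refuse strings whose declared name length does not match the name:
    // that is either corruption or someone hand-editing the payload.
    return strlen($m[2]) === (int) $m[1] ? $m[2] : null;
}

// Constructed inputs, including one that lies about the length.
$samples = [
    serialize(new stdClass()),
    serialize(new ArrayIterator([1, 2])),
    serialize(['not' => 'an object']),
    'C:6:"Legacy":3:{abc}',        // constructed: Serializable-style encoding
    'O:99:"stdClass":0:{}',        // constructed: wrong declared length
    'junk',
];
foreach ($samples as $s) {
    var_dump(serialized_class_name($s));
}

// Caveat: only the outermost value is inspected. Objects nested inside an
// array or inside another object's properties are invisible here, so use
// this for logging and early rejection; enforcement belongs to
// allowed_classes, which sees every object in the string.
$allowed = ['stdClass'];
$class   = serialized_class_name($samples[1]);
if ($class !== null && !in_array($class, $allowed, true)) {
    error_log("refusing serialized object of class $class");
}
```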

chris AT cmbuckley DOT co DOT uk

14 years ago

As mentioned in the notes, unserialize returns false in the event of an error and for boolean false. Here is the first solution mentioned, without using error handling:
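An added example, not the poster's code (which is not reproduced on this page): a wrapper that distinguishes "unserialize() failed" from "the stored value really was false" by comparing against serialize(false) first, as the Notes section above describes, and that captures the notice instead of silencing it with @. The function name is assumed.

```php
<?php
// Added example, not the poster's code. The function name is assumed.

/**
 * Strict wrapper around unserialize(): returns the decoded value, or throws
 * on malformed input. The only string that legitimately decodes to false is
 * serialize(false), i.e. "b:0;", so that case is settled by string
 * comparison before unserialize() is even called.
 */
function unserialize_strict(string $data, array $options = ['allowed_classes' => false]): mixed
{
    if ($data === serialize(false)) {
        return false;
    }

    // unserialize() reports malformed input with E_NOTICE (E_WARNING since
    // PHP 8.3) and returns false. Capture the message so the failure reason
    // travels with the exception instead of landing in the error log alone.
    $message = null;
    set_error_handler(static function (int $errno, string $errstr) use (&$message): bool {
        $message = $errstr;
        return true;                        // handled; do not propagate
    });
    try {
        $value = unserialize($data, $options);
    } finally {
        restore_error_handler();
    }

    if ($value === false) {
        throw new UnexpectedValueException(
            'unserialize() failed: ' . ($message ?? 'no details reported')
        );
    }
    return $value;
}

// Constructed inputs: a real value, the serialized false, and a truncated
// array that unserialize() cannot parse.
foreach (['i:42;', 'b:0;', 'a:2:{i:0;i:1;'] as $data) {
    try {
        var_dump(unserialize_strict($data));
    } catch (UnexpectedValueException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

Exceptions thrown by __unserialize() or __wakeup() handlers pass straight through; the finally block makes sure the error handler is restored either way.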
