
PHP Serialization Guides

PHP unserialize Explained

What PHP unserialize does, where serialized data appears, and how to avoid unsafe usage.

PHP unserialize() rebuilds a PHP value from a serialized string. It is useful for legacy data but needs care.

Common scenarios

Code example

$value = unserialize($payload, ['allowed_classes' => false]);

Common errors

Never call unserialize() on untrusted user input with classes enabled. Prefer JSON for new storage and APIs.
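
The advice above as a runnable sketch, added here as an example and not part of the original guide. It shows a magic method running when classes are enabled, then the same payload being rejected with `allowed_classes => false` plus an object check. It assumes PHP 8.0 or later; `AuditProbe`, `decode_plain()` and `assert_no_objects()` are hypothetical names, and the payloads are constructed samples.

```php
<?php
declare(strict_types=1);

// Constructed class for this example: counts how often __wakeup() fires.
final class AuditProbe
{
    public static int $wakeups = 0;
    public function __wakeup(): void { self::$wakeups++; }
}

// Hypothetical helper (not a PHP built-in): accept scalars and arrays only.
function decode_plain(string $payload): mixed
{
    $value = @unserialize($payload, ['allowed_classes' => false, 'max_depth' => 16]);
    // false also signals a parse failure, so tell it apart from a stored false.
    if ($value === false && $payload !== serialize(false)) {
        throw new UnexpectedValueException('payload is not valid serialized data');
    }
    assert_no_objects($value);
    return $value;
}

// With allowed_classes => false every object arrives as __PHP_Incomplete_Class,
// so any object found in the decoded value means the payload is rejected.
function assert_no_objects(mixed $value): void
{
    if (is_object($value)) {
        throw new UnexpectedValueException('serialized objects are not accepted');
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            assert_no_objects($item);
        }
    }
}

$objectPayload = serialize(new AuditProbe());               // constructed sample
$plainPayload  = serialize(['id' => 7, 'tags' => ['a', 'b']]); // constructed sample

unserialize($objectPayload);          // classes enabled: __wakeup() runs on decode
var_dump(AuditProbe::$wakeups);       // counter after the unrestricted call

var_dump(decode_plain($plainPayload)); // plain arrays and scalars pass through
try {
    decode_plain($objectPayload);      // same object payload, classes disabled
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(AuditProbe::$wakeups);       // unchanged: no magic method ran this time
```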


FAQ

Is unserialize dangerous?

It can be dangerous with untrusted data, especially when object classes are allowed.

What should I use for new data formats?

JSON is usually easier to inspect and safer for interchange.
