
What is the unserialize function in PHP? A quick guide to its basic usage

gitbox 2025-09-25

In PHP programming, we often need to store complex data structures (such as arrays or objects) in files or databases. For such cases, PHP provides two very useful functions: serialize() and unserialize().

1. Introduction to the unserialize function

The unserialize() function converts a serialized string (created by serialize()) back into the original PHP data type. In simple terms, it is the "reverse operation" of serialize().

Function prototype:

mixed unserialize ( string $str [, array $options = [] ] )

Parameter description:

  • $str: Required. The string to be unserialized.
  • $options: Optional. Currently used mainly to pass a list of classes that may be unserialized (the allowed_classes option), which improves security.

Return value:

On success, it returns the original data (array, object, string, etc.) that was serialized. On failure, it returns FALSE.

2. Basic usage examples

<?php
// Example 1: Unserialize an array
$serializedArray = 'a:3:{i:0;s:4:"PHP!";i:1;s:3:"123";i:2;s:6:"hello!";}';
$array = unserialize($serializedArray);
echo "<pre>";      // preformatted block so print_r() output stays readable in a browser
print_r($array);
echo "</pre>";

// Output:
// Array
// (
// [0] => PHP!
// [1] => 123
// [2] => hello!
// )

// Example 2: Unserialize an object
class User {
    public $name;
    public $age;
}

// The class must be defined before unserialize() runs, otherwise PHP
// restores the value as a __PHP_Incomplete_Class placeholder.
$serializedObject = 'O:4:"User":2:{s:4:"name";s:4:"John";s:3:"age";i:25;}';
$user = unserialize($serializedObject);
echo "<pre>";
print_r($user);
echo "</pre>";

// Output:
// User Object
// (
// [name] => John
// [age] => 25
// )

3. Security considerations for unserialize

Calling unserialize() on data from untrusted sources is very dangerous, because it can lead to object injection attacks: an attacker who controls the serialized string can choose which classes are instantiated and execute arbitrary code through them.

Security recommendations:

  1. Avoid unserializing data provided by users whenever possible.
  2. Use the allowed_classes option to limit the classes that can be unserialized.
  3. Strictly validate and filter data sources.
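The allowed_classes recommendation above, as an added example that is not code from the original article: a wrapper that passes an allow list to unserialize(), rejects any payload that was downgraded to a __PHP_Incomplete_Class placeholder, and also handles a stored value that is a genuine false (for which unserialize() returns false without failing). The helper names safeUnserialize and containsIncompleteClass and the placeholder class name SomeClass are assumptions; it requires PHP 7.0 or later.

```php
<?php
// Added example, not from the original article: a wrapper around unserialize()
// that applies allowed_classes and tells a real failure apart from a serialized
// boolean false. Needs PHP 7.0+; the two function names are chosen for this example.
class User {
    public $name;
    public $age;
}

// Restore $data, instantiating only the classes in $allowedClasses. Any other
// class becomes __PHP_Incomplete_Class (its __wakeup()/__destruct() never run),
// and the whole value is rejected rather than silently used.
function safeUnserialize(string $data, array $allowedClasses = [])
{
    // allowed_classes accepts true (all), false (none) or an array of names.
    $value = @unserialize($data, ['allowed_classes' => $allowedClasses ?: false]);
    // unserialize() returns false both on failure and for serialize(false).
    if ($value === false && $data !== serialize(false)) {
        throw new InvalidArgumentException('Malformed serialized data');
    }
    if (containsIncompleteClass($value)) {
        throw new InvalidArgumentException('Payload references a class that is not allowed');
    }
    return $value;
}
// Recursively look for __PHP_Incomplete_Class placeholders in arrays and objects.
function containsIncompleteClass($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}
// Constructed inputs: the article's User payload, then one naming a class
// (SomeClass, a placeholder) that is not on the allow list.
$user = safeUnserialize('O:4:"User":2:{s:4:"name";s:4:"John";s:3:"age";i:25;}', ['User']);
echo $user->name, "\n";
try {
    safeUnserialize('O:9:"SomeClass":0:{}', ['User']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The first call prints John; the second throws, because the disallowed class was restored only as a placeholder and the wrapper refuses to hand it back.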

4. Conclusion

  • unserialize() restores a serialized string back to its original PHP data.
  • Together with serialize(), it is a convenient way to store and transmit complex data.
  • Always be cautious about security, especially when dealing with external data.

Mastering unserialize() lets you handle data persistence and object storage more flexibly in PHP.
