PHP sessions store user data on the server side using a unique session ID. Every time a user sends a request, PHP looks up the session ID and loads the corresponding session data. Data is typically accessed through the $_SESSION superglobal variable.
Internally, PHP serializes the whole $_SESSION array itself when the script ends (or when session_write_close() is called) and restores it on the next session_start(). The format is chosen by the session.serialize_handler setting: the default php handler uses its own layout, while the php_serialize handler produces exactly what serialize() would; either way, objects are rebuilt using the same machinery as unserialize().
However, sometimes we want to work with serialized data directly, for example to store the same string in a cache or database, or to control how it is restored. This is where the unserialize function becomes particularly useful.
The unserialize function converts a serialized string back into a PHP variable.
mixed unserialize(string $data [, array $options = [] ])
$data: The string to be unserialized.
$options: Optional array of options, supported since PHP 7.0. The allowed_classes key (PHP 7.0+) controls which classes may be instantiated: true (the default) allows any class, false allows none, and an array of class names allows only those. The max_depth key (PHP 7.4+) limits how deeply nested the unserialized structure may be.
Returns the restored value on success, or false on failure (with an E_NOTICE; E_WARNING from PHP 8.3). Because serialize(false) produces the string b:0;, a false return is ambiguous: if false is a legitimate stored value, compare the input against 'b:0;' before treating a false result as an error.
Suppose we have a user object containing basic user information. We will manually serialize this object and store it in the session.
```php
<?php
session_start();

// Create a user class
class User {
    public $name;
    public $email;

    public function __construct($name, $email) {
        $this->name = $name;
        $this->email = $email;
    }
}

// Instantiate the user object
$user = new User('John Doe', '[email protected]');

// Serialize the user object and store it in the session
$_SESSION['user_data'] = serialize($user);
```
In the code above, we define a User class, create a John Doe object and store its serialized form in $_SESSION['user_data']. Note that the manual serialize() call is not required for sessions: assigning $user to $_SESSION directly would have the same effect, because PHP serializes the whole session array itself. Serializing by hand is useful when the same string also goes somewhere else (a cache, a database column, a queue) or when you want explicit control over how it is restored.
Once the data is stored in the session, we can retrieve it in subsequent requests. Using the unserialize function, we can restore the serialized session data back into its original object form.
```php
<?php
session_start();

// The User class must be declared (or autoloadable) before this point;
// otherwise unserialize() returns a __PHP_Incomplete_Class instead of a User.

// Check if 'user_data' exists in the session
if (isset($_SESSION['user_data'])) {
    // Unserialize the session data
    $user = unserialize($_SESSION['user_data']);

    echo 'Name: ' . $user->name . '<br>';
    echo 'Email: ' . $user->email . '<br>';
} else {
    echo 'No user data found in session.';
}
```
In this code, we first check if $_SESSION['user_data'] exists. If it does, we use unserialize to restore it into a User object and then output its properties.
When using unserialize, security is critical. A serialized string names the class to instantiate and supplies its property values, so unserializing data from an untrusted source leads to PHP object injection: an attacker who controls the string can create an object of any class the application has loaded, with attacker-chosen properties, and have that class's magic methods (__wakeup, __destruct, __toString and so on) run on them. Whether a source is trusted is a question of who can write it. The server-side session store in the example above is written only by the application, so reading it back is safe as long as nobody else can modify the session files; the same unserialize call on a cookie, a request parameter, a hidden form field, or a cache or database row that other parties can write is exploitable. It's therefore recommended to implement safety measures whenever unserialize touches data that crosses a trust boundary.
In PHP 7+, you can restrict the classes that can be unserialized using the allowed_classes option. For example, to allow only the User class:
$options = ['allowed_classes' => ['User']];
$user = unserialize($_SESSION['user_data'], $options);
With this option only User objects are instantiated; any other class named in the string (including nested ones) comes back as a __PHP_Incomplete_Class, whose magic methods never run. That is not an error, so check the result with instanceof User before using it. Two caveats remain: the allowed class itself must not have magic methods that do anything dangerous with its properties, and the property values still come from the string, so validate them as you would any other input. For data that contains no objects at all, pass ['allowed_classes' => false] to forbid every class.
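The difference between an unrestricted and a restricted unserialize call, as an added demonstration that is not code from the original article. User is the article's class; LogWriter is a hypothetical "gadget" class invented here (its destructor only announces what a real gadget would do), and the $malicious string is a constructed attacker payload such as might arrive in a cookie. It runs from the command line with no session required.

```php
<?php
declare(strict_types=1);

// Added demonstration, not code from the original article.
// User is the article's class; LogWriter is a hypothetical gadget class.

class User
{
    public $name;
    public $email;

    public function __construct(string $name, string $email)
    {
        $this->name = $name;
        $this->email = $email;
    }
}

// Hypothetical gadget: any class already loaded by the application whose
// magic method (__destruct, __wakeup, __toString, ...) acts on properties
// the serialized string can set. This one only reports what it would do.
class LogWriter
{
    public $path = '/tmp/app.log';
    public $data = '';

    public function __destruct()
    {
        // A real gadget would do: file_put_contents($this->path, $this->data);
        echo "LogWriter::__destruct would write '{$this->data}' to {$this->path}\n";
    }
}

// Constructed attacker payload (e.g. a cookie value). It never mentions
// User: the attacker chooses the class name and every property value.
$malicious = 'O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"data";s:5:"owned";}';

// Legitimate payload produced by the application itself.
$legit = serialize(new User('John Doe', 'john@example.com'));

// Unsafe: whatever class the string names is instantiated and its magic
// methods run with the attacker's property values.
function restoreUserUnsafe(string $blob)
{
    return unserialize($blob);
}

// Hardened: only User may be instantiated. Anything else becomes a
// __PHP_Incomplete_Class with no magic methods, and the instanceof check
// turns that into an explicit rejection. Malformed input yields false,
// which also fails the check.
function restoreUserSafe(string $blob): ?User
{
    $obj = unserialize($blob, ['allowed_classes' => [User::class]]);
    return $obj instanceof User ? $obj : null;
}

echo "--- unrestricted unserialize ---\n";
$obj = restoreUserUnsafe($malicious);
echo 'class created: ', get_class($obj), "\n";
unset($obj); // the gadget's destructor runs here, on attacker-chosen values

echo "--- allowed_classes => [User::class] ---\n";
echo 'malicious payload accepted? ', var_export(restoreUserSafe($malicious) !== null, true), "\n";
echo 'legitimate payload name: ', restoreUserSafe($legit)->name, "\n";

// For pure data (arrays, scalars) forbid objects entirely.
$arr = unserialize('a:1:{i:0;s:2:"ok";}', ['allowed_classes' => false]);
echo 'array payload: ', implode(',', $arr), "\n";
$blocked = unserialize($malicious, ['allowed_classes' => false]);
echo 'object payload became: ', get_class($blocked), "\n";
```

Running the unrestricted path prints the destructor's message when $obj is released; the restricted path never instantiates LogWriter, so nothing fires. If serialized data genuinely has to travel through the client (a cookie, a hidden field), restricting classes is the second line of defence; the first is to authenticate the string, for example with hash_hmac() over the blob and hash_equals() on the tag, so that a modified payload is rejected before unserialize ever sees it.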
Across different PHP versions or server environments, unserialize may also face compatibility issues, because the serialized string encodes the class name and property list of the code that wrote it. If a class is renamed or removed, the result is a __PHP_Incomplete_Class; if properties are added or removed, the restored object silently carries the old property set; and private or protected property names embed the class name with NUL bytes, so a refactor can break stored data. To avoid such issues, developers can store the data with json_encode and rebuild the object with json_decode, especially for simple data structures: JSON never names a PHP class, so there is no object injection surface, and the application controls how a record is turned back into an object.
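The JSON alternative applied to the article's User class, as an added example that is not code from the original article. It uses a $session array as a stand-in for $_SESSION so it runs from the command line, and constructor property promotion, which needs PHP 8.0 or later; the stale and hostile records at the end are constructed inputs.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article: the session holds only
// JSON data, and the application decides how to rebuild the User from it.

final class User implements JsonSerializable
{
    public function __construct(
        public string $name,
        public string $email,
    ) {}

    // What goes into the session: a plain associative array. Nothing in it
    // names a PHP class.
    public function jsonSerialize(): array
    {
        return ['name' => $this->name, 'email' => $this->email];
    }

    // Rebuild from decoded data with explicit validation, so missing or
    // malformed fields are an error rather than a half-built object.
    public static function fromArray(array $row): self
    {
        if (!isset($row['name'], $row['email'])
            || !is_string($row['name']) || !is_string($row['email'])) {
            throw new InvalidArgumentException('user record is missing name or email');
        }
        if (filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('invalid email address');
        }
        return new self($row['name'], $row['email']);
    }
}

function storeUser(array &$session, User $user): void
{
    $session['user_data'] = json_encode($user, JSON_THROW_ON_ERROR);
}

function loadUser(array $session): ?User
{
    if (!isset($session['user_data'])) {
        return null;
    }
    // JSON_THROW_ON_ERROR turns malformed input into an exception instead of
    // a null that is easy to mistake for "no data".
    $row = json_decode($session['user_data'], true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($row)) {
        throw new InvalidArgumentException('user record is not an object');
    }
    return User::fromArray($row);
}

// Stand-in for $_SESSION so the example runs without a web server.
$session = [];
storeUser($session, new User('John Doe', 'john@example.com'));
echo 'stored: ', $session['user_data'], "\n";
echo 'Name: ', loadUser($session)->name, "\n";

// Version skew (constructed): a record written by an older release that had
// no email field. With unserialize() this would quietly come back as a User
// missing a property; here it is an explicit error the caller can handle.
$session['user_data'] = '{"name":"Old Record"}';
try {
    loadUser($session);
} catch (InvalidArgumentException $e) {
    echo 'Rejected stale record: ', $e->getMessage(), "\n";
}

// Hostile input (constructed): JSON cannot name a PHP class, so the only
// thing left to defend is the data itself, which fromArray() validates.
$session['user_data'] = '{"name":"x","email":"not-an-email","class":"LogWriter"}';
try {
    loadUser($session);
} catch (InvalidArgumentException $e) {
    echo 'Rejected hostile record: ', $e->getMessage(), "\n";
}
```

In a real application storeUser() and loadUser() would take $_SESSION by reference and by value respectively, exactly as shown with the stand-in array; the point is that the record in the session is data that User::fromArray() interprets, not instructions that unserialize() executes.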