
How to Restore Session Data in PHP Using the unserialize Function: A Step-by-Step Guide

gitbox 2025-09-30

1. How session Works

PHP sessions store user data on the server using a unique session ID. Each time a user makes a request, PHP looks up the session ID and loads the corresponding session data. The data is usually accessed and modified through the $_SESSION superglobal.

Internally, PHP automatically uses the serialize function to convert objects or arrays into strings for storage and uses unserialize to restore them to their original data types.

However, sometimes we want to access this serialized data directly or handle it manually. This is where the unserialize function becomes particularly useful.


2. Overview of the unserialize Function

The unserialize function converts a serialized string back into a PHP variable.

mixed unserialize ( string $data [, array $options = [] ] )

Parameters:

  • $data: The string to be unserialized.

  • $options: Optional parameters providing additional control over deserialization (supported in PHP 7+). For example, you can specify which classes are allowed to be unserialized.

Return Value:

  • Returns the unserialized variable on success, or false on failure.


3. Example: Manually Serializing and Unserializing Session Data

Step 1: Simulate Session Data Storage

Suppose we have a user object containing some basic user information. We will manually serialize this object and store it in the session.

session_start();

// Create a user class
class User {
    public $name;
    public $email;

    public function __construct($name, $email) {
        $this->name = $name;
        $this->email = $email;
    }
}

// Instantiate the user object
$user = new User('John Doe', '[email protected]');

// Serialize the user object and store it in the session
$_SESSION['user_data'] = serialize($user);

In the code above, we define a User class, create a User object for John Doe, and store its serialized form in $_SESSION['user_data'].

Step 2: Restore (Unserialize) Session Data

Once the data is stored in the session, we can retrieve it in subsequent requests. Using the unserialize function, we can convert the serialized data back into its original object form.

session_start();

// The User class must be declared (or autoloadable) before unserialize() runs;
// otherwise the result is a __PHP_Incomplete_Class object, not a User.

// Check if 'user_data' exists in the session
if (isset($_SESSION['user_data'])) {
    // Unserialize the session data
    $user = unserialize($_SESSION['user_data']);

    echo 'Name: ' . $user->name . '<br>';
    echo 'Email: ' . $user->email . '<br>';
} else {
    echo 'No user data found in session.';
}

In this code, we first check if $_SESSION['user_data'] exists. If it does, we use unserialize to restore it to a User object and then output its properties.


4. Notes on Using the unserialize Function

Security Considerations

When using unserialize, security must be a top priority. Deserializing data from untrusted sources can lead to object injection attacks, allowing attackers to execute dangerous operations by crafting malicious serialized data. Therefore, it's recommended to implement security measures when using unserialize.

In PHP 7+, you can use the allowed_classes option to limit which classes can be unserialized. For example, you can restrict deserialization to only the User class:

$options = ['allowed_classes' => ['User']];
$user = unserialize($_SESSION['user_data'], $options);

This ensures that only objects of the User class are instantiated; objects of any other class in the payload are turned into __PHP_Incomplete_Class instances instead, so their constructors and magic methods never run.
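The following is an added example, not code from the original article, tying together the function signature from section 2 and the allowed_classes guidance above. It restores a User from a serialized string, restricts instantiation to the User class, and then validates the result before trusting it. The User class follows the article; the function name restoreUser(), the constructed payloads and the sample e-mail address are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article): the article's User class.
class User
{
    public string $name;
    public string $email;

    public function __construct(string $name, string $email)
    {
        $this->name = $name;
        $this->email = $email;
    }
}

/**
 * Restore a User from a serialized payload, or return null when the payload
 * does not decode to a genuine, well-formed User. (Name assumed for this example.)
 */
function restoreUser(string $payload): ?User
{
    // Only User may be instantiated. Any other class name in the payload is
    // rehydrated as __PHP_Incomplete_Class, so no foreign constructor,
    // __wakeup() or __destruct() code is reached.
    $value = unserialize($payload, ['allowed_classes' => [User::class]]);

    // unserialize() returns false for a malformed string. Note that the
    // serialized boolean false ('b:0;') also yields false; when false is a
    // legitimate stored value, compare the input against 'b:0;' to tell the
    // two apart. Here a User is required, so any non-User result is rejected,
    // which covers false and __PHP_Incomplete_Class alike.
    if (!$value instanceof User) {
        return null;
    }

    // Field-level validation: allowed_classes constrains the type, not the
    // contents, so the properties still need checking.
    if ($value->name === '' || filter_var($value->email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    return $value;
}

// --- Constructed inputs for demonstration (not real session data) ---

// 1. A legitimate User, serialized the way the article stores it.
$good = serialize(new User('John Doe', 'john@example.test'));

// 2. The same structure, but the class name rewritten to one that is not
//    allowed ("SomeService" is 11 characters, matching the length prefix).
$otherClass = str_replace('O:4:"User"', 'O:11:"SomeService"', $good);

// 3. A truncated string, which makes unserialize() return false (and emit
//    an E_NOTICE about the offset where parsing failed).
$corrupt = substr($good, 0, -3);

foreach (['good' => $good, 'otherClass' => $otherClass, 'corrupt' => $corrupt] as $label => $payload) {
    $user = @restoreUser($payload); // '@' only silences the notice from the corrupt case
    echo $label, ': ', $user === null ? 'rejected' : 'restored ' . $user->name, PHP_EOL;
}
```

In practice the payload comes from $_SESSION['user_data'] as in the article; the point of the wrapper is that the caller only ever receives a fully validated User or null, never an incomplete or foreign object.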

Compatibility Considerations

When working across different PHP versions or server environments, unserialize may encounter compatibility issues. For instance, if a class definition has changed between versions (properties renamed or removed), deserialization may fail or produce objects with unexpected properties. To avoid such problems, developers can use json_encode and json_decode as alternatives, especially for simple data structures.
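As an added example, not part of the original article, here is the JSON alternative mentioned above applied to the article's User class. The object is mapped to a plain array before it is stored and rebuilt from that array on load, so no class is instantiated by the decoder and a later change to the class layout only affects the two mapping methods. The method and function names (toArray, fromArray, storeUser, loadUser) and the sample values are assumptions for this example; it targets PHP 8.0 or later for constructor property promotion.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article): the article's User class
// extended with an explicit array mapping. Names assumed for this example.
class User
{
    public function __construct(public string $name, public string $email) {}

    // The stored format is this array, not the class layout, so renaming a
    // property later changes only these two methods.
    public function toArray(): array
    {
        return ['name' => $this->name, 'email' => $this->email];
    }

    public static function fromArray(array $data): self
    {
        if (!isset($data['name'], $data['email'])
            || !is_string($data['name']) || !is_string($data['email'])) {
            throw new InvalidArgumentException('user_data is missing or malformed');
        }
        return new self($data['name'], $data['email']);
    }
}

function storeUser(User $user): void
{
    $_SESSION['user_data'] = json_encode($user->toArray(), JSON_THROW_ON_ERROR);
}

function loadUser(): ?User
{
    if (!isset($_SESSION['user_data']) || !is_string($_SESSION['user_data'])) {
        return null;
    }
    try {
        // json_decode() only ever produces scalars, arrays and stdClass, never
        // instances of application classes, so there is no object-injection
        // surface here; the remaining risk is malformed data, which fromArray()
        // rejects explicitly.
        $data = json_decode($_SESSION['user_data'], true, 512, JSON_THROW_ON_ERROR);
        return is_array($data) ? User::fromArray($data) : null;
    } catch (JsonException | InvalidArgumentException $e) {
        return null;
    }
}

// Demo without a live session: after session_start() $_SESSION is an ordinary
// array, so a plain array stands in for it here (constructed sample data).
$_SESSION = [];
storeUser(new User('John Doe', 'john@example.test'));
$restored = loadUser();
echo $restored ? 'Restored ' . $restored->name : 'No valid user data', PHP_EOL;

// A truncated payload is rejected cleanly instead of yielding a half-built object.
$_SESSION['user_data'] = '{"name": "John Doe"';
var_dump(loadUser());
```

In a real request the $_SESSION assignment is done by session_start(); the rest of the code is unchanged.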