serialize() / unserialize() Since: PHP 4 (2000)
Functions that convert PHP values into a byte string for storage or transfer, and restore them back to their original values. Commonly used for saving session data and caching.
Syntax
```php
// Serializes a value and returns it as a string.
serialize($value);
// Restores a serialized string back to its original PHP value.
unserialize($data, $options);
```
Function List
| Function | Description |
|---|---|
| serialize($value) | Converts a PHP value into a byte string. Supports nearly all types including arrays, objects, integers, and strings, but cannot serialize resource types or closures. |
| unserialize($data, $options) | Restores a serialized string back to its original PHP value. The allowed_classes option in the second argument lets you restrict which classes are allowed to be restored. |
Sample Code
```php
<?php
// Serialize an array.
$data = ['name' => 'Taro', 'age' => 25, 'skills' => ['PHP', 'JavaScript']];
$serialized = serialize($data);
echo $serialized; // Outputs the serialized string.

// Restore the serialized string.
$restored = unserialize($serialized);
echo $restored['name'];       // Outputs "Taro".
print_r($restored['skills']); // Restores the original array.

// Check the serialized output for various types.
echo serialize(42);    // Outputs "i:42;".
echo serialize(3.14);  // Outputs "d:3.14;".
echo serialize("PHP"); // Outputs 's:3:"PHP";'.
echo serialize(true);  // Outputs "b:1;".
echo serialize(null);  // Outputs "N;".

// Serialize an object (constructor property promotion requires PHP 8.0 or later).
class UserData {
    public function __construct(
        public string $name,
        public string $email
    ) {}
}
$user = new UserData("Hanako", "hanako@example.com");
$serialized_user = serialize($user);
echo $serialized_user;

// Safe unserialize: restrict classes using allowed_classes.
$safe_data = unserialize($serialized_user, [
    'allowed_classes' => ['UserData'] // Only allow the UserData class to be restored.
]);
echo $safe_data->name; // Outputs "Hanako".

// Setting allowed_classes to false rejects all classes.
$no_objects = unserialize($serialized_user, [
    'allowed_classes' => false // Objects become __PHP_Incomplete_Class instances.
]);

// Example of saving data to a file.
$settings = [
    'theme' => 'dark',
    'lang' => 'ja',
    'notifications' => true
];
file_put_contents('/tmp/settings.dat', serialize($settings));
$loaded = unserialize(file_get_contents('/tmp/settings.dat'), [
    'allowed_classes' => false
]);
echo $loaded['theme']; // Outputs "dark".

// Comparison with JSON. Use JSON when exchanging data with external systems.
$data = ['id' => 1, 'title' => 'PHP Basics'];
echo serialize($data);   // PHP-specific format
echo json_encode($data); // Format readable by other languages
```
Notes
serialize() converts a PHP value into a byte string, which is useful for storing complex data structures in files or databases. PHP's session mechanism also uses serialize() and unserialize() internally to save and restore session data.
Always pass the allowed_classes option (available since PHP 7.0) in the second argument of unserialize(). Unserializing untrusted data without allowed_classes lets the input instantiate arbitrary classes and trigger their magic methods, which can lead to remote code execution. When unserializing external input, set allowed_classes => false so that no object is restored at all; any object in the data then comes back as a __PHP_Incomplete_Class instance.
When exchanging data with external systems, JSON is preferable as it is not PHP-specific. Use json_encode() / json_decode() for JSON. For debug output, see 'var_dump()'.
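The following is an added example, not code from the original page, showing one way to apply the advice above when serialized data is stored and later read back: the blob is signed with an HMAC so a modified payload is rejected before unserialize() ever runs, and restoration uses allowed_classes => false so no object (and no __wakeup() method) is ever instantiated. The class Profile, the functions storeSigned(), loadSigned() and containsIncompleteClass(), and the secret value are all hypothetical names constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not part of the original page). Profile, storeSigned(),
// loadSigned(), containsIncompleteClass() and $secret are hypothetical names.

final class Profile
{
    public function __construct(public string $name) {}

    // A magic method like this runs during a normal unserialize() of the object;
    // with allowed_classes => false it is never invoked.
    public function __wakeup(): void
    {
        echo "Profile::__wakeup() ran\n";
    }
}

// Produces "<hex hmac>|<serialized payload>" for storage.
function storeSigned(mixed $value, string $secret): string
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, $secret);
    return $mac . '|' . $payload;
}

// Verifies the HMAC in constant time, then restores the payload with objects
// disabled. Returns null for anything that fails verification or does not parse.
function loadSigned(string $blob, string $secret): mixed
{
    $parts = explode('|', $blob, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $payload] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null; // tampered, or signed with a different key
    }
    // 'b:0;' is the only input for which unserialize() legitimately returns
    // false, so false for any other payload means it did not parse.
    $value = unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== 'b:0;') {
        return null;
    }
    return $value;
}

// Reports whether a restored value contains any object that was blocked
// (such objects come back as __PHP_Incomplete_Class instances).
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

$secret = 'constructed-demo-secret'; // constructed value; load from configuration in practice

// Plain array data round-trips unchanged.
$blob = storeSigned(['theme' => 'dark', 'lang' => 'ja'], $secret);
var_dump(loadSigned($blob, $secret));

// A modified blob fails the HMAC check and is never passed to unserialize().
$tampered = substr($blob, 0, -1) . ';';
var_dump(loadSigned($tampered, $secret));

// An object in the payload is restored as __PHP_Incomplete_Class, so
// Profile::__wakeup() does not run and the caller can detect the blocked object.
$objBlob = storeSigned(new Profile('Hanako'), $secret);
var_dump(containsIncompleteClass(loadSigned($objBlob, $secret)));
```

Running this, the first var_dump() shows the restored array, the tampered blob yields null without unserialize() being called, and the last call reports true while the __wakeup() message is never printed. Signing only protects data that your own code produced; for input that originates outside the application, allowed_classes => false (or a JSON format, as the note above recommends) remains the primary control.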