PHP Variable Handling unserialize() Function



The PHP Variable Handling unserialize() function converts a stored (serialized) string back into a PHP value. If a value was saved in PHP's serialization format using serialize(), unserialize() restores the original value, including arrays and objects.

It is important to be careful when using this function, particularly with data from unknown sources: unserialize() can create objects of any class and trigger their magic methods, so feeding it attacker-controlled input is a well-known way to get code executed (PHP object injection). For data exchanged with users or other systems, use a format that carries no class information, such as JSON via json_encode() and json_decode().

Syntax

Below is the syntax of the PHP Variable Handling unserialize() function −

mixed unserialize ( string $data, array $options = [] )

Parameters

Below are the parameters of the unserialize() function −

  • $data − This is the serialized string that needs to be converted back into its original format.

  • $options − This is an optional setting that lets you determine how unserialize() works. Valid options are as follows:

    • allowed_classes (array|bool): Defines which classes may be instantiated while unserializing. The default true allows every class. An array of class names allows only those classes. Setting it to false allows no class at all. Any object whose class is not allowed is not instantiated; its data is returned in a __PHP_Incomplete_Class placeholder instead, so that class's methods (including __wakeup(), __unserialize() and __destruct()) are never run.

    • max_depth (int): The maximum nesting depth of arrays and objects that unserialize() will accept; deeper input makes the call fail instead of exhausting the stack. The default comes from the unserialize_max_depth ini setting, which is 4096.
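The following script is an added example, not code from the original page. It shows the effect of each option on a small Config class: what unserialize() returns when the class is allowed, when it is not, and when the input nests deeper than max_depth. The class name, the nested array and the depth limits are chosen for this demonstration only.

```php
<?php
// Added example (not from the original page): the effect of the $options
// array of unserialize() on objects, disallowed classes and nesting depth.

class Config {
    public $debug = false;
}

$serialized = serialize(new Config());   // O:6:"Config":1:{s:5:"debug";b:0;}

// allowed_classes => false: no class is instantiated. The data is kept in a
// __PHP_Incomplete_Class placeholder and no method of Config ever runs.
$noClasses = unserialize($serialized, ["allowed_classes" => false]);
var_dump($noClasses instanceof __PHP_Incomplete_Class);   // bool(true)

// allowed_classes => [list]: only the listed classes are instantiated.
$allowed = unserialize($serialized, ["allowed_classes" => ["Config"]]);
var_dump($allowed instanceof Config);                     // bool(true)

// A class that is not in the list also becomes __PHP_Incomplete_Class.
$other = unserialize($serialized, ["allowed_classes" => ["SomethingElse"]]);
var_dump($other instanceof Config);                       // bool(false)
var_dump($other instanceof __PHP_Incomplete_Class);       // bool(true)

// max_depth (PHP 7.4+): three nested arrays have depth 3. A limit of 3 is
// enough; a limit of 2 makes unserialize() fail and return false (with a warning).
$nested = serialize([[[1]]]);   // constructed input: a:1:{i:0;a:1:{i:0;a:1:{i:0;i:1;}}}
var_dump(unserialize($nested, ["max_depth" => 3]) === false);   // bool(false)
var_dump(unserialize($nested, ["max_depth" => 2]) === false);   // bool(true)
```

Note that a __PHP_Incomplete_Class object is still an object: is_object() returns true for it and it can be serialized again unchanged, but accessing it as the original class (calling its methods, instanceof Config) fails. Check for it explicitly in code that must handle possibly disallowed classes.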

Return Value

The unserialize() function returns the converted value, which can be a boolean, integer, float, string, array, object, or null. If the input string cannot be unserialized, the function returns false and emits a notice (PHP 8.3 raised this to a warning). Because a serialized false is itself the valid string "b:0;", a false return is ambiguous: when false is a possible value, compare the input against serialize(false) before treating the result as an error.

Warning

Do not pass untrusted user input to unserialize(), regardless of the value of allowed_classes. Unserialization instantiates objects of whatever classes the input names, which can trigger autoloading and the magic methods __wakeup(), __unserialize() and __destruct() of those classes with attacker-chosen property values. An allow list only narrows the set of classes; any class on the list that does something interesting in a magic method is still reachable.

If you need to pass serialized data to users, use JSON (json_encode() and json_decode()) instead. If you must accept serialized data that has left your control, for example a value round-tripped through a cookie or a form field, protect it with a keyed MAC: compute hash_hmac() over the serialized string when you emit it, verify the tag with hash_equals() when it comes back, and only then call unserialize(). The MAC guarantees that the string is one your own code produced; it does not make unserialize() itself safer, so still restrict allowed_classes to what you actually serialize.
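The script below is an added example that is not part of the original page. The first half shows the problem the warning describes: an ordinary application class with a __destruct() method is enough for an attacker-supplied string to run that method with attacker-chosen data, even though the class is on the allowed_classes list. The second half shows the hash_hmac()/hash_equals() pattern suggested above, with the serialize(false) ambiguity from the Return Value section handled. The AuditLogger class, the payload string, the key handling and the signed_serialize()/signed_unserialize() helpers are all constructed for this example.

```php
<?php
// Added example (not from the original page).

// Part 1: why allowed_classes alone is not enough.
// A harmless-looking application class. unserialize() will run its destructor
// for ANY input that names the class, with whatever property values the input carries.
class AuditLogger {
    public $logFile;
    public function __destruct() {
        // A real class might write to, or delete, $this->logFile here.
        echo "AuditLogger::__destruct ran with logFile=" . $this->logFile . "\n";
    }
}

// Attacker-controlled string (constructed for this example). The attacker
// never calls AuditLogger directly; they only choose the property value.
$payload = 'O:11:"AuditLogger":1:{s:7:"logFile";s:11:"/etc/passwd";}';

// The class is legitimately used by the application, so it is on the allow
// list. The object is created anyway and its destructor runs immediately
// because the result is discarded.
unserialize($payload, ["allowed_classes" => ["AuditLogger"]]);

// Part 2: only accept serialized strings that this application produced.
// Format of a token: <hex HMAC-SHA256 of data>:<serialized data>

function signed_serialize($value, string $key): string {
    $data = serialize($value);
    return hash_hmac('sha256', $data, $key) . ':' . $data;
}

/**
 * Returns the stored value, or null when the token is malformed, forged,
 * tampered with, or not valid serialized data. $allowedClasses is passed
 * straight through to unserialize() (false = no objects at all).
 */
function signed_unserialize(string $token, string $key, $allowedClasses = false) {
    $parts = explode(':', $token, 2);       // data itself may contain ':'
    if (count($parts) !== 2) {
        return null;
    }
    [$tag, $data] = $parts;
    // hash_equals() compares in constant time; != would leak the tag byte by byte.
    if (!hash_equals(hash_hmac('sha256', $data, $key), $tag)) {
        return null;                         // unserialize() is never reached
    }
    $value = unserialize($data, ['allowed_classes' => $allowedClasses]);
    // Serialized false is the valid string "b:0;"; only treat false as an
    // error when the input was not that string.
    if ($value === false && $data !== serialize(false)) {
        return null;
    }
    return $value;
}

// In practice the key is a long random secret stored outside the web root.
$key = random_bytes(32);

// Legitimate round trip: the value comes back intact.
$token = signed_serialize(['user' => 'alice', 'role' => 'viewer'], $key);
var_dump(signed_unserialize($token, $key));
// array(2) { ["user"]=> string(5) "alice" ["role"]=> string(6) "viewer" }

// Tampering: the data part is edited to role => admin but the tag is left alone.
$forged = explode(':', $token, 2)[0] . ':' . serialize(['user' => 'alice', 'role' => 'admin']);
var_dump(signed_unserialize($forged, $key));     // NULL

// Forgery: the attacker signs the AuditLogger payload with a guessed key.
$attack = hash_hmac('sha256', $payload, 'guessed-key') . ':' . $payload;
var_dump(signed_unserialize($attack, $key));     // NULL, and __destruct does not run
```

Two details matter for the hardened half. The tag must be checked before unserialize() is called, not after, since the damage happens during unserialization; and the comparison must use hash_equals() rather than == or ===, which return as soon as a byte differs and leak the tag through timing. The MAC only proves origin and integrity: if the application itself serializes a class with a dangerous magic method, a signed token still instantiates it, which is why JSON remains the better choice for anything that leaves the server.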

PHP Version

The unserialize() function has been available since PHP 4 and continues to work in PHP 5, PHP 7, and PHP 8. The $options parameter with allowed_classes was added in PHP 7.0, and the max_depth option in PHP 7.4.

Example 1

First, a basic example of the PHP Variable Handling unserialize() function: an array is serialized, then unserialized to get the original array back. The print_r() function is used to show the result.

<?php
   // Define a simple array
   $serializedData = serialize(["apple", "banana", "cherry"]);

   // Unserialize the data
   $unserializedData = unserialize($serializedData);

   // Print the result
   print_r($unserializedData);
?>

Output

Here is the outcome of the following code −

Array
(
   [0] => apple
   [1] => banana
   [2] => cherry
)

Example 2

In the PHP code below we use the unserialize() function to show how an object can be serialized and then unserialized. unserialize() restores the object, and print_r() displays it.

<?php
   class Fruit {
      public $name;
      public function __construct($name) {
         $this->name = $name;
      }
   }

   // Create an object and serialize it
   $fruit = new Fruit("Mango");
   $serializedObject = serialize($fruit);

   // Unserialize the object
   $unserializedObject = unserialize($serializedObject);

   // Display the object
   print_r($unserializedObject);
?> 

Output

This will generate the below output −

Fruit Object
(
   [name] => Mango
)

Example 3

This example allows only the Animal class to be unserialized by passing allowed_classes in the $options array. Objects of any other class in the input would be returned as __PHP_Incomplete_Class placeholders instead of being instantiated, which keeps unapproved classes from being restored.

<?php
   class Animal {
      public $type;
      public function __construct($type) {
         $this->type = $type;
      }
   }

   // Create an object and serialize it
   $animal = new Animal("Dog");
   $serializedAnimal = serialize($animal);

   // Unserialize with class restriction
   $unserializedAnimal = unserialize($serializedAnimal, ["allowed_classes" => ["Animal"]]);

   // Display the object
   print_r($unserializedAnimal);
?> 

Output

This will create the below output −

Animal Object
(
   [type] => Dog
)

Example 4

In the following example we use the unserialize() function to convert a serialized string read from a file back into an object. The class TestClass has a private name property. To reuse an object of this class later, we construct it, serialize it, store the string in a file, read the file back, and unserialize it.

<?php
   class TestClass{
      private $name;
      function __construct($arg){
         $this->name=$arg;
      }
      function getname(){
         return $this->name;
      }
   }
   $obj1=new TestClass("Tutorialspoint");
   // first serialize the object and save it to the file test.txt
   $filename="test.txt";
   $string=serialize($obj1);
   $fd=fopen($filename,"w");
   fwrite($fd, $string);
   fclose($fd);

   // read the serialized string back from the same file and restore the object
   $fd=fopen($filename,"r");
   $string=fread($fd, filesize($filename));
   fclose($fd);
   $obj=unserialize($string);
   echo "name: ". $obj->getname();
?>

Output

Following is the output of the above code −

name: Tutorialspoint