PHP Function Unserialize
The PHP function unserialize() converts serialized data back into a normal PHP value. It accepts only one parameter, the serialized string, and if the passed string cannot be unserialized it returns false or raises an E_NOTICE.
Before PHP version 5.1, the unserialize function did not save all methods of a class into its string representation. This was a security issue because an attacker could manipulate user-controlled input to pass values to automatically executed methods such as __wakeup() or __destruct(). Such an attack is referred to as PHP object injection and can lead to code execution, SQL injection or path traversal.
Luckily, since PHP 6.1, the unserialize function preserves all methods of a class in its serialized string. This makes the function a lot safer to use.
Another great feature added to unserialize is that it can now handle arrays and dicts and return real array objects instead of the JSON-encoded arrays produced by PHP's serialize(). This is an important improvement because it reduces the size of the resulting unserialized string, making it much more convenient to work with.
There is also a minor bug in the unserialize function that can cause an error if the string contains a foreign character. This happens when the string is serialized and stored in a MySQL database whose character set is not UTF-8. For example, if the string is serialized as UTF-8 and then written into such a MySQL table, the 'Æ' will be converted to the byte pair 'c3 86'. The same happens with other special characters.
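The object-injection risk above comes from magic methods running during unserialization of attacker-controlled input. The following is an added example, not code from the original article: it shows the weak call beside the hardened one using the options argument that unserialize() has accepted since PHP 7.0 (allowed_classes), and a JSON-based alternative for plain data. The class name CacheEntry, the function loadSettings and the sample string are all constructed for illustration.

```php
<?php
// Added example: why untrusted input must never reach unserialize() with
// class instantiation enabled, and how to configure it safely.

// An ordinary application class (constructed for this example). Its __wakeup()
// side effect is harmless here, but any such method becomes a gadget once an
// attacker controls the serialized string that instantiates the class.
final class CacheEntry
{
    public string $key = '';

    public function __wakeup(): void
    {
        error_log("CacheEntry restored with key: {$this->key}");
    }
}

// Constructed sample input standing in for a user-supplied cookie or POST field.
$untrusted = 'O:10:"CacheEntry":1:{s:3:"key";s:12:"attacker-set";}';

// Weak: every class named in the input is instantiated and its
// __wakeup()/__destruct() run automatically.
$weak = unserialize($untrusted);   // CacheEntry::__wakeup() executes here

// Hardened (PHP >= 7.0): refuse to instantiate any class. Objects in the input
// become __PHP_Incomplete_Class instances and no user-defined magic method runs.
$safe = unserialize($untrusted, ['allowed_classes' => false]);

// Detection: an incomplete class means the blob carried an object we did not expect.
if ($safe instanceof __PHP_Incomplete_Class) {
    error_log('rejected serialized object of unexpected class');
}

// If specific classes are genuinely needed, allowlist only those you have audited
// for side effects in __wakeup()/__destruct(), e.g. ['allowed_classes' => [CacheEntry::class]].

// Preferable for structured data: a format with no object semantics at all.
function loadSettings(string $raw): array
{
    $decoded = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('settings must be a JSON object');
    }
    return $decoded;
}
```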