unserialize - PHP code example

PHP Function Unserialize

php function unserialize converts serialized data back into a normal PHP value. It accepts only one parameter that is the serialized string and in case the passed string is not unserializeable, it returns a false value or issues E_NOTICE notice.

Before php version 5.1, the unserialize function did not save all methods of a class into its string representation. This was a security issue because an attacker can manipulate user-controlled input to pass values to automatically executed methods like __wakeup() or __destruct(). Such an attack is referred to as a PHP object injection and can lead to code execution, SQL injection or path traversal.

Luckily, since PHP 6.1, the unserialize function preserves all methods of a class into its serialized string. This makes the function a lot safer to use.

Another great feature added to unserialize is that it can now handle arrays and dicts and return real array objects instead of the json_encoded arrays from php serialize. This is an important improvement because it reduces the size of the resulting unserialized string, making it much more convenient to work with.

There is also a minor bug in the unserialize function that can cause an error if the string contains a foreign character. This happens when the string is serialized and stored in a MySQL database that is not formatted for UTF-8. For example, if the string is serialized to UTF-8 and then written into a MySQL table, the '?' will be converted to 'c3 86'. The same happens with other special characters.

unserialize example

public function encode(Field $field, EntityExistence $existence, KeyValuePair $data, WriteParameterBag $parameters): \Generator
    {
        throw new \RuntimeException('Serialized fields can only be written by an indexer');
    }

    public function decode(Field $field, mixed $value): mixed
    {
        if ($value === null) {
            return null;
        }

        return unserialize($value);
    }
}

        return new \ArrayIterator($this->profiles);
    }

    public function serialize(): string
    {
        return serialize($this->__serialize());
    }

    public function unserialize($data): void
    {
        $this->__unserialize(unserialize($data));
    }

    /** * @internal */
    public function __serialize(): array
    {
        return [$this->template, $this->name, $this->type, $this->starts, $this->ends, $this->profiles];
    }

    /** * @internal */

        return parent::get($name);
    }

    /** * Gets the common env placeholder prefix for env vars created by this bag. */
    public function getEnvPlaceholderUniquePrefix(): string
    {
        if (!isset($this->envPlaceholderUniquePrefix)) {
            $reproducibleEntropy = unserialize(serialize($this->parameters));
            array_walk_recursive($reproducibleEntropy, function D&$v) { $v = null; });
            $this->envPlaceholderUniquePrefix = 'env_'.substr(hash('xxh128', serialize($reproducibleEntropy)), -16);
        }

        return $this->envPlaceholderUniquePrefix;
    }

    /** * Returns the map of env vars used in the resolved parameter values to their placeholders. * * @return string[][] A map of env var names to their placeholders */

/** @var SplFileInfo $headerFile */
        foreach ($this->createRecursiveFileIterator($headerDir) as $headerFile) {
            if (!$headerFile->isFile()) {
                continue;
            }

            $headerData = file_get_contents($headerFile->getPathname());
            if (!\is_string($headerData)) {
                continue;
            }
            $headerData = unserialize($headerData, ['allowed_classes' => false]);

            $changed = false;
            foreach ($headerData as $headerIndex => $header) {
                if (!isset($header[1][$name])) {
                    continue;
                }

                $headerValue = implode(';', $header[1][$name]);

                if (isset($value) && strpos($headerValue, $value) === false) {
                    continue;
                }

$e = new Email();
        $e->from('fabien@symfony.com');
        $e->to('you@example.com');
        $e->text($r);
        $e->html($r);
        $name = __DIR__.'/Fixtures/mimetypes/test';
        $file = fopen($name, 'r');
        $e->addPart(new DataPart($file, 'test'));
        $e->attachFromPath($name, 'same_test');
        $expected = clone $e;
        $n = unserialize(serialize($e));
        $this->assertEquals($expected->getHeaders(), $n->getHeaders());
        $a = preg_replace(["{boundary=.+\r\n}", "{^\-\-.+\r\n}m"], ['boundary=x', '--x'], $e->getBody()->toString());
        $b = preg_replace(["{boundary=.+\r\n}", "{^\-\-.+\r\n}m"], ['boundary=x', '--x'], $n->getBody()->toString());
        $this->assertSame($a, $b);
    }

    public function testSymfonySerialize()
    {
        // we don't add from/sender to check that validation is not triggered to serialize an email         $e = new Email();
        $e->to('you@example.com');

protected function saveTranslation(array $data)
    {
        $existing = $this->getObjectTranslation(
            $data['type'], // Translation object type             $data['key'], // Identifier of the translatable entity (s_articles.id)             $data['shopId'] // Identifier of the shop object         );

        if (!\is_array($existing)) {
            $existing = [];
        } else {
            $existing['data'] = unserialize($existing['data'], ['allowed_classes' => false]);
        }

        $data = array_replace_recursive(
            $existing,
            $data
        );

        $this->getTranslationComponent()->write(
            $data['shopId'],
            $data['type'],
            $data['key'],

$fileIcon = '';
        if (file_exists($iconPath)) {
            $fileIcon = \file_get_contents($iconPath);
        }

        $appFlowAction->setIconRaw($fileIcon !== false ? $fileIcon : null);

        $subscriber = new AppFlowActionLoadedSubscriber();
        $event = new EntityLoadedEvent(new AppFlowActionDefinition(), [$appFlowAction], Context::createDefaultContext());

        $subscriber->unserialize($event);
        static::assertNotFalse($fileIcon);

        static::assertEquals(
            base64_encode($fileIcon),
            $appFlowAction->getIcon()
        );
    }
}

if (!isset($this->buckets[$limiterStateId])) {
            return null;
        }

        [$expireAt, $limiterState] = $this->buckets[$limiterStateId];
        if (null !== $expireAt && $expireAt <= microtime(true)) {
            unset($this->buckets[$limiterStateId]);

            return null;
        }

        return unserialize($limiterState);
    }

    public function delete(string $limiterStateId): void
    {
        if (!isset($this->buckets[$limiterStateId])) {
            return;
        }

        unset($this->buckets[$limiterStateId]);
    }

'action_text' => 'Bar',
            'action_url' => 'http://example.com/',
            'markdown' => true,
            'raw' => false,
            'a' => 'b',
            'footer_text' => 'Notification email sent by Symfony',
        ], $email->getContext());
    }

    public function testSerialize()
    {
        $email = unserialize(serialize((new NotificationEmail())
            ->content('Foo', true)
            ->exception(new \Exception())
            ->importance(NotificationEmail::IMPORTANCE_HIGH)
            ->action('Bar', 'http://example.com/')
            ->context(['a' => 'b'])
            ->theme('example')
        ));
        $this->assertEquals([
            'importance' => NotificationEmail::IMPORTANCE_HIGH,
            'content' => 'Foo',
            'exception' => true,

  protected function prepareOutput(array $migration_state) {
    $output = [];
    foreach ($migration_state as $source_machine_name => $destination_modules) {
      $data = NULL;
      if (isset($this->systemData['module'][$source_machine_name]['info'])) {
        $data = unserialize($this->systemData['module'][$source_machine_name]['info']);
      }
      $source_module_name = $data['name'] ?? $source_machine_name;
      // Get the names of all the destination modules.       $destination_module_names = [];
      if (!empty($destination_modules)) {
        $destination_modules = explode(', ', $destination_modules);
        foreach ($destination_modules as $destination_module) {
          if ($destination_module === 'core') {
            $destination_module_names[] = 'Core';
          }
          else {

$name" SQL;

        $translation = $this->connection->query($sql)->fetch();
        if (!$translation) {
            return;
        }

        $id = $translation['id'];
        $data = unserialize($translation['objectdata']);

        $data['contentHtml'] = stripslashes($content);

        $data = serialize($data);

        $sql = <<<SQL UPDATE `s_core_translations` SET `objectdata`= '$data' WHERE `id` = $id AND dirty = 0 SQL;

        $this->addSql($sql);
    }
}

        $key  = static::validateKey($key, $this->prefix);
        $data = $this->redis->hMGet($key, ['__ci_type', '__ci_value']);

        if (! isset($data['__ci_type'], $data['__ci_value']) || $data['__ci_value'] === false) {
            return null;
        }

        switch ($data['__ci_type']) {
            case 'array':
            case 'object':
                return unserialize($data['__ci_value']);

            case 'boolean':
            case 'integer':
            case 'double': // Yes, 'double' is returned and NOT 'float'             case 'string':
            case 'NULL':
                return settype($data['__ci_value'], $data['__ci_type']) ? $data['__ci_value'] : null;

            case 'resource':
            default:
                return null;
        }

'widget_module' => $this->t('Module that implements widget.'),
      'widget_active' => $this->t('Status of widget'),
      'module' => $this->t('The module that provides the field.'),
    ];
  }

  /** * {@inheritdoc} */
  public function prepareRow(Row $row) {
    // Unserialize data.     $widget_settings = unserialize($row->getSourceProperty('widget_settings'));
    $display_settings = unserialize($row->getSourceProperty('display_settings'));
    $global_settings = unserialize($row->getSourceProperty('global_settings'));
    $row->setSourceProperty('widget_settings', $widget_settings);
    $row->setSourceProperty('display_settings', $display_settings);
    $row->setSourceProperty('global_settings', $global_settings);

    // Determine the translatable setting.     $translatable = TRUE;
    $synchronized_fields = $this->variableGet('i18nsync_nodeapi_' . $row->getSourceProperty('type_name'), NULL);
    if ($synchronized_fields) {
      if (in_array($row->getSourceProperty('field_name'), $synchronized_fields)) {

<?php
return \Symfony\Component\VarExporter\Internal\Hydrator::hydrate(
    $o = \Symfony\Component\VarExporter\Internal\Registry::unserialize([
        clone (($p = &\Symfony\Component\VarExporter\Internal\Registry::$prototypes)['DateTime'] ?? \Symfony\Component\VarExporter\Internal\Registry::p('DateTime')),
        clone ($p['DateTimeImmutable'] ?? \Symfony\Component\VarExporter\Internal\Registry::p('DateTimeImmutable')),
        clone ($p['DateTimeZone'] ?? \Symfony\Component\VarExporter\Internal\Registry::p('DateTimeZone')),
        clone ($p['DateInterval'] ?? \Symfony\Component\VarExporter\Internal\Registry::p('DateInterval')),
    ], [
        4 => 'O:10:"DatePeriod":6:{s:5:"start";O:17:"DateTimeImmutable":3:{s:4:"date";s:26:"2009-10-11 00:00:00.000000";s:13:"timezone_type";i:3;s:8:"timezone";s:12:"Europe/Paris";}s:7:"current";N;s:3:"end";N;s:8:"interval";O:12:"DateInterval":16:{s:1:"y";i:0;s:1:"m";i:0;s:1:"d";i:7;s:1:"h";i:0;s:1:"i";i:0;s:1:"s";i:0;s:1:"f";d:0;s:7:"weekday";i:0;s:16:"weekday_behavior";i:0;s:17:"first_last_day_of";i:0;s:6:"invert";i:0;s:4:"days";i:7;s:12:"special_type";i:0;s:14:"special_amount";i:0;s:21:"have_weekday_relative";i:0;s:21:"have_special_relative";i:0;}s:11:"recurrences";i:5;s:18:"include_start_date";b:1;}',
    ]),
    null,
    [
        'stdClass' => [
            'date' => [

class FieldInstanceOptionTranslation extends ProcessPluginBase {

  /** * {@inheritdoc} */
  public function transform($value, MigrateExecutableInterface $migrate_executable, Row $row, $destination_property) {
    [$type, $data] = $value;

    $data = unserialize($data);
    $property = $row->getSourceProperty('property');
    $option_key = ($property == 0) ? 'off_label' : 'on_label';
    $translation = '';
    if (isset($data['settings']['allowed_values'])) {
      $allowed_values = $data['settings']['allowed_values'];
      switch ($type) {
        case 'boolean';
          if (isset($allowed_values[$property])) {
            $translation = $row->getSourceProperty('translation');
            break;
          }