UNSERIALIZE(3) 1 UNSERIALIZE(3)
unserialize - Creates a PHP value from a stored representation
SYNOPSIS
mixed unserialize (string $str)
DESCRIPTION
unserialize(3) takes a single serialized variable and converts it back into a PHP value.
PARAMETERS
o $str
- The serialized string. If the variable being unserialized is an object, after successfully reconstructing the object PHP will
automatically attempt to call the __wakeup() member function (if it exists).
Note
unserialize_callback_func directive
It's possible to set a callback function that is called whenever an undefined class would be instantiated during unserializing
(to avoid getting the incomplete object "__PHP_Incomplete_Class"). Use your php.ini, ini_set(3) or .htaccess to
define 'unserialize_callback_func'. Every time an undefined class should be instantiated, it'll be called. To disable this
feature, just empty this setting.
RETURN VALUES
The converted value is returned, and can be a boolean, integer, float, string, array or object.
In case the passed string is not unserializeable, FALSE is returned and E_NOTICE is issued.
CHANGELOG
+--------+---------------------------------------------------+
|Version | Description                                       |
+--------+---------------------------------------------------+
| 5.6.0  | Manipulating the serialised data by replacing C:  |
|        | with O: to force object instantiation without     |
|        | calling the constructor will now fail.            |
+--------+---------------------------------------------------+
EXAMPLES
Example #1
unserialize(3) example
<?php
// Here, we use unserialize() to load session data to the
// $session_data array from the string selected from a database.
// This example complements the one described with serialize().
$conn = odbc_connect("webdb", "php", "chicken");
$stmt = odbc_prepare($conn, "SELECT data FROM sessions WHERE id = ?");
$sqldata = array($_SERVER['PHP_AUTH_USER']);
if (!odbc_execute($stmt, $sqldata) || !odbc_fetch_into($stmt, $tmp)) {
    // if the execute or fetch fails, initialize to empty array
    $session_data = array();
} else {
    // we should now have the serialized data in $tmp[0].
    $session_data = unserialize($tmp[0]);
    if (!is_array($session_data)) {
        // something went wrong, initialize to empty array
        $session_data = array();
    }
}
?>
Example #2
unserialize_callback_func example
<?php
$serialized_object = 'O:1:"a":1:{s:5:"value";s:3:"100";}';
// unserialize_callback_func directive available as of PHP 4.2.0
ini_set('unserialize_callback_func', 'mycallback'); // set your callback function
function mycallback($classname)
{
    // just include a file containing your class definition
    // you get $classname to figure out which class definition is required
}
?>
NOTES
Warning
FALSE is returned both in the case of an error and if unserializing the serialized FALSE value. It is possible to catch this special
case by comparing $str with serialize(false) or by catching the issued E_NOTICE.
Warning
Do not pass untrusted user input to unserialize(3). Unserialization can result in code being loaded and executed due to object
instantiation and autoloading, and a malicious user may be able to exploit this. Use a safe, standard data interchange format such
as JSON (via json_decode(3) and json_encode(3)) if you need to pass serialized data to the user.
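The two warnings above, shown as an added PHP example that is not part of the original manual page. The function names
unserialize_stored() and decode_client_data(), the 'cart'/'theme' schema and all sample inputs are assumptions made for illustration.

```php
<?php
// Added example; function names, schema and inputs are constructed.

// For server-side stored data only: tell a stored FALSE apart from a parse
// failure by comparing the input with serialize(false), as the first
// warning describes.
function unserialize_stored($str, &$ok)
{
    if ($str === serialize(false)) {
        $ok = true;
        return false;
    }
    $value = @unserialize($str);   // suppress the notice; $ok carries the result
    $ok = ($value !== false);
    return $value;
}

// For data that travels through the client: JSON only, decoded to arrays and
// scalars, so no class is instantiated and no autoloader or __wakeup() runs.
function decode_client_data($raw)
{
    $data = json_decode($raw, true);   // true: objects become associative arrays
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return array();                // same fallback as Example #1
    }
    // Keep only the keys this application expects (hypothetical schema).
    $clean = array();
    if (isset($data['cart']) && is_array($data['cart'])) {
        $clean['cart'] = array_values(array_filter($data['cart'], 'is_int'));
    }
    if (isset($data['theme']) && is_string($data['theme'])) {
        $clean['theme'] = $data['theme'];
    }
    return $clean;
}

// Constructed inputs.
var_dump(unserialize_stored(serialize(false), $ok), $ok);
var_dump(unserialize_stored('not serialized', $ok), $ok);
var_dump(decode_client_data('{"cart":[3,"x",7],"theme":"dark","admin":true}'));
// The object string from Example #2 is not JSON, so it is rejected outright.
var_dump(decode_client_data('O:1:"a":1:{s:5:"value";s:3:"100";}'));
```

The unexpected "admin" key and the non-integer cart entry are dropped because only expected keys and types are copied into the result.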
SEE ALSO
serialize(3), Autoloading Objects, unserialize_callback_func, __wakeup().
PHP Documentation Group UNSERIALIZE(3)