
json_decode()

php PHP 7.3+ Beginner

Also Known As

json_decode() PHP JSON parsing json_encode

TL;DR

Parses a JSON string into a PHP value — a safe alternative to unserialize() for structured data exchange.

Explanation

json_decode($json, true) parses a JSON string, returning an associative array (true) or stdClass object (false/null). Unlike unserialize(), it cannot instantiate arbitrary PHP objects or invoke magic methods, making it safe for untrusted input. Always check json_last_error() === JSON_ERROR_NONE after decoding, or use JSON_THROW_ON_ERROR (PHP 7.3+) to throw a JsonException on malformed input. Use json_encode() with JSON_THROW_ON_ERROR on the output side.

Common Misconception

The misconception is that json_decode() returns null only when the input is null. It also returns null for malformed JSON, and in PHP < 7.3 the return value gives no indication of why. Always follow json_decode() with a json_last_error() check, or pass JSON_THROW_ON_ERROR in PHP 7.3+ to get an exception instead.

Why It Matters

json_decode() returns null both for valid JSON null and for invalid JSON — callers who do not check json_last_error() silently process null as if it were valid decoded data.

Common Mistakes

  • Not checking json_last_error() after decoding — null from a malformed JSON string is indistinguishable from JSON null.
  • Using the second argument (assoc=true) inconsistently — mixing object and array access patterns.
  • Not setting the JSON_THROW_ON_ERROR flag (PHP 7.3+), which eliminates the need to manually check json_last_error().
  • Not validating the decoded structure — a valid JSON string may decode to a type or shape the application does not expect.

Code Examples

✗ Vulnerable
// Silent failure on invalid JSON:
$data = json_decode($input);
$name = $data->name; // $data is null on invalid JSON: warning/notice and $name is null; json_last_error() not checked

// Safe (positional arguments keep this valid on PHP 7.3+):
$data = json_decode($input, false, 512, JSON_THROW_ON_ERROR);
// JsonException thrown on invalid JSON
✓ Fixed
// Always pass true for associative array (avoids stdClass)
$data = json_decode($json, true);

// Check for errors
if (json_last_error() !== JSON_ERROR_NONE) {
    throw new \InvalidArgumentException('Invalid JSON: ' . json_last_error_msg());
}

// PHP 7.3+ — throw on error
try {
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
} catch (\JsonException $e) {
    // Positional arguments: named arguments would require PHP 8.0+
    throw new \InvalidArgumentException('Invalid JSON', 0, $e);
}

// Encode with useful flags
$json = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
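
An added example (not from the original page) for the last item under Common Mistakes: it decodes with JSON_THROW_ON_ERROR and then checks the decoded type and shape before use. The function name decodeUserPayload(), the name/age fields and the depth limit of 8 are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: decode an untrusted JSON body, then validate its shape.
function decodeUserPayload(string $json): array
{
    try {
        // Depth 8 is an assumed limit; deeper nesting raises JsonException.
        $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (\JsonException $e) {
        throw new \InvalidArgumentException('Invalid JSON: ' . $e->getMessage(), 0, $e);
    }

    // Valid JSON can still be null or a scalar; require an array, then check fields.
    if (!is_array($data)) {
        throw new \UnexpectedValueException('Expected a JSON object, got ' . gettype($data));
    }
    if (!isset($data['name']) || !is_string($data['name']) || $data['name'] === '') {
        throw new \UnexpectedValueException('Field "name" must be a non-empty string');
    }
    if (!isset($data['age']) || !is_int($data['age']) || $data['age'] < 0) {
        throw new \UnexpectedValueException('Field "age" must be a non-negative integer');
    }
    // Return only the expected keys so unexpected ones never reach callers.
    return ['name' => $data['name'], 'age' => $data['age']];
}

// Constructed sample inputs.
$samples = [
    '{"name":"Ada","age":36}',    // well-formed, expected shape
    'null',                       // valid JSON, wrong type
    '{"name":"Ada","age":"36"}',  // valid JSON, wrong field type
    '{"name":"Ada","age":36',     // malformed
    '[["Ada",36]]',               // valid JSON list, not the expected object
];

foreach ($samples as $json) {
    try {
        $user = decodeUserPayload($json);
        echo "OK: {$user['name']} ({$user['age']})\n";
    } catch (\InvalidArgumentException | \UnexpectedValueException $e) {
        echo 'Rejected: ' . $e->getMessage() . "\n";
    }
}
```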

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Use json_decode($json, true, 512, JSON_THROW_ON_ERROR) — the flags make it throw JsonException on invalid JSON instead of silently returning null, and associative array mode avoids stdClass surprises
📦 Applies To
PHP 7.3+ web cli queue-worker
🔍 Detection Hints
json_decode without JSON_THROW_ON_ERROR; checking json_last_error() after decode; accessing properties on potentially null decode result
Auto-detectable: ✓ Yes phpstan rector
🤖 AI Agent
Confidence: Medium False Positives: Medium ✓ Auto-fixable Fix: Low Context: Line
CWE-20
