{
    "slug": "json_decode",
    "term": "json_decode()",
    "category": "php",
    "difficulty": "beginner",
    "short": "Parses a JSON string into a PHP value — a safe alternative to unserialize() for structured data exchange.",
    "long": "json_decode($json, true) parses a JSON string, returning an associative array (true) or stdClass object (false/null). Unlike unserialize(), it cannot instantiate arbitrary PHP objects or invoke magic methods, making it safe for untrusted input. Always check json_last_error() === JSON_ERROR_NONE after decoding, or use JSON_THROW_ON_ERROR (PHP 7.3+) to throw a JsonException on malformed input. Use json_encode() with JSON_THROW_ON_ERROR on the output side.",
    "aliases": [
        "json_decode()",
        "PHP JSON parsing",
        "json_encode"
    ],
    "tags": [
        "php",
        "json",
        "data"
    ],
    "misconception": "json_decode() always returns null only when the input is null. It also returns null for malformed JSON, and in PHP < 7.3 gives no indication of why. Always follow json_decode() with a json_last_error() check, or pass JSON_THROW_ON_ERROR in PHP 7.3+ to get an exception instead.",
    "why_it_matters": "json_decode() returns null both for valid JSON null and for invalid JSON — callers who do not check json_last_error() silently process null as if it were valid decoded data.",
    "common_mistakes": [
        "Not checking json_last_error() after decoding — null from a malformed JSON string is indistinguishable from JSON null.",
        "Using the second argument (assoc=true) inconsistently — mixing object and array access patterns.",
        "Not setting JSON_THROW_ON_ERROR flag (PHP 7.3+) — eliminates the need to manually check json_last_error().",
        "Not validating the decoded structure — a valid JSON string may decode to a type or shape the application does not expect."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "insecure_deserialization"
    ],
    "prerequisites": [
        "php_data_types",
        "type_declarations",
        "defensive_programming"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.json-decode.php"
    ],
    "bad_code": "// Silent failure on invalid JSON:\n$data = json_decode($input);\n$name = $data->name; // Fatal error or null — json_last_error() not checked\n\n// Safe:\n$data = json_decode($input, flags: JSON_THROW_ON_ERROR);\n// JsonException thrown on invalid JSON",
    "good_code": "// Always pass true for associative array (avoids stdClass)\n$data = json_decode($json, true);\n\n// Check for errors\nif (json_last_error() !== JSON_ERROR_NONE) {\n    throw new \\InvalidArgumentException('Invalid JSON: ' . json_last_error_msg());\n}\n\n// PHP 7.3+ — throw on error\ntry {\n    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);\n} catch (\\JsonException $e) {\n    throw new \\InvalidArgumentException('Invalid JSON', previous: $e);\n}\n\n// Encode with useful flags\n$json = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);",
    "quick_fix": "Use json_decode($json, true, 512, JSON_THROW_ON_ERROR) — the flags make it throw JsonException on invalid JSON instead of silently returning null, and associative array mode avoids stdClass surprises",
    "severity": "medium",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/json_decode",
        "html_url": "https://codeclaritylab.com/glossary/json_decode",
        "json_url": "https://codeclaritylab.com/glossary/json_decode.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[json_decode()](https://codeclaritylab.com/glossary/json_decode) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/json_decode"
            }
        }
    }
}