{
    "slug": "serialize_function",
    "term": "serialize() / unserialize()",
    "category": "php",
    "difficulty": "intermediate",
    "short": "PHP's native serialisation functions can trigger arbitrary code execution via magic methods when deserialising untrusted data.",
    "long": "unserialize() reconstructs PHP objects from a string, invoking magic methods like __wakeup() and __destruct() in the process. If the serialised payload is attacker-controlled, they can craft a Property Oriented Programming (POP) chain using classes already loaded in the application to achieve arbitrary code execution — a PHP Object Injection attack. Never call unserialize() on user-supplied input. Use JSON (json_encode/json_decode) for data exchange; if serialisation is required, use authenticated, signed payloads or a safe serialisation library.",
    "aliases": [
        "serialize()",
        "unserialize()",
        "PHP object serialization"
    ],
    "tags": [
        "php",
        "serialization",
        "security",
        "deserialization"
    ],
    "misconception": "serialize() is safe to use for caching any PHP object. In reality, serialize()/unserialize() on untrusted data triggers PHP object injection, and cached data is only as trustworthy as the store it is read back from. For caching, use json_encode() for plain data structures, or explicitly allowlist trusted classes via unserialize($data, ['allowed_classes' => [SpecificClass::class]]); note that allowed_classes limits which classes are instantiated but the magic methods of those allowed classes still run, so treat it as defence in depth rather than a substitute for keeping untrusted input away from unserialize().",
    "why_it_matters": "serialize() converts PHP values to a storable string representation — passing serialized user input back to unserialize() is one of PHP's most dangerous patterns, enabling object injection attacks.",
    "common_mistakes": [
        "Unserializing any user-controlled data — cookies, URL parameters, database values from untrusted sources.",
        "Using serialize() for data exchange between systems — use JSON instead; json_decode() never instantiates application classes or invokes magic methods.",
        "Not using the allowed_classes option in unserialize() to restrict which classes can be instantiated.",
        "Storing serialized data in cookies — the cookie is user-controlled and can be replaced with a crafted payload."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "insecure_deserialization",
        "eval_injection"
    ],
    "prerequisites": [
        "insecure_deserialization",
        "php_object_injection",
        "phar_injection"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.unserialize.php",
        "https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection"
    ],
    "bad_code": "$obj = unserialize($_COOKIE['data']); // attacker-controlled",
    "good_code": "$data = json_decode(base64_decode($_COOKIE['data']), true); // JSON cannot instantiate application classes, but $data is still untrusted — validate its shape and values before use",
    "quick_fix": "Replace serialize()/unserialize() with json_encode()/json_decode() for data persistence — JSON is safer (no application class instantiation or magic-method calls), human-readable, and language-agnostic. Where object serialisation cannot be avoided, verify an authentication tag (e.g. an HMAC) over the payload before calling unserialize() and pass an allowed_classes allowlist.",
    "severity": "critical",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/serialize_function",
        "html_url": "https://codeclaritylab.com/glossary/serialize_function",
        "json_url": "https://codeclaritylab.com/glossary/serialize_function.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[serialize() / unserialize()](https://codeclaritylab.com/glossary/serialize_function) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/serialize_function"
            }
        }
    }
}