2017 © Pedro Peláez
 

lyte/serial

A safe unserializer for PHP serialized arrays and scalar types.

  • Monday, June 25, 2018
  • by lyte
  • Repository
  • 1 Watchers
  • 0 Stars
  • 1,187 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 0 Forks
  • 0 Open issues
  • 8 Versions
  • 23640 % Grown

The README.md

PHP Lyte Serial


Unserialization of PHP serialized strings, arrays and scalar types, implemented in pure PHP.

Usage

Install with composer:

composer require lyte/serial

Serial

Serial is a simplified interface that attempts to work well in a legacy code base.

Load the namespace:

use Lyte\Serial\Serial;
// unserialize statically
$unserialized = Serial::unserialize($someSerializedString);
// or with an instance
$serial = new Serial;
$unserialized = $serial->unserialize($someSerializedString);

// check if a string appears to be serialized
if (Serial::isSerialized($someUnknownString)) {
    $unserialized = Serial::unserialize($someUnknownString);
}

// or rely on exceptions
try {
    $unserialized = Serial::unserialize($someUnknownString);
} catch (\Exception $e) {
    // ...
}

Unserializer

Unserializer is the internal workhorse.

use Lyte\Serial\Unserializer;
$serial = new Unserializer($someSerializedString);
$unserialized = $serial->unserialize();

Why?

The standard serialize() and unserialize() calls in PHP are known to be unsafe even if you use the $allowed_classes filter in PHP 7 (there are memory corruption bugs).

The standard answer to this is "use JSON", but some applications were using PHP serialized strings for internal storage long before JSON was a thing (well... popular).

In this case it may be useful to have a safer parser that rejects anything that's not an array or scalar type (i.e. what you could safely store in JSON) as a middle ground to harden a code base without having to immediately switch out the underlying storage format.

Note: I'm not advocating letting any string that can in any way be modified by a user be unserialized, just that if you use a safer parser and someone compromises some other part of your application, this might at least slow them down.

Why can't I use $allowed_classes?

PHP 7 added the $allowed_classes option to the unserialize() function.

In theory you could just set this to null (or a safe set of classes), but unfortunately there are memory corruption bugs, meaning that if you rely on that behaviour you are vulnerable.
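To make the "reject anything that's not an array or scalar" idea concrete, here is an added example (not lyte/serial's own code) of a minimal allow-list parser for the serialize() format; the class ScalarArrayUnserializer and its methods are assumptions for illustration, not the library's API, and the inputs at the bottom are constructed.

```php
<?php
// Added example, not lyte/serial's own code: an allow-list parser for PHP's
// serialize() format. Only N, b, i, d, s and a tokens are accepted; O:, C:,
// r:/R: and unknown bytes throw before any class could be instantiated. PHP 8.0+.
final class ScalarArrayUnserializer {
    private int $pos = 0;
    private function __construct(private string $in) {}
    public static function parse(string $in): mixed {
        $p = new self($in);
        $v = $p->value();
        return $p->pos === strlen($in) ? $v : throw new UnexpectedValueException('trailing data');
    }
    // Match $re at the current offset (\G anchor) and advance past the match.
    private function take(string $re): array {
        if (!preg_match("/\\G$re/", $this->in, $m, 0, $this->pos)) {
            throw new UnexpectedValueException("bad token at offset {$this->pos}");
        }
        $this->pos += strlen($m[0]);
        return $m;
    }
    private function value(): mixed {
        switch ($this->in[$this->pos] ?? '') {
            case 'N': $this->take('N;'); return null;
            case 'b': return $this->take('b:([01]);')[1] === '1';
            case 'i': return (int) $this->take('i:(-?\d+);')[1];
            case 'd': return (float) $this->take('d:(-?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?);')[1];
            case 's': // the declared byte length is trusted only after a bounds check
                $len = (int) $this->take('s:(\d+):"')[1];
                $str = substr($this->in, $this->pos, $len);
                if (strlen($str) !== $len) { throw new UnexpectedValueException('string truncated'); }
                $this->pos += $len;
                $this->take('";');
                return $str;
            case 'a':
                $out = [];
                for ($n = (int) $this->take('a:(\d+):\{')[1]; $n > 0; $n--) {
                    $k = $this->value();
                    if (!is_int($k) && !is_string($k)) { throw new UnexpectedValueException('bad key'); }
                    $out[$k] = $this->value();
                }
                $this->take('\}');
                return $out;
            default: // O:, C:, r:, R: and anything unexpected are refused outright
                throw new UnexpectedValueException("rejected type token at offset {$this->pos}");
        }
    }
}
// Constructed inputs: a harmless array is parsed, an object payload is refused.
var_dump(ScalarArrayUnserializer::parse('a:2:{i:0;s:3:"foo";s:1:"k";d:1.5;}'));
try { ScalarArrayUnserializer::parse('O:8:"stdClass":0:{}'); } catch (UnexpectedValueException $e) { echo "refused: {$e->getMessage()}\n"; }
```

Nesting depth is unbounded here, so a production parser should cap recursion; non-finite floats (INF, NAN) are also refused by the d: pattern rather than decoded.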

The Versions

Every version listed is MIT licensed, requires php >=5.4, declares no development requirements, is by David Schoen, and carries the description "A safe unserializer for PHP serialized arrays and scalar types."

  • dev-master (9999999-dev), 25/06 2018
  • 0.1.0 (0.1.0.0), 25/06 2018
  • dev-expose-php-notices, 25/06 2018
  • dev-new-php-versions, 25/06 2018
  • dev-is-serialized, 25/06 2018
  • dev-coverage, 19/06 2017
  • 0.0.1 (0.0.1.0), 19/06 2017
  • 0.0.0 (0.0.0.0), 10/06 2017