nokitakaze/serializer

Safe serialization

Safe (un-)serialization of any data

Remote code execution via PHP unserialize. Official documentation says, _(*1)

DO NOT pass untrusted user input to unserialize() regardless of the options value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this, _(*2)

But JSON does not implement data as PHP does. I.e. JSON does not support [1=>2,3=>4,"a"=>5,"and"=>"so"]., _(*3)

Current status

General

, _(*4)

Usage

At first, _(*5)

composer require nokitakaze/serializer

And then, _(*6)

require_once 'vendor/autoload.php';
$text = NokitaKaze\Serializer\Serializer::serialize($data);
$data = NokitaKaze\Serializer\Serializer::unserialize($text, $is_valid);