Diving into unserialize()

How PHP’s unserialize() works, and why it leads to vulnerabilities

Vickie Li
Published in The Startup
5 min read, Sep 19, 2019



PHP’s unserialize() function

In a nutshell, PHP’s unserialize() function takes a string (representing a serialized object) and converts it back to a PHP object.

Basically, when you need to store a PHP object or transfer it over the network, you first use serialize() to pack it up.

serialize(): PHP object -> plain old string that represents the obj

Then when you need to use that data again, you use unserialize() to unpack and get the data that you want. Neato, am I right?

unserialize(): string containing object data -> original object

The details

According to the PHP docs, unserialize() “creates a PHP value from a stored representation” and “takes a single serialized variable and converts it back into a PHP value”.

It takes two parameters: str and options. str is the parameter containing the serialized string waiting to be deserialized. options is an array of settings that control certain aspects of the function’s behavior. For unserialize() in particular, the only user-defined option it recognizes is allowed_classes, which specifies the class names that should be accepted.

We’ll dive into allowed_classes further, but essentially, when unserialize() encounters an object of a class that isn’t on the accepted list, that object is instantiated as __PHP_Incomplete_Class instead.
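To make the allowed_classes behavior concrete, here is an added example (not code from the original article) that round-trips a constructed Session class through serialize()/unserialize() and shows what changes when the class is, and is not, on the allow-list. It assumes PHP 7.0 or newer, where the options parameter exists; the class, its values and the allow-lists are made up for illustration.

```php
<?php
// Added example, not from the original article. The Session class, the
// sample values and the allow-lists are constructed for illustration.

class Session {
    public $user;
    public $restored = false;
    public function __construct(string $user) { $this->user = $user; }
    // Magic method unserialize() runs when it instantiates a real Session.
    public function __wakeup() { $this->restored = true; }
}

// serialize(): PHP object -> plain string describing class and properties.
$packed = serialize(new Session('alice'));
echo $packed, "\n";

// Default: whatever class the string names gets instantiated, and its
// __wakeup() runs. The string, not the application, chose the class.
$obj = unserialize($packed);
var_dump(get_class($obj), $obj->restored);

// allowed_classes as an array: only the listed classes are instantiated.
$obj = unserialize($packed, ['allowed_classes' => ['Session']]);
var_dump(get_class($obj), $obj->restored);

// A class that is not on the list becomes __PHP_Incomplete_Class. The
// property data is kept, but no method of the original class runs.
$obj = unserialize($packed, ['allowed_classes' => []]);
var_dump($obj instanceof __PHP_Incomplete_Class, (array) $obj);

// allowed_classes => false refuses every class; scalars and arrays work.
$arr = unserialize(serialize(['a' => 1]), ['allowed_classes' => false]);
var_dump($arr);

// Defender-side wrapper: an incomplete class means the input named a class
// the application did not expect, so reject it instead of passing it on.
function restricted_unserialize(string $data, array $allowed) {
    $value = unserialize($data, ['allowed_classes' => $allowed]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException(
            'serialized data named a class outside the allow-list');
    }
    return $value;
}

var_dump(restricted_unserialize($packed, ['Session'])->user);
```

The wrapper only inspects the top-level value; an incomplete object nested inside an array or another object would need a recursive walk to detect.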

How it works

unserialize() in a (very big) nutshell.

Step 0: What are PHP magic methods?

PHP magic methods are function names in PHP that have “magical” properties. Learn more about them…


Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics. https://twitter.com/vickieli7