
PHP Serialization: Complete Guide to Serialize, Unserialize and Convert Your Data
Master PHP serialization: serialize, unserialize, JSON↔PHP conversion. Practical guide with concrete examples and security best practices.
What is PHP serialization?
PHP serialization turns structures (arrays, objects, scalars) into a textual binary-safe string you can store in a database, write to disk, or move across processes — then unserialize() rebuilds the value. This powers native PHP sessions, many app caches, and WordPress-style metadata. To convert or inspect serialized PHP without installing extensions, use our online PHP serialization tool. This guide covers the wire format, how it compares to JSON, why unserialize() on untrusted input is dangerous, and practical notes (WordPress, safer alternatives). For API-style payloads, see our complete JSON minification guide; when you ship compact JS, an online JavaScript minifier helps, and for readability a JavaScript unminifier supports debugging.
Where PHP serialization actually matters
PHP sessions often persist serialized server-side state; frameworks and CMSs serialize options, job payloads, or object snapshots for later hydration. Understanding the format helps you fix corrupted rows or migrate safely to JSON.

You will routinely encounter serialized PHP in production environments such as:
Before running SQL find/replace migrations, map nested types and string length segments so you do not break s:n:"…" declarations.

WordPress, migrations, and hygiene
Many meta values are stored serialized. Before bulk SQL replacements (e.g., domain changes), deserialize and reserialize properly — otherwise you break string length prefixes in s:n:"...". Use dedicated tools or PHP scripts, and validate with FastMinify on copies.
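The deserialize-and-reserialize step described above, as an added PHP 8 example (not code from WordPress or FastMinify). The function names, the domains, and the sample row are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Replace $from with $to in every string value (array keys are left alone).
// Objects are refused so those rows get reviewed by hand instead of rewritten.
function replaceDeep(mixed $value, string $from, string $to): mixed
{
    if (is_string($value)) {
        return str_replace($from, $to, $value);
    }
    if (is_object($value)) {
        throw new UnexpectedValueException('object in blob');
    }
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = replaceDeep($item, $from, $to);
        }
    }
    return $value;
}

// Returns the rewritten blob, or null when the row must be skipped.
function migrateBlob(string $blob, string $from, string $to): ?string
{
    // allowed_classes=false: objects decode to __PHP_Incomplete_Class, so no
    // application class is instantiated while migrating.
    $decoded = @unserialize($blob, ['allowed_classes' => false]);
    if ($decoded === false && $blob !== 'b:0;') {
        return null; // corrupted, or not serialized data at all
    }
    try {
        return serialize(replaceDeep($decoded, $from, $to));
    } catch (UnexpectedValueException) {
        return null;
    }
}

// Constructed sample row (hypothetical option value and domains).
$row = serialize(['home' => 'http://old.example/blog', 'posts_per_page' => 10]);

// Naive text replace: the prefix still says s:23 but the string is now 28 bytes.
$naive = str_replace('http://old.example', 'https://new.example.org', $row);
var_dump(@unserialize($naive, ['allowed_classes' => false]));

// Decode, replace, re-encode: serialize() recomputes every length prefix.
$fixed = migrateBlob($row, 'http://old.example', 'https://new.example.org');
echo $fixed, "\n";
```

Rows for which migrateBlob() returns null were either not serialized data or contain objects, and need separate handling.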
Align with OWASP guidance: no deserialization of arbitrary attacker-controlled blobs, log anomalies, rotate secrets if cache poisoning was possible.
serialize(), unserialize(), and reading the format
serialize() emits a typed textual representation; unserialize() restores the value. Minimal associative array example:
Before
<?php
$user = ['id' => 42, 'name' => 'Ada', 'roles' => ['editor', 'reviewer']];
echo serialize($user);
After
a:3:{s:2:"id";i:42;s:4:"name";s:3:"Ada";s:5:"roles";a:2:{i:0;s:6:"editor";i:1;s:8:"reviewer";}}
Each fragment starts with a type letter and colons. Reading the format helps debugging without executing attacker-controlled payloads.
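A read-only walker for this format, added here as an example (not part of the original guide or of any tool it mentions): it lists each value, checks every string length prefix, and flags object tokens without ever calling unserialize(). It covers the N, b, i, d, s, a, O, r and R tokens and rejects anything else; the function names and the sample blob are constructed.

```php
<?php
// Match $re at exactly byte $pos and advance past it, or fail loudly.
function eat(string $re, string $s, int &$pos): array
{
    if (!preg_match("/\\G(?:$re)/", $s, $m, 0, $pos)) {
        throw new RuntimeException("unexpected data at byte $pos");
    }
    $pos += strlen($m[0]);
    return $m;
}
// Read "<len bytes>" for s: and O: tokens; a wrong length prefix fails here.
function readQuoted(string $s, int &$pos, int $len): string
{
    eat('"', $s, $pos);
    $pos += $len;
    eat('"', $s, $pos);
    return substr($s, $pos - $len - 1, $len);
}
// Describe one value without calling unserialize(); $pos ends just past it.
function walkValue(string $s, int &$pos, array &$report, int $depth = 0): void
{
    $pad = str_repeat('  ', $depth);
    $m = eat('N;|(?|([bidrR]):([^;:"{}]+);|([saO]):(\d+):)', $s, $pos);
    [$type, $arg] = [$m[1] ?? 'N', $m[2] ?? ''];
    if ($type === 's') {
        $report[] = "{$pad}string($arg) " . readQuoted($s, $pos, (int) $arg);
        eat(';', $s, $pos);
    } elseif ($type === 'a' || $type === 'O') {
        $label = 'array';
        if ($type === 'O') { // O:<len>:"<class>":<count>:{...}
            $label = 'OBJECT ' . readQuoted($s, $pos, (int) $arg);
            $arg = eat(':(\d+):', $s, $pos)[1];
        }
        $report[] = "$pad$label, $arg entries";
        eat('\{', $s, $pos);
        for ($i = 0; $i < 2 * (int) $arg; $i++) { // keys and values alternate
            walkValue($s, $pos, $report, $depth + 1);
        }
        eat('\}', $s, $pos);
    } else {
        $report[] = $pad . ($type === 'N' ? 'null' : "$type $arg");
    }
}

// Constructed sample: an array whose second element is a serialized object.
$blob = 'a:2:{s:4:"name";s:3:"Ada";s:4:"user";O:8:"stdClass":1:{s:2:"id";i:7;}}';
[$pos, $report] = [0, []];
walkValue($blob, $pos, $report);
echo implode("\n", $report), "\n";
```

Any report line starting with OBJECT names a class that unserialize() would try to instantiate, which is the signal to look for when triaging a blob of unknown origin.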
Serialize, unserialize, and convert with FastMinify
Paste serialized PHP or JSON, pick the operation (beautify, minify, JSON ↔ PHP). Processing stays client-side — handy for WordPress exports or legacy APIs returning PHP-serialized strings.

Paste the payload
Bring the string from the database (postmeta, option row, cache) or JSON to convert.
Choose the action
Serialize, unserialize, or convert to/from JSON for the task at hand.
Validate off production
Compare output with application expectations; never unserialize() untrusted input.
Mixed PHP + frontend teams save time inspecting a blob without bootstrapping a full stack.
JSON, PHP serialize, and security
JSON is universal for HTTP APIs and browsers; PHP serialize is idiomatic for rich internal PHP storage. Prefer JSON at network boundaries; serialize can remain valid for trusted PHP-only storage.
Basic example
<?php
$data = ['ok' => true, 'count' => 3];
$json = json_encode($data, JSON_THROW_ON_ERROR);
// {"ok":true,"count":3}
Configuration
<?php
$same = ['ok' => true, 'count' => 3];
$php = serialize($same);
// a:2:{s:2:"ok";b:1;s:5:"count";i:3;}
Usage
// Interop: json_decode for API input; unserialize ONLY on signed/controlled data.
Never unserialize() raw user input: object injection and magic-method gadget chains are a real risk. Prefer JSON + schema validation, signed formats (HMAC), or strict class allowlists when you must deserialize.
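The signed-format and class-allowlist options named above, combined in one added PHP 8 example (not code from the original guide). The envelope layout "<hex mac>.<base64 payload>", the CartSnapshot class, and the function names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical value object: the only class this code path may rebuild.
final class CartSnapshot
{
    public function __construct(public array $items = []) {}
}

// Wrap a serialized value as "<hex mac>.<base64 payload>".
function sealValue(mixed $value, string $key): string
{
    $payload = serialize($value);
    return hash_hmac('sha256', $payload, $key) . '.' . base64_encode($payload);
}

// Verify the MAC first; only an authentic payload ever reaches unserialize().
function openValue(string $sealed, string $key): mixed
{
    [$mac, $encoded] = explode('.', $sealed, 2) + [1 => ''];
    $payload = base64_decode($encoded, true);
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new RuntimeException('signature check failed');
    }
    // Second layer: even authentic data may only rebuild allowlisted classes.
    return unserialize($payload, ['allowed_classes' => [CartSnapshot::class], 'max_depth' => 16]);
}

$key = random_bytes(32); // constructed per run; a real key lives in server-side config
$sealed = sealValue(new CartSnapshot(['sku-1' => 2]), $key);
var_dump(openValue($sealed, $key) instanceof CartSnapshot);

// Constructed tampering case: a swapped payload under the old MAC is rejected
// before unserialize() is called.
$forged = explode('.', $sealed)[0] . '.' . base64_encode('O:8:"stdClass":0:{}');
try {
    openValue($forged, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```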
Basic example
<?php
// Dangerous — do not do this on HTTP input
// $obj = unserialize($_POST['payload']);
Usage
<?php
$payload = $_POST['json'] ?? '{}';
$safe = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
// Associative array: no arbitrary object instantiation
For large binary-efficient storage, igbinary or msgpack shrink payloads while staying inside infrastructure you control — complementary to public JSON APIs.
Configuration
// Conceptual (requires igbinary extension)
// $packed = igbinary_serialize($data);
Usage
// Rollout: migrate legacy blobs to JSON + schema validation incrementally
Conclusion
PHP serialization remains core to internal storage and ecosystems like WordPress, but it demands strict discipline around unserialize(). For quick debugging and JSON conversion, a reliable online tool accelerates triage without touching production. Keep JSON at network edges, PHP serialize in trust zones, and measure impact before any migration.