The PHP functions serialize() and unserialize() are used to convert complex data structures into storable strings and back again. 1. serialize() converts data like arrays or objects into a string containing type and structure information. 2. unserialize() reconstructs the original data from a serialized string. 3. Serialization is useful for session handling, caching, and storing structured data in databases. 4. It should not be used for cross-language communication, large datasets, or untrusted data. 5. Serialized strings include class names, so changes to class definitions can cause issues during unserialization.

When you need to store or transfer complex PHP data structures—like arrays or objects—you can't just use them directly in a string format. That's where data serialization comes in. In PHP, serialize() and unserialize() are built-in functions that help convert these complex data types into storable strings and back again.

What does serialize() do?

serialize() takes a PHP value (like an array or object) and converts it into a string representation that holds all the necessary information about the original data, including type and structure.

For example:

$data = ['name' => 'John', 'age' => 30];
$serialized = serialize($data);
// Outputs: a:2:{s:4:"name";s:4:"John";s:3:"age";i:30;}

This string isn’t meant for humans to read—it’s designed for PHP to understand later when needed. You’ll often see this used when saving session data, caching results, or storing complex values in a database.

• Use serialize() when:
  • You want to save an object/array state for later.
  • You're working with PHP-specific data and plan to unserialize it eventually.
  • You don't need cross-language compatibility.

Keep in mind that serialized strings are PHP-specific, so if you need to share data with another system (like JavaScript), JSON might be a better choice.

How does unserialize() work?

Once you’ve stored or transferred a serialized string, unserialize() helps you get your original data back.

Here's how you reverse the earlier example:

$originalData = unserialize($serialized);
// $originalData now matches the original $data array

As long as the serialized string is valid and the class definitions exist (for objects), PHP will reconstruct the data exactly as it was before serialization.

But there are a few gotchas:

• If you serialize an object from a custom class, you must include that class definition before unserializing, or you’ll end up with an incomplete object.
• Serialized data may contain references to resources or other internal pointers, which won’t survive the process. Those parts usually become null.

So always test after serializing and unserializing to make sure everything behaves as expected.

When should you use serialization?

There are specific cases where using serialize() makes sense in PHP applications:

• Session handling: PHP automatically uses serialization when storing session data.
• Caching complex data: Instead of rebuilding heavy arrays or objects every time, store them in a cache file or memory store like Redis using serialized strings.
• Storing structured data in databases: Sometimes it's easier to store an array of settings as a single field instead of normalizing them into separate columns.

However, avoid overusing it:

• Don’t serialize data that needs to be readable or editable outside PHP.
• Avoid serializing large datasets frequently—it can affect performance.
• Never trust user-provided serialized strings without validation; they can be vectors for attacks.

A few important notes

One thing people often forget: the serialized string includes the class name for objects. So if you rename or remove a class, trying to unserialize old data will fail or result in an unexpected object.

Also, while serialize() and unserialize() are convenient, they’re not the only way to handle data interchange. For APIs or front-end communication, json_encode() and json_decode() are more common and portable.

If you're going to use serialization, keep it internal and controlled.

That’s basically how serialize() and unserialize() work in PHP. It’s a handy feature once you understand its purpose and limitations.

The above is the detailed content of What is data serialization in PHP (serialize(), unserialize())?. For more information, please follow other related articles on the PHP Chinese website!