How to Use PHP serialize() and unserialize() Functions?

In PHP, the serialize() and unserialize() functions are used to convert data into a storable format and to recreate that data from its serialized form.

Serialization is often used for data storage, data transfer, and caching, allowing complex data structures to be easily saved and restored.

In this article, we'll explore how to use these two functions in PHP.

serialize() Function

The serialize() function is used to convert a PHP variable into a storable string representation.

This string can be saved in a file, a database, or transmitted over a network, and it can later be converted back into its original form using unserialize().

Here's a basic example of how to use serialize():

$data = [
    'name' => 'John',
    'age' => 30,
    'city' => 'New York',

$serializedData = serialize($data);
echo $serializedData;

In this example, we have an associative array called $data, and we use serialize($data) to convert it into a serialized string.

unserialize() Function

The unserialize() function is used to reverse the process performed by serialize().

It takes a serialized string as input and returns the original data structure.

Here's an example of how to use unserialize():

$serializedData = 'a:3:{s:4:"name";s:4:"John";s:3:"age";i:30;s:4:"city";s:8:"New York";}';

$originalData = unserialize($serializedData);

In this example, we provide the serialized data string to unserialize(), and it returns the original data structure.

Combining serialize() and unserialize()

The true power of serialize() and unserialize() is seen when you use them together to store and retrieve complex data structures.

// Serialize an array
$data = [
    'name' => 'John',
    'age' => 30,
    'city' => 'New York',

$serializedData = serialize($data);

// Store the serialized data (e.g., in a file or database)

// Later, retrieve the serialized data

// Unserialize the data
$originalData = unserialize($serializedData);

In this workflow, you can store the serialized data in a file or database and then, at a later time, retrieve and unserialize it to recover the original data structure.

This is commonly used for tasks like storing user session data, caching, or storing configuration settings.

Complex Data Structures

serialize() and unserialize() can handle complex data structures, including arrays, objects, and nested data. Here's an example with an object:

class Person {
    public $name;
    public $age;
    public $city;

    public function __construct($name, $age, $city) {
        $this->name = $name;
        $this->age = $age;
        $this->city = $city;

$person = new Person('Alice', 25, 'Los Angeles');
$serializedPerson = serialize($person);
echo $serializedPerson;

$unserializedPerson = unserialize($serializedPerson);
echo "\n";

In this example, we define a Person class, create an instance of it, and then use serialize() to convert it into a serialized string. We can later use unserialize() to recreate the object.

Error Handling

When working with unserialize(), you should be aware of potential errors.

If the serialized data is corrupted or tampered with, unserialize() may throw an error.

To handle these errors gracefully, you can use a try...catch block.

$serializedData = 'corrupted data';

try {
    $originalData = unserialize($serializedData);
} catch (Exception $e) {
    echo "Error: " . $e->getMessage();

Security Considerations

Keep in mind that unserialize() can introduce security risks if you unserialize data from untrusted sources.

Maliciously crafted serialized data can execute code or cause unexpected behavior.

It's recommended to validate and sanitize serialized data to mitigate these risks.


PHP's serialize() and unserialize() functions are powerful tools for converting data into a storable format and then restoring it to its original state.

These functions are widely used for tasks such as caching, data storage, and preserving complex data structures.

When using them, be aware of security considerations and handle errors gracefully, especially when unserializing data from untrusted sources.