PHPackages lyte/serial - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. lyte/serial ActiveLibrary lyte/serial =========== A safe unserializer for PHP serialized arrays and scalar types. 1.0.0(2mo ago)128.5k↓45.5%[1 issues](https://github.com/neerolyte/php-lyte-serial/issues)MITPHPPHP >=7.3 Since Jun 10Pushed 7y ago1 watchersCompare [ Source](https://github.com/neerolyte/php-lyte-serial)[ Packagist](https://packagist.org/packages/lyte/serial)[ RSS](/packages/lyte-serial/feed)WikiDiscussions master Synced 1mo ago READMEChangelog (2)Dependencies (4)Versions (9)Used By (0) PHP Lyte Serial =============== [](#php-lyte-serial) [![Build Status](https://camo.githubusercontent.com/d033866babb8e2e1162037fff5f6d53b3b808721e80fced29df72081828cb14a/68747470733a2f2f6170692e7472617669732d63692e6f72672f6e6565726f6c7974652f7068702d6c7974652d73657269616c2e7376673f6272616e63683d6d6173746572)](https://travis-ci.org/neerolyte/php-lyte-serial) [![Coverage Status](https://camo.githubusercontent.com/c22a5d1147d1a7a915eb2b8e94532eac07dc988f475481cfa18885b3dd625f07/68747470733a2f2f636f766572616c6c732e696f2f7265706f732f6769746875622f6e6565726f6c7974652f7068702d6c7974652d73657269616c2f62616467652e7376673f6272616e63683d6d6173746572)](https://coveralls.io/github/neerolyte/php-lyte-serial?branch=master) PHP Serialized string array and scalar unserialization using pure PHP. Usage ===== [](#usage) Install with composer: ``` composer require lyte/serial ``` Serial ------ [](#serial) `Serial` is a simplified interface that attempts to work well in a legacy code base. Load the namespace: ``` use Lyte\Serial\Serial; // unserialize statically $unserialized = Serial::unserialize($someSerializedString); // or with an instance $serial = new Serial; $unserialized = $serial->unserialize($someSerializedString); // check if a string appears to be serialized if (Serial::isSerialized($someUnknownString)) { $unserialized = Serial::unserialize($someUnknownString); } // or rely on exceptions try { $unserialized = Serial::unserialize($someUnknownString); } catch (\Exception $e) { // ... } ``` Unserializer ------------ [](#unserializer) `Unserializer` is the internal work horse. ``` use Lyte\Serial\Unserializer; $serial = new Unserializer($someSerializedString); $unserialized = $serial->unserialize(); ``` Why? ==== [](#why) The standard `serialize()` and `unserialize()` calls in PHP are known to be unsafe even if you use the `$allowed_classes` filter in PHP 7 (there are memory corruption bugs). The standard answer to this is "use JSON" but some applications were using PHP serialized strings for internal storage long before JSON was a thing (well... popular). In this case it may be useful to have a safer parser that rejects anything that's not an array or scalar type (i.e what you could safely store in JSON) as a middle ground to harden a code base without having to immediately switch out the underlying storage format. Note: I'm not advocating letting any strings be unserialized that can in anyway be modified by a user, just that if you use a safer parser and someone compromises some other part of your application this *might* at least slow them down. Why can't I use `$allowed_classes`? ----------------------------------- [](#why-cant-i-use-allowed_classes) PHP 7 added the `$allowed_classes` option to the [`unserialize()`](http://php.net/unserialize) function. In theory you could just set this to `null` (or a safe set of classes), but unfortunately [there's memory corruption bugs](https://media.ccc.de/v/33c3-7858-exploiting_php7_unserialize) meaning if you rely on that behaviour, you **are** vulnerable. ### Health Score 36 — LowBetter than 82% of packages Maintenance30 Infrequent updates — may be unmaintained Popularity28 Limited adoption so far Community7 Small or concentrated contributor base Maturity63 Established project with proven stability Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~1068 days Total 4 Last Release 60d ago Major Versions 0.1.0 → 1.0.02026-03-20 PHP version history (2 changes)0.0.0PHP >=5.4 1.0.0PHP >=7.3 ### Community Maintainers ![](https://avatars.githubusercontent.com/u/64971?v=4)[futuristicvlad](/maintainers/lyte)[@lyte](https://github.com/lyte) --- Top Contributors [![neerolyte](https://avatars.githubusercontent.com/u/1070702?v=4)](https://github.com/neerolyte "neerolyte (43 commits)") ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/lyte-serial/health.svg) ``` [![Health](https://phpackages.com/badges/lyte-serial/health.svg)](https://phpackages.com/packages/lyte-serial) ``` PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)