lyte/serial
===========

A safe unserializer for PHP serialized arrays and scalar types.

Version 1.0.0 · MIT license · PHP >=7.3 · [Source](https://github.com/neerolyte/php-lyte-serial) · [Packagist](https://packagist.org/packages/lyte/serial) · [1 issue](https://github.com/neerolyte/php-lyte-serial/issues)

PHP Lyte Serial
===============

PHP Serialized string array and scalar unserialization using pure PHP.

Runtime **PHP 7.3+** (aligned with PHPUnit 9 for development). The `composer.lock` is resolved for PHP 7.3 via `config.platform` so installs stay consistent on older runtimes.

Usage
=====

Install with composer:

```
composer require lyte/serial
```

Serial
------

`Serial` is a simplified interface that attempts to work well in a legacy code base.

Load the namespace:

```
use Lyte\Serial\Serial;
// unserialize statically
$unserialized = Serial::unserialize($someSerializedString);
// or with an instance
$serial = new Serial;
$unserialized = $serial->unserialize($someSerializedString);

// check if a string appears to be serialized
if (Serial::isSerialized($someUnknownString)) {
	$unserialized = Serial::unserialize($someUnknownString);
}

// or rely on exceptions
try {
	$unserialized = Serial::unserialize($someUnknownString);
} catch (\Exception $e) {
	// ...
}
```

Unserializer
------------

`Unserializer` is the internal workhorse.

```
use Lyte\Serial\Unserializer;
$serial = new Unserializer($someSerializedString);
$unserialized = $serial->unserialize();
```

### Wrong `s:` byte lengths (nested payloads)

If a string declares `s:N:` but the next `"` is not exactly *N* bytes later (common when counts used UTF-8 lengths, wrong newlines, or copy-paste errors), strict parsing fails. Enable inference and optional wire repair:

```
$u = new Unserializer($blob, ['repairLengths' => true]);
$data = $u->unserialize();
// $u->lengthIssues lists declared vs actual lengths and digit span offsets

list($fixedBlob, $issues) = Unserializer::repairSerializedString($blob);
// or Serial::repairSerializedString($blob)
```

`repairLengths` is read with `filter_var(..., FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)` and must coerce to **strict** true (e.g. `true`, `1`, `"1"`, `"true"`, `"on"`, `"yes"`). Values such as `false`, `0`, `"0"`, `"false"`, `"no"`, `""`, `null`, or unset leave repair **off** (so string `"false"` from env/JSON does not accidentally enable it).

For values that look like nested PHP serialization (`a:…`, `s:…`, etc.), the actual length is derived by parsing one full value. For other strings, repair uses the first `";` sequence with no `"` inside the payload (unsafe for arbitrary binary that may contain those bytes).

Why?
====

The standard `serialize()` and `unserialize()` calls in PHP are known to be unsafe even if you use the `$allowed_classes` filter in PHP 7 (there are memory corruption bugs).

The standard answer to this is "use JSON" but some applications were using PHP serialized strings for internal storage long before JSON was a thing (well... popular).

In this case it may be useful to have a safer parser that rejects anything that's not an array or scalar type (i.e. what you could safely store in JSON) as a middle ground to harden a code base without having to immediately switch out the underlying storage format.

Note: I'm not advocating letting any strings be unserialized that can in any way be modified by a user, just that if you use a safer parser and someone compromises some other part of your application this *might* at least slow them down.
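The idea above, together with the strict `s:N:` length check described under "Wrong `s:` byte lengths", can be sketched as an allowlist parser. This is an added example, not lyte/serial's own code: every function name is hypothetical, the inputs are constructed, and it is narrowed to null, bool, int, finite float, string and array (`INF`/`NAN` floats are rejected).

```php
<?php // Added illustration only, NOT lyte/serial's implementation; all names are hypothetical.
function fail(string $why, int $p): void { throw new UnexpectedValueException("$why at offset $p"); }
function lit(string $s, int &$p, string $want): void { // consume an exact literal
    if (substr($s, $p, strlen($want)) !== $want) fail("expected '$want'", $p);
    $p += strlen($want);
}
function upTo(string $s, int &$p, string $end, string $re): string { // validated token before $end
    $e = strpos($s, $end, $p);
    $tok = $e === false ? '' : substr($s, $p, $e - $p);
    if (!preg_match($re, $tok)) fail('malformed token', $p);
    $p = $e + 1;
    return $tok;
}
function parseValue(string $s, int &$p, int $depth = 0) {
    $t = $s[$p] ?? '';
    if ($t === 'N') { lit($s, $p, 'N;'); return null; }
    // Allowlist: O:, C:, E:, r:, R: (objects, enums, references) are refused here.
    if ($t === '' || strpos('bidsa', $t) === false) fail("disallowed type '$t'", $p);
    lit($s, $p, "$t:");
    if ($t === 'b') return upTo($s, $p, ';', '/\A[01]\z/') === '1';
    if ($t === 'i') return (int) upTo($s, $p, ';', '/\A-?\d+\z/');
    if ($t === 'd') return (float) upTo($s, $p, ';', '/\A-?\d+(\.\d+)?(E[+-]?\d+)?\z/i');
    $n = (int) upTo($s, $p, ':', '/\A\d+\z/');
    if ($t === 's') {
        lit($s, $p, '"');
        if (strlen($s) - $p < $n) fail('string shorter than declared', $p);
        $p += $n;
        lit($s, $p, '";'); // closing quote must sit exactly $n bytes after the opening one
        return substr($s, $p - $n - 2, $n);
    }
    if ($depth >= 32) fail('nesting too deep', $p); // bound recursion on nested arrays
    lit($s, $p, '{');
    $out = [];
    while ($n-- > 0) {
        $k = parseValue($s, $p, $depth + 1);
        if (!is_int($k) && !is_string($k)) fail('array key must be int or string', $p);
        $out[$k] = parseValue($s, $p, $depth + 1);
    }
    lit($s, $p, '}');
    return $out;
}
function parseStrict(string $s) {
    $p = 0; $v = parseValue($s, $p);
    if ($p !== strlen($s)) fail('trailing bytes', $p);
    return $v;
}
// Constructed inputs: a valid array, an object token, a character count (5) on a 6-byte UTF-8 string.
foreach (['a:1:{s:1:"k";i:7;}', 'O:8:"stdClass":0:{}', "s:5:\"h\xC3\xA9llo\";"] as $in) {
    try { var_dump(parseStrict($in)); } catch (UnexpectedValueException $e) { echo $e->getMessage(), "\n"; }
}
```

The first input parses to `['k' => 7]`; the object token is refused at offset 0 before any class name is read, and the third fails because the closing `";` is not where the declared byte length says it should be.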

Why can't I use `$allowed_classes`?
-----------------------------------

PHP 7 added the `$allowed_classes` option to the [`unserialize()`](http://php.net/unserialize) function.

In theory you could just set this to `null` (or a safe set of classes), but unfortunately [there are memory corruption bugs](https://media.ccc.de/v/33c3-7858-exploiting_php7_unserialize), meaning if you rely on that behaviour, you **are** vulnerable.
