PHPackages                             xkerman/restricted-unserialize - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. xkerman/restricted-unserialize

ActiveLibrary[Security](/categories/security)

xkerman/restricted-unserialize
==============================

provide PHP Object Injection safe unserialize function

1.1.12(6y ago)4623.5k↓18.8%2[3 issues](https://github.com/xKerman/restricted-unserialize/issues)[3 PRs](https://github.com/xKerman/restricted-unserialize/pulls)1MITPHPPHP &gt;=5.2CI failing

Since Oct 9Pushed 2y ago1 watchersCompare

[ Source](https://github.com/xKerman/restricted-unserialize)[ Packagist](https://packagist.org/packages/xkerman/restricted-unserialize)[ RSS](/packages/xkerman-restricted-unserialize/feed)WikiDiscussions master Synced yesterday

READMEChangelogDependencies (5)Versions (23)Used By (1)

restricted-unserialize
======================

[](#restricted-unserialize)

[![Build Status](https://camo.githubusercontent.com/25ed53d075f629cfe940db481965ad83d112fb25a7e076729f34e9a6a9cc2701/68747470733a2f2f7472617669732d63692e6f72672f784b65726d616e2f726573747269637465642d756e73657269616c697a652e7376673f6272616e63683d6d6173746572)](https://travis-ci.org/xKerman/restricted-unserialize)[![codecov](https://camo.githubusercontent.com/bf7f6163f9be85d3ec7de17933c24f1156c919c2d05d0444d5cebf793077f7c7/68747470733a2f2f636f6465636f762e696f2f67682f784b65726d616e2f726573747269637465642d756e73657269616c697a652f6272616e63682f6d61737465722f67726170682f62616467652e737667)](https://codecov.io/gh/xKerman/restricted-unserialize)[![Scrutinizer Code Quality](https://camo.githubusercontent.com/295e4f6a6bb5bc6a5570587404cfa09812eff051a2439953fab35d3a3de3bbb3/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f784b65726d616e2f726573747269637465642d756e73657269616c697a652f6261646765732f7175616c6974792d73636f72652e706e673f623d6d6173746572)](https://scrutinizer-ci.com/g/xKerman/restricted-unserialize/?branch=master)[![Latest Stable Version](https://camo.githubusercontent.com/56c5270ce16cf99e8fabded9681809c1c426467ae2d968054b4d47ffb144eba4/68747470733a2f2f706f7365722e707567782e6f72672f786b65726d616e2f726573747269637465642d756e73657269616c697a652f762f737461626c65)](https://packagist.org/packages/xkerman/restricted-unserialize)

This composer package provides `unserialize` function that is safe for [PHP Obejct Injection (POI)](https://www.owasp.org/index.php/PHP_Object_Injection).

If normal `unserialize` function is used for deserializing user input in your PHP application:

1. Don't use this package, use `json_decode` in order to avoid PHP Object Injection
2. If compatibility matters, first use this function and then try to use `json_decode` in the near future

Why POI-safe?
-------------

[](#why-poi-safe)

`unserialize` function in this package only deserializes boolean, integer, floating point number, string, and array, and not deserializes object instance. Since any instances that has magic method for POP chain (such as `__destruct` or `__toString`) cannot instantiate, any plan to exploit POP chain just fails. ( You can read detailed explanation of POP chain  )

Installation
------------

[](#installation)

```
$ composer require xkerman/restricted-unserialize

```

How to use
----------

[](#how-to-use)

if your PHP version &gt; 5.5:

```
require 'path/to/vendor/autoload.php';

use function xKerman\Restricted\unserialize;
use xKerman\Restricted\UnserializeFailedException;

try {
    var_dump(unserialize($data));
} catch (UnserializeFailedException $e) {
    echo 'failed to unserialize';
}

```

if your PHP version &gt;= 5.3 and &lt;= 5.5:

```
require 'path/to/vendor/autoload.php';

use xKerman\Restricted;
use xKerman\Restricted\UnserializeFailedException;

try {
    var_dump(Restricted\unserialize($data));
} catch (UnserializeFailedException $e) {
    echo 'failed to unserialize';
}

```

if your PHP version is 5.2:

```
require_once 'path/to/generated/src/xKerman/Restricted/bootstrap.php';

try {
    var_dump(xKerman_Restricted_unserialize($data));
} catch (xKerman_Restricted_UnserializeFailedException $e) {
    echo 'failed to unserialize';
}

```

Related other packages
----------------------

[](#related-other-packages)

### mikegarde/unserialize-fix

[](#mikegardeunserialize-fix)

[mikegarde/unserialize-fix](https://github.com/MikeGarde/unserialize-fix) package provides `\unserialize\fix` function that tries to use `unserialize` function first. So the function is not POI-safe.

### academe/serializeparser

[](#academeserializeparser)

[academe/serializeparser](https://github.com/academe/SerializeParser) package privides `\Academe\SerializeParser\Parser::parse` method that is PHP-implemented `unserialize`, but doesn't deserialize object instances. So the method seems that POI-safe, but there is no test.

### jeroenvdheuve/serialization

[](#jeroenvdheuveserialization)

[jeroenvdheuve/serialization](https://github.com/jeroenvdheuvel/serialization) package provides `\jvdh\Serialization\Unserializer\unserialize` method that is also PHP-implemented `unserialize`, and doesn't deserialize object instance. So the method seems that POI-safe. The method can deserialize serialized PHP references, which cannot deserialized by this (xkerman/restricted-unserilize) package. By using PHP reference, we can create cyclic structure, but that makes migration to `json_decode` harder, since JSON doesn't support cyclic structure decode/encode.

Development
-----------

[](#development)

To generate code for PHP 5.2, run `composer run generate`. Generated code will be saved under `genereated/` directory.

LICENSE
-------

[](#license)

MIT License

###  Health Score

37

—

LowBetter than 81% of packages

Maintenance5

Infrequent updates — may be unmaintained

Popularity42

Moderate usage in the ecosystem

Community15

Small or concentrated contributor base

Maturity68

Established project with proven stability

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~54 days

Recently: every ~137 days

Total

20

Last Release

2518d ago

PHP version history (2 changes)1.0.0PHP &gt;=5.3

1.1.4PHP &gt;=5.2

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/789112?v=4)[xKerman](/maintainers/xKerman)[@xKerman](https://github.com/xKerman)

---

Top Contributors

[![xKerman](https://avatars.githubusercontent.com/u/789112?v=4)](https://github.com/xKerman "xKerman (304 commits)")

---

Tags

unserializedeserializePHP Object Injection

###  Code Quality

TestsPHPUnit

Code StylePHP\_CodeSniffer

### Embed Badge

![Health badge](/badges/xkerman-restricted-unserialize/health.svg)

```
[![Health](https://phpackages.com/badges/xkerman-restricted-unserialize/health.svg)](https://phpackages.com/packages/xkerman-restricted-unserialize)
```

###  Alternatives

[mews/purifier

Laravel 5/6/7/8/9/10 HtmlPurifier Package

2.0k18.7M142](/packages/mews-purifier)[paragonie/ecc

PHP Elliptic Curve Cryptography library

24820.0k37](/packages/paragonie-ecc)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
