PHPackages directory · Category: [Security](/categories/security) · Status: Active library

xkerman/restricted-unserialize
==============================

Provides a PHP Object Injection-safe `unserialize` function.

Latest release: 1.1.12 (6y ago) · License: MIT · Requires PHP >=5.2 · CI failing · [3 issues](https://github.com/xKerman/restricted-unserialize/issues) · [3 PRs](https://github.com/xKerman/restricted-unserialize/pulls)

Listed since Oct 9 · Last pushed 2y ago · 1 watcher

[Source](https://github.com/xKerman/restricted-unserialize) · [Packagist](https://packagist.org/packages/xkerman/restricted-unserialize) · [RSS](/packages/xkerman-restricted-unserialize/feed) · Branch master, synced 1mo ago

Dependencies: 5 · Versions: 23 · Used by: 1

restricted-unserialize
======================


This composer package provides an `unserialize` function that is safe against [PHP Object Injection (POI)](https://www.owasp.org/index.php/PHP_Object_Injection).

If your PHP application currently passes user input to the native `unserialize` function:

1. Prefer not to use this package at all: switch the data format to JSON and use `json_decode`, which never instantiates application classes and so cannot be used for PHP Object Injection.
2. If you must stay compatible with data that is already serialized, use this package's `unserialize` as an interim measure and plan the move to `json_decode` for the near future.

Why POI-safe?
-------------


The `unserialize` function in this package deserializes only booleans, integers, floating-point numbers, strings, and arrays; it never deserializes an object instance. Because no class is ever instantiated, an attacker cannot create an object whose magic methods (such as `__destruct` or `__toString`) would form a POP chain, so any attempt to exploit a POP chain simply fails. (The upstream README links to a detailed explanation of POP chains.)
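To make that mechanism concrete, here is an added example that is not the package's own code: a stripped-down PHP-implemented parser for PHP's serialization format that accepts only the value types listed above and throws on the object and reference tokens, run against a constructed gadget class and a constructed payload. The names `RestrictedUnserializer`, `RestrictedUnserializeFailed` and `LogCleaner` are hypothetical. One caveat the README does not mention: on PHP 7.0 and later, the native `unserialize($data, ['allowed_classes' => false])` also refuses to instantiate classes (such objects come back as `__PHP_Incomplete_Class`) but still honours references; this package targets PHP >= 5.2, where that option does not exist.

```php
<?php
// Added illustration, not code from xkerman/restricted-unserialize: a minimal PHP-implemented
// parser for PHP's serialization format that accepts only null, bool, int, float, string and
// array, and refuses the tokens that make unserialize() exploitable: O: and C: (objects),
// r: and R: (references). Class, exception and gadget names here are hypothetical.

final class RestrictedUnserializeFailed extends RuntimeException {}

final class RestrictedUnserializer
{
    private $s;
    private $pos = 0;

    // Parse $serialized or throw RestrictedUnserializeFailed; never looks up or instantiates a class.
    public static function parse($serialized)
    {
        $p = new self();
        $p->s = (string) $serialized;
        $value = $p->readValue();
        if ($p->pos !== strlen($p->s)) $p->fail('trailing bytes after value');
        return $value;
    }

    private function readValue()
    {
        $type = $this->take(1);
        switch ($type) {
            case 'N': $this->expect(';'); return null;
            case 'b': $v = $this->scalar(); if ($v !== '0' && $v !== '1') $this->fail("bad bool '$v'"); return $v === '1';
            case 'i': $v = $this->scalar(); if (!preg_match('/^-?[0-9]+$/', $v)) $this->fail("bad int '$v'"); return (int) $v;
            case 'd': $v = $this->scalar(); if (!is_numeric($v)) $this->fail("bad float '$v'"); return (float) $v;
            case 's':   // s:<byte length>:"<bytes>";
                $len = $this->count(); $this->expect('"');
                $str = $this->take($len); $this->expect('"'); $this->expect(';');
                return $str;
            case 'a':   // a:<count>:{<key><value>...}  keys arrive as i:..; or s:..:"..";
                $n = $this->count(); $this->expect('{'); $out = array();
                for ($i = 0; $i < $n; $i++) {
                    $key = $this->readValue();
                    if (!is_int($key) && !is_string($key)) $this->fail('array key must be int or string');
                    $out[$key] = $this->readValue();
                }
                $this->expect('}');
                return $out;
            case 'O': case 'C': case 'r': case 'R':
                // The whole point: no class name is ever read or instantiated, so
                // __wakeup/__destruct/__toString gadgets can never run.
                $this->fail("refusing token '$type': objects and references are not allowed");
            default:
                $this->fail("unknown token '$type'");
        }
    }

    // Body of b:/i:/d: tokens: the bytes between ':' and ';'.
    private function scalar() { $this->expect(':'); return $this->readUntil(';'); }
    // Length prefix of s:/a: tokens: ':' digits ':'.
    private function count()
    {
        $this->expect(':'); $n = $this->readUntil(':');
        if (!preg_match('/^[0-9]+$/', $n)) $this->fail("bad length '$n'");
        return (int) $n;
    }
    private function take($n)
    {
        if ($this->pos + $n > strlen($this->s)) $this->fail('unexpected end of input');
        $chunk = $n === 0 ? '' : substr($this->s, $this->pos, $n);
        $this->pos += $n;
        return $chunk;
    }
    private function expect($c) { if ($this->take(1) !== $c) $this->fail("expected '$c' at byte " . ($this->pos - 1)); }
    private function readUntil($c)
    {
        $end = strpos($this->s, $c, $this->pos);
        if ($end === false) $this->fail("missing '$c'");
        $chunk = substr($this->s, $this->pos, $end - $this->pos); $this->pos = $end + 1;
        return $chunk;
    }
    private function fail($msg) { throw new RestrictedUnserializeFailed($msg); }
}

// Constructed gadget class: __destruct does what an attacker wants (it only prints here).
class LogCleaner
{
    public $path;
    public function __destruct() { echo "LogCleaner would unlink {$this->path}\n"; }
}
// Constructed attacker payload: what serialize() emits for a LogCleaner whose $path the attacker chose.
$payload = 'O:10:"LogCleaner":1:{s:4:"path";s:11:"/etc/passwd";}';
unserialize($payload);   // native: instantiates LogCleaner; __destruct fires when it is released

try {
    RestrictedUnserializer::parse($payload);   // refuses the O: token before any class lookup
} catch (RestrictedUnserializeFailed $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

$data = array('id' => 7, 'tags' => array('a', 'b'), 'ok' => true, 'note' => null);
var_dump(RestrictedUnserializer::parse(serialize($data)) === $data);
```

The parser reads the type byte before it reads anything else, so an `O:` payload is rejected before the class name is even consumed; the native call on the line above it shows the opposite behaviour, with the gadget firing as soon as the returned object is discarded.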

Installation
------------


```
$ composer require xkerman/restricted-unserialize

```

How to use
----------


If your PHP version is 5.6 or later (the `use function` import below needs PHP 5.6):

```
require 'path/to/vendor/autoload.php';

use function xKerman\Restricted\unserialize;
use xKerman\Restricted\UnserializeFailedException;

try {
    var_dump(unserialize($data));
} catch (UnserializeFailedException $e) {
    echo 'failed to unserialize';
}

```

If your PHP version is >= 5.3 and <= 5.5:

```
require 'path/to/vendor/autoload.php';

use xKerman\Restricted;
use xKerman\Restricted\UnserializeFailedException;

try {
    var_dump(Restricted\unserialize($data));
} catch (UnserializeFailedException $e) {
    echo 'failed to unserialize';
}

```

If your PHP version is 5.2:

```
require_once 'path/to/generated/src/xKerman/Restricted/bootstrap.php';

try {
    var_dump(xKerman_Restricted_unserialize($data));
} catch (xKerman_Restricted_UnserializeFailedException $e) {
    echo 'failed to unserialize';
}

```

Related other packages
----------------------


### mikegarde/unserialize-fix


The [mikegarde/unserialize-fix](https://github.com/MikeGarde/unserialize-fix) package provides the `\unserialize\fix` function, which tries the native `unserialize` first, so it is not POI-safe.

### academe/serializeparser


The [academe/serializeparser](https://github.com/academe/SerializeParser) package provides the `\Academe\SerializeParser\Parser::parse` method, a PHP-implemented `unserialize` that does not deserialize object instances. The method therefore appears to be POI-safe, but it has no tests.

### jeroenvdheuve/serialization


The [jeroenvdheuve/serialization](https://github.com/jeroenvdheuvel/serialization) package provides the `\jvdh\Serialization\Unserializer\unserialize` method, which is also a PHP-implemented `unserialize` and does not deserialize object instances, so it appears to be POI-safe. Unlike this package (xkerman/restricted-unserialize), it can deserialize serialized PHP references. References allow cyclic structures, but they make migration to `json_decode` harder, since JSON cannot encode or decode cyclic structures.

Development
-----------


To generate the PHP 5.2 version of the code, run `composer run generate`. The generated code is saved under the `generated/` directory.

LICENSE
-------


MIT License

### Health Score

36 (Low; better than 82% of packages)

- Maintenance 5: infrequent updates, may be unmaintained
- Popularity 41: moderate usage in the ecosystem
- Community 13: small or concentrated contributor base
- Maturity 68: established project with proven stability
- Bus factor 1: top contributor holds 100% of commits (single point of failure)

How is this calculated?

- **Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~54 days (recently every ~137 days)
- Total releases: 20
- Last release: 2473d ago
- PHP version history (2 changes): 1.0.0 required PHP >=5.3; 1.1.4 lowered the requirement to PHP >=5.2

### Community

Maintainer: [xKerman](/maintainers/xKerman) ([GitHub profile](https://github.com/xKerman), 304 commits, sole contributor)

Tags: unserialize, deserialize, PHP Object Injection

### Code Quality

Tests: PHPUnit · Code style: PHP_CodeSniffer


