Comments on: PHP Serialize, What’s it Do? What’s it For?

By: Jules Manson

Jules Manson — Wed, 25 Aug 2010 05:58:24 +0000

Thank y0u anyway and i figured it out myself. I loved your article and I now know what serialize is for. By the way the reason I am now responding is because once in a while I will google my name and survey past comments I have made at other sites. Its kind of neat to see one’s own web history.

By: Terri Ann

Terri Ann — Thu, 03 Jun 2010 20:23:32 +0000

To be honest Jules you kind of lost me there. But even if you didn’t lose me on it I don’t think I have the answer to that question.

By: Jules Manson

Jules Manson — Sun, 23 May 2010 17:51:48 +0000

Please bare with me. This will only take one minute.

I created my own PHP template parser whereby my site uses one HTML template sprinkled with {TAGNAME} where tagname is actually different tag names that the parser will replace with functions or strings that I supply elsewhere or substitute data from MySQL database. This keeps my PHP completely separated from the HTML. All parser tags are also associated array elements. For example on my HTML template I have a tag {CRUMBS}. In a controller class I define this $tags['CRUMBS'] = "[php] return Breadcrumbs::inst();"; the inst() function simply instantiates my Breadcrumbs class. The "[php]" tells my template parser class to use the eval() function in order to treat the string as a PHP function. The end product of the function is to create a string that browsers recognize as several links of places visited on my site. My question is this: Could I have simply serialized the function instead of using eval()?

I hope I didn't lose you.

By: danilo di moia

danilo di moia — Thu, 08 Apr 2010 09:08:59 +0000

thanks for very clear explanation :)

By: Enigma415

Enigma415 — Wed, 10 Mar 2010 07:18:00 +0000

I may add: if you wish to use these functions with client data ($GET & $POST, etc), preg_replace('/[^a-zA-Z0-9]', '', $clientdata). That -should- make the sent string(s) safe for programmical use. Use that before you serialize() the data.

By: dreftymac

dreftymac — Tue, 23 Feb 2010 01:31:24 +0000

another alternative is to use base64 encoding to encode/decode the serialized data if you are worried about messing up your database values or transmitting the serialized data over the wire. disgustsuncoverakin_umbriel

By: Marc

Marc — Sun, 21 Feb 2010 20:45:42 +0000

well explained !

here is a tool I often use in my job… to decode quickly serialized data… Indeed, serialised datas are good for system, but uneasy for us to read..

http://unserialize.net

Thanks again !

By: Mark Shercliff

Mark Shercliff — Wed, 03 Feb 2010 11:23:04 +0000

Best explanation I’ve read – thank you!

By: sickbro

sickbro — Thu, 05 Nov 2009 13:44:50 +0000

Mate, this was just the information I was after. Thanks very much for your time writing this.

As a side note, unserialize() should NEVER be used on user input, as the security implications can be very serious. See SyScan / Blackhat USA 2009 and "Month of PHP Bugs"

Wow... I'm writing back to a 1 year old blog post lol

By: Anders

Anders — Tue, 07 Jul 2009 20:45:13 +0000

Thanks for explaining this.