unserialize() Checks The End Of The String

The format read by unserialize() is self-delimiting: every element carries its own length, so the serialized payload may end before the string that contains it does. Until PHP 8.3, unserialize() stopped as soon as it had read a complete value and silently ignored whatever remained of the string. Since PHP 8.3, the value is still returned but a warning reports the offset at which the extra data starts.

PHP code

<?php

print_r(unserialize('O:1:"a":1:{s:8:"property";s:3:"yes";}  '));

?>

Before

__PHP_Incomplete_Class Object
(
    [__PHP_Incomplete_Class_Name] => a
    [property] => yes
)

After

PHP Warning:  unserialize(): Extra data starting at offset 37 of 39 bytes

Warning: unserialize(): Extra data starting at offset 37 of 39 bytes
__PHP_Incomplete_Class Object
(
    [__PHP_Incomplete_Class_Name] => a
    [property] => yes
)
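As an added example (not code from the original page), a wrapper that treats the new warning as a hard failure rather than a log line: the error handler promotes it to an exception, and allowed_classes is set to false so an untrusted payload can never instantiate a class. The helper name unserialize_strict() is an assumption; on PHP older than 8.3 no warning exists, so the trailing bytes are still accepted silently there.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Requires PHP 8.0+ for 'mixed';
// the trailing-data rejection only takes effect on PHP 8.3+, where the
// "Extra data starting at offset ..." warning is raised.
function unserialize_strict(string $data): mixed
{
    set_error_handler(static function (int $errno, string $errstr): bool {
        // Every warning/notice raised inside unserialize() becomes an exception,
        // including the PHP 8.3 "Extra data" warning for trailing bytes.
        throw new ErrorException($errstr, 0, $errno);
    });
    try {
        $value = unserialize($data, ['allowed_classes' => false]);
    } finally {
        restore_error_handler();
    }
    if ($value === false && $data !== 'b:0;') {
        // unserialize() returns false both for a serialized false and on
        // failure; 'b:0;' is the only encoding of false, so anything else
        // that yields false is malformed.
        throw new UnexpectedValueException('Malformed serialized data');
    }
    return $value;
}

// Constructed inputs: the page's payload with its two trailing spaces,
// and the same payload without them.
$payloads = [
    'trailing' => 'O:1:"a":1:{s:8:"property";s:3:"yes";}  ',
    'clean'    => 'O:1:"a":1:{s:8:"property";s:3:"yes";}',
];
foreach ($payloads as $label => $payload) {
    try {
        // 'clean' yields a __PHP_Incomplete_Class (objects are refused);
        // 'trailing' throws on PHP 8.3+ and is accepted on older versions.
        print_r(unserialize_strict($payload));
    } catch (Throwable $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```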

PHP version change

This behavior changed in PHP 8.3.

See Also

Error Messages