unserialize() max_depth Option

unserialize() has now an option to limit the depth of nesting in the decoded structure. When that limit is reached, serialize() emits a warning, and stops processing the string. This is a security option, that prevents deep nested structure to be created and consume a lot of memory and processing power.

PHP code

<?php

$a = [[[[]]]];

$b = serialize($a);

print_r(unserialize($b, ['max_depth' => 2]));

Before

Array
(
    [0] => Array
        (
            [0] => Array
                (
                    [0] => Array
                        (
                        )

                )

        )

)

After

PHP Warning:  unserialize(): Maximum depth of 2 exceeded. The depth limit can be changed using the max_depth unserialize() option or the unserialize_max_depth ini setting in /codes/unserialize_max_depth.php on line 7

Warning: unserialize(): Maximum depth of 2 exceeded. The depth limit can be changed using the max_depth unserialize() option or the unserialize_max_depth ini setting in /codes/unserialize_max_depth.php on line 7
PHP Warning:  unserialize(): Error at offset 23 of 36 bytes in /codes/unserialize_max_depth.php on line 7

Warning: unserialize(): Error at offset 23 of 36 bytes in /codes/unserialize_max_depth.php on line 7

PHP version change

This behavior changed in 7.4

See Also