PHP Unserializer
Decode PHP serialized strings, JSON, and Base64-encoded data. Runs entirely in your browser — nothing is sent to any server.
About the PHP Unserializer
PHP's serialize() function converts variables into a storable string representation. This is a common format in PHP applications — you'll encounter it in database rows, session files, cookies, cache stores, and log files. Manually reading a serialized string is tedious; this tool parses it instantly and displays the data in a clean, readable tree.
Supported input formats
- PHP serialize — The native PHP format: a:2:{i:0;s:5:"hello";i:1;b:1;}
- JSON — Standard JSON objects and arrays
- Base64 — Automatically detected and decoded before parsing, handling the common pattern of Base64-encoded PHP or JSON strings
PHP serialization format reference
- s:N:"value"; — String of length N
- i:N; — Integer
- d:N; — Float (double)
- b:0; / b:1; — Boolean false / true
- N; — Null
- a:N:{...} — Array with N elements
- O:N:"ClassName":M:{...} — Object of class ClassName with M properties
Privacy
All parsing runs locally in your browser using JavaScript. No data is transmitted to any server — safe to use with production database dumps, session data, or any sensitive content.
PHP serialization and security
PHP's serialize() function produces a string representation of PHP data structures. Unserializing untrusted data is a critical security vulnerability — PHP's unserialize() can trigger destructors and magic methods (__wakeup, __destruct) during deserialization, making it a common vector for remote code execution. Never unserialize data from untrusted sources; use JSON instead for data interchange.
- serialize() output — s:5:"hello" (string), i:42 (integer), a:2:{...} (array)
- Security risk — unserializing untrusted data can execute arbitrary code via PHP object injection
- Alternatives — JSON is safer and more portable for data interchange; use it for all new code
- Legitimate uses — reading legacy session data, cache files, or database fields stored by older PHP applications
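The format reference above, implemented as a parser (an added example, not this tool's own code): it decodes serialized text into plain JavaScript data without instantiating anything, and returns the class names found in O: entries so stored data can be checked for unexpected objects. The name parsePhpSerialized and the { value, classes } result shape are assumptions made for this example; string lengths are treated as UTF-8 byte counts.

```javascript
// Added example (hypothetical helper): decodes PHP serialize() text into plain data.
function parsePhpSerialized(input) {
  const buf = new TextEncoder().encode(input);  // N in s:N:"..." counts bytes, not characters
  const dec = new TextDecoder(), classes = [];  // classes: names seen in O: entries
  let pos = 0;
  const fail = (msg) => { throw new SyntaxError(`${msg} at byte ${pos}`); };
  const expect = (ch) => { if (buf[pos] !== ch.charCodeAt(0)) fail(`expected ${ch}`); pos++; };
  const readUntil = (ch) => {
    const start = pos, end = buf.indexOf(ch.charCodeAt(0), pos);
    if (end < 0) fail(`missing ${ch}`);
    pos = end + 1;
    return dec.decode(buf.subarray(start, end));
  };
  const readCount = (text = readUntil(":")) =>
    /^\d+$/.test(text) ? Number(text) : fail("bad length");
  const readQuoted = () => {           // N:"<N bytes>"
    const len = readCount();
    expect('"');
    const text = dec.decode(buf.subarray(pos, pos + len));
    pos += len;                        // an overlong N makes the next expect() fail
    expect('"');
    return text;
  };
  const readEntries = () => {          // N:{key value key value ...}
    const count = readCount();
    expect("{");
    const out = Object.create(null);   // a "__proto__" key stays an ordinary key
    for (let i = 0; i < count; i++) { const key = readValue(); out[key] = readValue(); }
    expect("}");
    return out;
  };
  function readValue() {
    const type = String.fromCharCode(buf[pos++]);
    if (type === "N") { expect(";"); return null; }
    expect(":");
    if (type === "i" || type === "d") return Number(readUntil(";"));
    if (type === "b") return readUntil(";") === "1";
    if (type === "s") { const s = readQuoted(); expect(";"); return s; }
    if (type === "a") return readEntries();
    if (type !== "O") fail(`unsupported type ${type}`);
    const name = readQuoted(); expect(":");
    classes.push(name);                // recorded only; no constructor or magic method runs
    return { class: name, props: readEntries() };
  }
  const value = readValue();
  if (pos !== buf.length) fail("trailing data");
  return { value, classes };
}
```

A non-empty classes list on data that should only hold scalars and arrays is the signal to investigate before that data reaches a real unserialize() call.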