Skip to content
/ json-serializer Public

Serialize PHP variables, including objects, in JSON format. Support to unserialize it too.

tech.zumba.com/2014/01/06/json-serializer/

License

MIT license
124 stars 24 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

zumba/json-serializer

BranchesTags

Repository files navigation

Json Serializer for PHP

Software License Build Status Total Downloads Latest Stable Version

This is a library to serialize PHP variables in JSON format. It is similar of the serialize() function in PHP, but the output is a string JSON encoded. You can also unserialize the JSON generated by this tool and have you PHP content back.

Supported features:

  • Encode/Decode of scalar, null, array
  • Encode/Decode of objects
  • Encode/Decode of binary data
  • Support nested serialization
  • Support not declared properties on the original class definition (ie, properties in stdClass)
  • Support object recursion
  • Closures (via 3rd party library. See details below)

Unsupported serialization content:

  • Resource (ie, fopen() response)
  • NAN, INF constants

Limitations:

This project should not be confused with JsonSerializable interface added on PHP 5.4. This interface is used on json_encode to encode the objects. There is no unserialization with this interface, differently from this project.

Json Serializer requires PHP >= 7.2 and tested until PHP 8.4

Security: do not unserialize untrusted input

Warning Never pass untrusted data (user input, third-party API responses, cookies, etc.) to unserialize() without first restricting which classes may be instantiated.

The JSON format used by this library embeds a @type key that names the PHP class to restore. Without restrictions an attacker who controls the JSON payload can cause any class available in the autoloader to be instantiated, including classes whose __wakeup() or __destruct() methods execute dangerous operations (remote code execution, file deletion, etc.).

Use setAllowedClasses() to declare the exact set of classes your application expects to deserialize:

$serializer = new Zumba\JsonSerializer\JsonSerializer();
$serializer->setAllowedClasses([
    MyApp\Model\User::class,
    MyApp\Model\Order::class,
]);

// Safe: User and Order are allowed.
$obj = $serializer->unserialize($jsonFromDatabase);

// Throws JsonSerializerException: SomeOtherClass is not in the allowlist.
$obj = $serializer->unserialize($attackerControlledJson);

setAllowedClasses() accepts:

Value Behaviour
null (default) No restriction — any known class can be instantiated. Keep this only for fully trusted, internally-generated JSON.
[] (empty array) All class instantiation is blocked.
['Foo', 'Bar'] Only Foo and Bar (exact class names) may be instantiated.

Classes registered via the custom object serializer map are always allowed regardless of this setting, because they are explicitly configured by the developer.

Example

class MyCustomClass {
	public $isItAwesome = true;
	protected $nice = 'very!';
}

$instance = new MyCustomClass();

$serializer = new Zumba\JsonSerializer\JsonSerializer();
$json = $serializer->serialize($instance);
// $json will contain the content {"@type":"MyCustomClass","isItAwesome":true,"nice":"very!"}

$serializer->setAllowedClasses([MyCustomClass::class]);
$restoredInstance = $serializer->unserialize($json);
// $restoredInstance will be an instance of MyCustomClass

How to Install

If you are using composer, install the package zumba/json-serializer.

$ composer require zumba/json-serializer

Or add the zumba/json-serializer directly in your composer.json file.

If you are not using composer, you can just copy the files from src folder in your project.

Serializing Binary Strings

Binary strings introduce two special identifiers in the final json: @utf8encoded and @scalar. @utf8encoded is an array of keys from the original data which have their value (or the keys themselves) encoded from 8bit to UTF-8. This is how the serializer knows what to encode back from UTF-8 to 8bit when deserializing. Example:

$data = ['key' => '<binaryvalue>', 'anotherkey' => 'nonbinaryvalue'];
$serializer = new Zumba\JsonSerializer\JsonSerializer();
$json = $serializer->serialize($data);
// $json will contain the content {"key":"<utf8encodedbinaryvalue>","anotherkey":"nonbinaryvalue","@utf8encoded":{"key":1}}

@scalar is used only when the value to be encoded is not an array or an object but a binary string. Example:

$data = '<binaryvalue>';
$serializer = new Zumba\JsonSerializer\JsonSerializer();
$json = $serializer->serialize($data);
// $json will contain the content {"@scalar":"<utf8encodedbinaryvalue>","@utf8encoded":1}

Serializing Closure

For serializing PHP closures you can either use OpisClosure (preferred) or SuperClosure (the project is abandoned, so kept here for backward compatibility).

Closure serialization has some limitations. Please check the OpisClosure or SuperClosure project to check if it fits your needs.

To use the OpisClosure with JsonSerializer, just add it to the closure serializer list. Example:

$toBeSerialized = [
	'data' => [1, 2, 3],
	'worker' => function ($data) {
		$double = [];
		foreach ($data as $i => $number) {
			$double[$i] = $number * 2;
		}
		return $double;
	}
];

$jsonSerializer = new \Zumba\JsonSerializer\JsonSerializer();
$jsonSerializer->addClosureSerializer(new \Zumba\JsonSerializer\ClosureSerializer\OpisClosureSerializer());
$serialized = $jsonSerializer->serialize($toBeSerialized);

You can load multiple closure serializers in case you are migrating from SuperClosure to OpisClosure for example.

PS: JsonSerializer does not have a hard dependency of OpisClosure or SuperClosure. If you want to use both projects make sure you add both on your composer requirements and load them with addClosureSerializer() method.

Custom Serializers

Some classes may not be suited to be serialized and unserialized using the default reflection methods.

Custom serializers provide the ability to define serialize and unserialize methods for specific classes.

class MyType {
    public $field1;
    public $field2;
}

class MyTypeSerializer {
    public function serialize(MyType $obj) {
        return array('fields' => $obj->field1 . ' ' . $obj->field2);
    }

    public function unserialize($values) {
        list($field1, $field2) = explode(' ', $values['fields']);
        $obj = new MyType();
        $obj->field1 = $field1;
        $obj->field2 = $field2;
        return $obj;
    }
}

// map of "class name" => Custom serializer
$customObjectSerializers['MyType'] = new MyTypeSerializer();
$jsonSerializer = new Zumba\JsonSerializer\JsonSerializer(null, $customObjectSerializers);

$toBeSerialized = new MyType();
$toBeSerialized->field1 = 'x';
$toBeSerialized->field2 = 'y';
$json = $jsonSerializer->serialize($toBeSerialized);
// $json == {"@type":"Zumba\\\\JsonSerializer\\\\Test\\\\SupportClasses\\\\MyType","fields":"x y"}

$myType = $jsonSerializer->unserialize($json);
// $myType == $toBeSerialized

About

Serialize PHP variables, including objects, in JSON format. Support to unserialize it too.

tech.zumba.com/2014/01/06/json-serializer/

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

124 stars

Watchers

14 watching

Forks

24 forks
Report repository

Releases 13

3.2.3 Latest
Feb 19, 2026
+ 12 releases

Packages

No packages published

Used by 105

  • @MauricioFauth
  • @TavaoBR
  • @SDPM-lab
  • @TavaoBR
  • @kielmarj
  • @dreamdev123
  • @gordon81
+ 97

Contributors 11

Languages