This is a library to serialize PHP variables in JSON format. It is similar to the serialize() function in PHP,
but the output is a JSON-encoded string. You can also unserialize the JSON generated by this tool and get your
PHP content back.
Supported features:
- Encode/Decode of scalar, null, array
- Encode/Decode of objects
- Encode/Decode of binary data
- Support nested serialization
- Support properties not declared on the original class definition (ie, properties in stdClass)
- Support object recursion
- Closures (via 3rd party library. See details below)
Unsupported serialization content:
- Resource (ie, fopen() response)
- NAN, INF constants
Limitations:
- Binary data containing null bytes (\u0000) as array keys cannot be properly decoded because of a bug in the json extension.
This project should not be confused with the JsonSerializable interface added in PHP 5.4. That interface is used by
json_encode to encode objects; unlike this project, it offers no unserialization.
Json Serializer requires PHP >= 7.2 and is tested up to PHP 8.4.
**Warning:** Never pass untrusted data (user input, third-party API responses, cookies, etc.) to
`unserialize()` without first restricting which classes may be instantiated.

The JSON format used by this library embeds a `@type` key that names the PHP class
to restore. Without restrictions, an attacker who controls the JSON payload can
cause any class available to the autoloader to be instantiated, including
classes whose `__wakeup()` or `__destruct()` methods execute dangerous operations
(remote code execution, file deletion, etc.).

Use `setAllowedClasses()` to declare the exact set of classes your application
expects to deserialize:
```php
$serializer = new Zumba\JsonSerializer\JsonSerializer();
$serializer->setAllowedClasses([
    MyApp\Model\User::class,
    MyApp\Model\Order::class,
]);

// Safe: User and Order are allowed.
$obj = $serializer->unserialize($jsonFromDatabase);

// Throws JsonSerializerException: SomeOtherClass is not in the allowlist.
$obj = $serializer->unserialize($attackerControlledJson);
```

`setAllowedClasses()` accepts:
| Value | Behaviour |
|---|---|
| `null` (default) | No restriction: any known class can be instantiated. Keep this only for fully trusted, internally-generated JSON. |
| `[]` (empty array) | All class instantiation is blocked. |
| `['Foo', 'Bar']` | Only `Foo` and `Bar` (exact class names) may be instantiated. |
Classes registered via the custom object serializer map are always allowed regardless of this setting, because they are explicitly configured by the developer.
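The following is an added example (not code from the zumba/json-serializer README) of a deny-by-default loader built on `setAllowedClasses()`: the caller names the exact classes it expects, an empty list restores scalars and arrays only, and a rejected payload becomes a logged `null` rather than an object. It assumes a Composer autoloader and that the exception mentioned above lives at `Zumba\JsonSerializer\Exception\JsonSerializerException`; the `Note` and `ReportMailer` classes and the JSON payloads are constructed for the example.

```php
<?php
// Added example: deny-by-default restore helper around setAllowedClasses().
// Assumed (not shown on the page): the exception class path below and a
// Composer autoloader at vendor/autoload.php.
require __DIR__ . '/vendor/autoload.php';

use Zumba\JsonSerializer\JsonSerializer;
use Zumba\JsonSerializer\Exception\JsonSerializerException;

// Two classes constructed for the example: the application stores Note objects
// and never expects ReportMailer to appear in serialized data.
class Note
{
    public $text = '';
}

class ReportMailer
{
    public $recipient = '';
}

/**
 * Restore JSON that may have crossed a trust boundary. Only the classes listed
 * in $allowed may be instantiated; [] means "scalars and arrays only". A
 * rejected payload is logged and yields null instead of throwing.
 */
function restoreUntrusted(string $json, array $allowed)
{
    $serializer = new JsonSerializer();
    $serializer->setAllowedClasses($allowed);
    try {
        return $serializer->unserialize($json);
    } catch (JsonSerializerException $e) {
        error_log('rejected serialized payload: ' . $e->getMessage());
        return null;
    }
}

// Constructed payloads. The second names a class that is never on the allowlist,
// so it is refused before any instance is created.
$expected = '{"@type":"Note","text":"hello"}';
$unexpected = '{"@type":"ReportMailer","recipient":"someone"}';

if (!(restoreUntrusted($expected, [Note::class]) instanceof Note)) {
    throw new RuntimeException('allowed class should have been restored');
}
if (restoreUntrusted($unexpected, [Note::class]) !== null) {
    throw new RuntimeException('class outside the allowlist must be rejected');
}
// With an empty allowlist no class can be instantiated, but plain data still loads.
if (restoreUntrusted('{"ids":[1,2,3]}', []) !== ['ids' => [1, 2, 3]]) {
    throw new RuntimeException('plain arrays should not be affected by the allowlist');
}
echo "allowlist checks passed\n";
```

The helper creates a fresh `JsonSerializer` per call so that the allowlist can never be widened by a previous caller; the catch block logs the library's message, which names the refused class, so rejected payloads show up in monitoring.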
```php
class MyCustomClass {
    public $isItAwesome = true;
    protected $nice = 'very!';
}

$instance = new MyCustomClass();
$serializer = new Zumba\JsonSerializer\JsonSerializer();
$json = $serializer->serialize($instance);
// $json will contain the content {"@type":"MyCustomClass","isItAwesome":true,"nice":"very!"}

$serializer->setAllowedClasses([MyCustomClass::class]);
$restoredInstance = $serializer->unserialize($json);
// $restoredInstance will be an instance of MyCustomClass
```

If you are using composer, install the package zumba/json-serializer.
```sh
$ composer require zumba/json-serializer
```
Or add the zumba/json-serializer directly in your composer.json file.
If you are not using composer, you can just copy the files from src folder in your project.
Binary strings introduce two special identifiers in the final json: @utf8encoded and @scalar.
@utf8encoded is an array of keys from the original data which have their value (or the keys themselves)
encoded from 8bit to UTF-8. This is how the serializer knows what to encode back from UTF-8 to 8bit when deserializing.
Example:
```php
$data = ['key' => '<binaryvalue>', 'anotherkey' => 'nonbinaryvalue'];
$serializer = new Zumba\JsonSerializer\JsonSerializer();
$json = $serializer->serialize($data);
// $json will contain the content {"key":"<utf8encodedbinaryvalue>","anotherkey":"nonbinaryvalue","@utf8encoded":{"key":1}}
```

@scalar is used only when the value to be encoded is not an array or an object but a binary string. Example:
```php
$data = '<binaryvalue>';
$serializer = new Zumba\JsonSerializer\JsonSerializer();
$json = $serializer->serialize($data);
// $json will contain the content {"@scalar":"<utf8encodedbinaryvalue>","@utf8encoded":1}
```

For serializing PHP closures you can either use OpisClosure (preferred) or SuperClosure (that project is abandoned, so it is kept here for backward compatibility).
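Before turning to closures, here is an added round-trip example for both binary markers described above (`@utf8encoded` for array keys and `@scalar` for a bare string); it is not code from the project's README. It assumes a Composer autoloader and the mbstring extension, and the four-byte value is constructed so that it is not valid UTF-8 and contains a null byte.

```php
<?php
// Added example: inspect the wire format for binary data and verify the
// bytes survive a round trip. Assumed: Composer autoloader, mbstring.
require __DIR__ . '/vendor/autoload.php';

use Zumba\JsonSerializer\JsonSerializer;

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

// Constructed sample: 0xFF and a lone 0x80 make this invalid UTF-8, and the
// leading null byte is the kind of content a raw digest or cipher block carries.
$binary = "\x00\xff\x80\x01";
$data = ['digest' => $binary, 'label' => 'plain text'];

$serializer = new JsonSerializer();
$json = $serializer->serialize($data);

// Wire format: @utf8encoded lists the keys whose values were re-encoded, and
// the re-encoded value is valid UTF-8 (which is why json_encode accepts it).
$wire = json_decode($json, true);
check(isset($wire['@utf8encoded']['digest']), 'digest is marked as re-encoded');
check(!isset($wire['@utf8encoded']['label']), 'plain text is not marked');
check(mb_check_encoding($wire['digest'], 'UTF-8'), 'wire value is valid UTF-8');
check($wire['digest'] !== $binary, 'wire value differs from the raw bytes');

// Round trip: the original bytes come back exactly, null byte included.
$back = $serializer->unserialize($json);
check($back['digest'] === $binary, 'binary value restored byte for byte');
check($back['label'] === 'plain text', 'text value restored unchanged');

// Scalar form: a bare binary string is wrapped under @scalar with @utf8encoded = 1.
$scalarJson = $serializer->serialize($binary);
$scalarWire = json_decode($scalarJson, true);
check(isset($scalarWire['@scalar']) && $scalarWire['@utf8encoded'] === 1, '@scalar wrapper present');
check($serializer->unserialize($scalarJson) === $binary, 'scalar binary restored');

echo "binary round trip OK\n";
```

The checks compare with `===` deliberately: a loose comparison would hide a value that came back as a different byte sequence of the same "text", which is exactly the failure the `@utf8encoded` marker exists to prevent.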
Closure serialization has some limitations. Please check the OpisClosure or SuperClosure project to see whether it fits your needs.
To use the OpisClosure with JsonSerializer, just add it to the closure serializer list. Example:
```php
$toBeSerialized = [
    'data' => [1, 2, 3],
    'worker' => function ($data) {
        $double = [];
        foreach ($data as $i => $number) {
            $double[$i] = $number * 2;
        }
        return $double;
    }
];

$jsonSerializer = new \Zumba\JsonSerializer\JsonSerializer();
$jsonSerializer->addClosureSerializer(new \Zumba\JsonSerializer\ClosureSerializer\OpisClosureSerializer());
$serialized = $jsonSerializer->serialize($toBeSerialized);
```

You can load multiple closure serializers, for example when you are migrating from SuperClosure to OpisClosure.

PS: JsonSerializer does not have a hard dependency on OpisClosure or SuperClosure. If you want to use both projects,
make sure you add both to your composer requirements and load them with the addClosureSerializer() method.
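The snippet above stops at `serialize()`; the following added example (not code from the project's README) completes the cycle by unserializing the payload and invoking the restored closure. It assumes a Composer autoloader with `opis/closure` installed alongside this library, and that the restored value is a `Closure` object. Because the closure's source code travels inside the JSON and is executed on restore, this only makes sense for JSON the application produced itself; an allowlist of classes does not make closure payloads from outside safe.

```php
<?php
// Added example: full serialize -> unserialize -> call cycle for a closure.
// Assumed: Composer autoloader, opis/closure present, restored worker is a Closure.
require __DIR__ . '/vendor/autoload.php';

use Zumba\JsonSerializer\JsonSerializer;
use Zumba\JsonSerializer\ClosureSerializer\OpisClosureSerializer;

// Job description constructed for the example: the data and the code that
// processes it, both produced by this application.
$job = [
    'input'  => [3, 5, 8],
    'worker' => function (array $numbers) {
        return array_sum($numbers);
    },
];

$serializer = new JsonSerializer();
$serializer->addClosureSerializer(new OpisClosureSerializer());

$json = $serializer->serialize($job);      // the closure body is embedded in the JSON
$restored = $serializer->unserialize($json);

if (!($restored['worker'] instanceof Closure)) {
    throw new RuntimeException('worker did not come back as a closure');
}
$result = $restored['worker']($restored['input']);
if ($result !== 16) {
    throw new RuntimeException('restored closure returned ' . var_export($result, true));
}
echo "restored closure computed the expected sum\n";
```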
Some classes may not be suited to be serialized and unserialized using the default reflection methods.
Custom serializers provide the ability to define serialize and unserialize methods for specific classes.
```php
class MyType {
    public $field1;
    public $field2;
}

class MyTypeSerializer {
    public function serialize(MyType $obj) {
        return array('fields' => $obj->field1 . ' ' . $obj->field2);
    }

    public function unserialize($values) {
        list($field1, $field2) = explode(' ', $values['fields']);
        $obj = new MyType();
        $obj->field1 = $field1;
        $obj->field2 = $field2;
        return $obj;
    }
}

// map of "class name" => Custom serializer
$customObjectSerializers = [];
$customObjectSerializers['MyType'] = new MyTypeSerializer();

$jsonSerializer = new Zumba\JsonSerializer\JsonSerializer(null, $customObjectSerializers);

$toBeSerialized = new MyType();
$toBeSerialized->field1 = 'x';
$toBeSerialized->field2 = 'y';
$json = $jsonSerializer->serialize($toBeSerialized);
// $json == {"@type":"MyType","fields":"x y"}
$myType = $jsonSerializer->unserialize($json);
// $myType == $toBeSerialized
```
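As an added example (not code from the project's README), the following ties the custom serializer mechanism above to the allowlist rule stated earlier: classes in the custom serializer map are restored even when `setAllowedClasses([])` blocks everything else. It also shows where input validation belongs in a custom `unserialize()`, since stored JSON can be edited between write and read. It assumes a Composer autoloader, the exception class `Zumba\JsonSerializer\Exception\JsonSerializerException`, and that the custom `unserialize()` receives the decoded array as in the README's own `MyTypeSerializer`; `Money`, `MoneySerializer` and `Unmapped` are constructed for the example.

```php
<?php
// Added example: custom serializer for a value object plus an empty allowlist.
// Assumed: Composer autoloader and the exception class path below.
require __DIR__ . '/vendor/autoload.php';

use Zumba\JsonSerializer\JsonSerializer;
use Zumba\JsonSerializer\Exception\JsonSerializerException;

// A value object whose state is private: reflection-based restore would bypass
// the constructor and its invariants, so it gets a custom serializer.
final class Money
{
    private $cents;
    private $currency;

    public function __construct(int $cents, string $currency)
    {
        $this->cents = $cents;
        $this->currency = $currency;
    }

    public function cents(): int { return $this->cents; }
    public function currency(): string { return $this->currency; }
}

final class MoneySerializer
{
    public function serialize(Money $money)
    {
        return ['amount' => $money->cents(), 'currency' => $money->currency()];
    }

    public function unserialize($values)
    {
        // Validate before constructing: the JSON may not be what this code wrote.
        $amount = $values['amount'] ?? null;
        $currency = $values['currency'] ?? '';
        if (!is_int($amount) || !preg_match('/^[A-Z]{3}$/', $currency)) {
            throw new InvalidArgumentException('malformed Money payload');
        }
        return new Money($amount, $currency);
    }
}

// A class that is neither mapped nor allowed (constructed for the example).
final class Unmapped
{
    public $x = 1;
}

$serializer = new JsonSerializer(null, [Money::class => new MoneySerializer()]);
$serializer->setAllowedClasses([]);   // block every class that is not explicitly mapped

// Mapped class: round-trips through the custom serializer despite the empty allowlist.
$json = $serializer->serialize(new Money(1250, 'EUR'));
$money = $serializer->unserialize($json);
if (!($money instanceof Money) || $money->cents() !== 1250 || $money->currency() !== 'EUR') {
    throw new RuntimeException('mapped class should restore through its custom serializer');
}

// Unmapped class: refused by the allowlist.
try {
    $serializer->unserialize('{"@type":"Unmapped","x":1}');
    throw new RuntimeException('unmapped class should have been rejected');
} catch (JsonSerializerException $e) {
    echo "blocked as expected: ", $e->getMessage(), "\n";
}

// Tampered payload for a mapped class: refused by the custom serializer's validation.
try {
    $serializer->unserialize('{"@type":"Money","amount":"12.50","currency":"eur"}');
    throw new RuntimeException('malformed Money payload should have been rejected');
} catch (InvalidArgumentException $e) {
    echo "rejected as expected: ", $e->getMessage(), "\n";
}
```

Keying the map with `Money::class` rather than a hand-written string keeps the entry in step with any later rename, and the empty allowlist means the set of restorable classes is exactly the set of keys in that map.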