Securing PHP Applications Against Insecure Deserialization Vulnerabilities

By Alessandro D.P.4 min readFebruary 18, 2026

Insecure deserialization occurs when untrusted data is used to create objects or data structures without proper validation. Attackers can exploit this flaw to manipulate serialized data, leading to unauthorized actions or system compromise. This tutorial will provide practical examples and best practices for securing your PHP applications against these vulnerabilities.

Understanding Serialization in PHP

Serialization in PHP is the process of converting an object into a storable format, typically a string. This is often used for data storage or transmission. The serialize() function converts an object to a string, while unserialize() reconstructs the object from the string.

Example of Serialization

class User {
    public $name;
    public $email;

    public function __construct($name, $email) {
        $this->name = $name;
        $this->email = $email;
    }
}

$user = new User("John Doe", "[email protected]");
$serializedUser = serialize($user);
echo $serializedUser; // Outputs serialized string

Example of Deserialization

$serializedUser = 'O:4:"User":2:{s:4:"name";s:8:"John Doe";s:5:"email";s:15:"[email protected]";}';
$user = unserialize($serializedUser);
echo $user->name; // Outputs: John Doe

Risks of Insecure Deserialization

When deserializing data from untrusted sources, an attacker can craft a malicious payload to manipulate the application’s behavior. This can lead to:

Code Execution: Executing arbitrary code on the server.
Data Manipulation: Changing application state or user data.
Denial of Service: Causing the application to crash or become unresponsive.

Example of an Insecure Deserialization Attack

$payload = 'O:4:"User":2:{s:4:"name";s:8:"attacker";s:5:"email";s:15:"[email protected]";}';
$user = unserialize($payload);

In this example, an attacker could modify the serialized string to create a User object with malicious data.

Best Practices to Secure Against Insecure Deserialization

1. Avoid Unserialize with Untrusted Data

The simplest and most effective way to prevent insecure deserialization is to avoid using unserialize() with untrusted data. Instead, consider using JSON or other safer serialization formats.

Example of Using JSON

// Encoding
$userData = ['name' => 'John Doe', 'email' => '[email protected]'];
$jsonData = json_encode($userData);

// Decoding
$userData = json_decode($jsonData, true);
echo $userData['name']; // Outputs: John Doe

2. Validate and Sanitize Input

If you must use unserialize(), ensure that the input is validated and sanitized. You can use a whitelist approach to allow only specific classes.

Example of Whitelisting Classes

$allowedClasses = ['User'];
$data = '...'; // Input data

$object = unserialize($data, ['allowed_classes' => $allowedClasses]);

3. Use Serialization Libraries

Consider using libraries that provide safer serialization methods, such as Symfony Serializer or Laravel Eloquent. These libraries often include built-in protections against insecure deserialization.

Example with Symfony Serializer

use Symfony\Component\Serializer\Serializer;
use Symfony\Component\Serializer\Encoder\JsonEncoder;
use Symfony\Component\Serializer\Normalizer\ObjectNormalizer;

$serializer = new Serializer([new ObjectNormalizer()], [new JsonEncoder()]);
$jsonData = $serializer->serialize($user, 'json');
$user = $serializer->deserialize($jsonData, User::class, 'json');

4. Implement Security Controls

Implement security measures such as:

Input Validation: Ensure that all input data conforms to expected formats.
Error Handling: Avoid revealing sensitive information in error messages.
Logging: Log deserialization attempts and monitor for anomalies.

Summary of Best Practices

Practice	Description
Avoid `unserialize()` with untrusted data	Use safer alternatives like JSON serialization.
Validate and sanitize input	Ensure input conforms to expected formats.
Use serialization libraries	Leverage libraries that provide safer serialization.
Implement security controls	Use input validation, error handling, and logging.

Conclusion

Insecure deserialization can lead to severe vulnerabilities in PHP applications. By following the best practices outlined in this tutorial, you can significantly reduce the risk of these vulnerabilities in your applications. Always prioritize secure coding practices and regularly review your code for potential security issues.

Learn more with useful resources: