38

I was wondering if anyone could point me to a resource where the details of a serialized php string is documented. I would basically like to know the format/structure so I can write a function in VB.NET to serialize/deserialize it back.

Thanks!

urbanspr1nter
  • 1,347
  • 2
  • 16
  • 25
  • 8
    Use JSON instead (`echo json_encode($arr);`). The PHP native serializer is weird, in my opinion, and JSON is heavily supported and easier to work with. [VB JSON parser class.](http://www.ediy.co.nz/vbjson-json-parser-library-in-vb6-xidc55680.html) – Jared Farrish Jan 12 '13 at 21:05
  • 8
    @JaredF An unhelpful comment as the questioner doesn't specify a use-case that indicates a change in format would be possible or even desirable. JSON is wholly orthogonal to the question being asked. In addition, there are many use-cases for which JSON is an inappropriate serialisation format, e.g. if there is recursion or if the ordering of array keys matters. JSON should not be considered a default go-to format without understanding these restrictions. – HappyDog Jun 15 '17 at 14:07

2 Answers2

74

The basic structure is as follows:

Scalar types:

  1. Booleans are serialized as: 

    b:<i>;

    where <i> is an integer with a value of either 0 (false) or 1 (true).

  2. Integers are serialized as:

    i:<i>;

    where <i> is the integer value.

  3. Floats are serialized as (with d meaning double):

    d:<f>;

    where <f> is the float value.

  4. Strings are serialized as:

    s:<i>:"<s>";

    where <i> is an integer representing the string length of <s>, and <s> is the string value.

Special types:

  1. null is simply serialized as:

    N;

Compound types:

  1. Arrays are serialized as:

    a:<i>:{<elements>}

    where <i> is an integer representing the number of elements in the array, and <elements> zero or more serialized key value pairs:

    <key><value>

    where <key> represents a serialized scalar type, and <value> any value that is serializable.

  2. Objects are serialized as:

    O:<i>:"<s>":<i>:{<properties>}

    where the first <i> is an integer representing the string length of <s>, and <s> is the fully qualified class name (class name prepended with full namespace). The second <i> is an integer representing the number of object properties. <properties> are zero or more serialized name value pairs:

    <name><value>

    where <name> is a serialized string representing the property name, and <value> any value that is serializable.

    There's a catch with <name> though:

    <name> is represented as

    s:<i>:"<s>";

    where <i> is an integer representing the string length of <s>. But the values of <s> differs per visibility of properties:

    a. With public properties <s> is the simple name of the property.

    b. With protected properties, however, <s> is the simple name of the property, prepended with \0*\0 — an asterix, enclosed in two NUL characters (i.e. chr(0)).

    c. And with private properties, <s> is the simple name of the property, prepended with \0<s>\0<s>, enclosed in two NUL characters, where <s> is the fully qualified class name.

There are a few other cases, such as R:<i>;, that represents references, that I haven't mentioned here (because I honestly haven't figured out the exact workings of it yet), but this should give you a decent idea about PHP's serializing mechanism.

Decent Dabbler
  • 22,532
  • 8
  • 74
  • 106
  • Nice info about the _public_ and _protected_ properties names! I couldn't find it in the PHP serialize documentation. – Leopoldo Sanczyk Jan 09 '17 at 22:34
  • @Danogentili Thank you for the suggested edit. Looks good. However before approving it, could you perhaps provide a test case for the uppercase R scenario? I haven't been able to reproduce that in PHP 5.5.9. Is this PHP 5.6 or PHP 7 behavior, perhaps? Thank you in advance. – Decent Dabbler Apr 19 '17 at 11:45
  • I can reproduce this even on PHP 4.4.9: http://sandbox.onlinephpfunctions.com/code/cdb72b06c99e525b2bf4627ced0a0973bc3c3191 – Danogentili Apr 30 '17 at 11:52
  • Missing information: how some special characters in strings are escaped (and in particular double quotes). – dolmen Nov 29 '17 at 21:42
13

I've found this page at phpinternalsbook quite complete. It also shows the alternative serialization format for classes implementing Serializable interface, as well as the meaning of R format specifier.

superjos
  • 12,189
  • 6
  • 89
  • 134