Beyond JSON: Understanding PHP's Native String Serialization
Jul 25, 2025 05:58 PM

PHP's native serialization suits PHP-internal storage and transmission better than JSON because: 1. it keeps the exact PHP types (int, float, bool, null); 2. it preserves private and protected object properties; 3. it handles recursive references safely; 4. unserialize() rebuilds the original values and classes with no manual conversion; 5. it is often faster than JSON for PHP-native data. It should not be used across languages, and unserialize() must never be called on untrusted input, because a crafted payload can instantiate arbitrary objects and lead to remote code execution. Use it when the data stays inside PHP and needs high fidelity.
When working with data storage or transmission in PHP, developers often reach for JSON as the default format. It's human-readable, widely supported, and language-agnostic. But PHP has its own native serialization mechanism that's been around longer and offers unique advantages — especially when dealing with complex PHP-specific data types. Let's look beyond JSON and explore PHP's native string serialization.

What Is PHP's Native Serialization?
PHP's serialize() and unserialize() functions convert PHP variables, including arrays and objects, into a string and back. Resources cannot be serialized (they are written as the integer 0), and closures cannot be serialized at all without a wrapper library. Unlike JSON, which offers only strings, numbers, booleans, null, arrays and objects, PHP serialization preserves the exact PHP type, the class of every object, and the identity of shared or recursive values.
For example:

$data = [
    'name'    => 'Alice',
    'age'     => 30,
    'tags'    => ['developer', 'php'],
    'active'  => true,
    'balance' => 99.99,
];
$serialized = serialize($data);
echo $serialized;
Output:
a:5:{s:4:"name";s:5:"Alice";s:3:"age";i:30;s:4:"tags";a:2:{i:0;s:9:"developer";i:1;s:3:"php";}s:6:"active";b:1;s:7:"balance";d:99.99;}
This string encodes not just structure but types: strings (s), integers (i), booleans (b), doubles (d) and arrays (a), each with its byte length or element count. JSON has a single number type and no way to record the PHP class of an object, so some of this fidelity is lost: an integer-valued float such as 30.0 survives only if the encoder writes the decimal point, and every object decodes to a stdClass or an associative array rather than its original class.

Key Advantages Over JSON
- Preserves PHP Types: JSON has one number type and cannot reliably distinguish int from float; PHP serialization records i: and d: separately.
- Supports Private and Protected Object Properties: json_encode() emits only public properties (unless the class implements JsonSerializable); serialize() keeps every property, with its visibility encoded in the property name.
- Handles Recursion Safely: If an array or object references itself, serialize() writes a back-reference (R: or r:) instead of looping, while json_encode() returns false with JSON_ERROR_RECURSION.
- No Manual Reconstruction on Decode: json_decode() hands you stdClass objects or plain arrays, so any object has to be rebuilt by hand; unserialize() restores the original class and property values, provided the class is loaded or autoloadable.
Example of recursion:
$arr = [1, 2];
$arr[] = &$arr; // self-reference
echo serialize($arr);
// Output: a:3:{i:0;i:1;i:1;i:2;i:2;a:3:{i:0;i:1;i:1;i:2;i:2;R:4;}}
The R:4 means "a PHP reference to the value that was written as slot 4". Slots are numbered from 1 over every value in the string, so slot 1 is the outer array and slot 4 is its third element, the reference itself; the second time that reference is met, PHP emits the back-reference instead of descending again. The lowercase r: plays the same role for a second occurrence of the same object. JSON has no way to represent either: json_encode($arr) returns false and json_last_error() reports JSON_ERROR_RECURSION.
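The fidelity claims above, shown end to end on one object. This is an added example, not code from the original article; the Account class and its property names are invented for illustration, and it needs PHP 7.4 or later for typed properties:

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. Account and its properties are
// invented to show what the native format keeps and what JSON drops.
final class Account
{
    public int $id = 42;
    protected float $balance = 99.0;   // whole-number float: indistinguishable from an int in JSON
    private bool $locked = false;      // private: json_encode() never sees it
    public ?Account $parent = null;

    public function balance(): float { return $this->balance; }
}

$acct = new Account();
$acct->parent = $acct;                 // the object refers to itself

$native = serialize($acct);
// Property names carry their visibility as NUL-delimited prefixes; print the
// NUL bytes as \0 so the string is readable.
echo str_replace("\0", '\0', $native), "\n";
// O:7:"Account":4:{s:2:"id";i:42;s:10:"\0*\0balance";d:99;s:15:"\0Account\0locked";b:0;s:6:"parent";r:1;}

// Round trip with an explicit allow-list: only Account may be instantiated.
$copy = unserialize($native, ['allowed_classes' => [Account::class]]);
var_dump($copy instanceof Account);    // bool(true): the class came back
var_dump(is_float($copy->balance()));  // bool(true): d:99 is still a float
var_dump($copy->parent === $copy);     // bool(true): r:1 rebuilt the self-reference

// JSON for comparison: the self-reference alone makes it fail ...
var_dump(json_encode($acct));          // bool(false)
var_dump(json_last_error() === JSON_ERROR_RECURSION); // bool(true)
// ... and without it, only the public properties survive, as a stdClass.
$acct->parent = null;
$json = json_encode($acct);
echo $json, "\n";                      // {"id":42,"parent":null}
var_dump(get_class(json_decode($json))); // string(8) "stdClass"
```

The allowed_classes list is the habit worth keeping even for data you wrote yourself: it costs nothing here and turns any unexpected O: token in the string into a __PHP_Incomplete_Class instead of a live object.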
How It Works Under the Hood
The serialized string is a sequence of values, each written as:
- A one-letter type identifier: a = array, s = string, i = int, b = bool, d = double, N = null, O = object, C = object with custom serialization, r/R = back-reference to an earlier value
- Length or count metadata: the byte length of a string or class name, or the number of elements in an array or object
- The value itself, terminated by ; (scalars) or enclosed in { } (arrays and objects)
Structure breakdown:
a:2:{s:3:"foo";s:3:"bar";s:3:"baz";s:4:"quux";}
→ An array of 2 elements:
"foo" => "bar"
"baz" => "quux"
Inside an object, each property name carries its visibility: public names are written as-is, protected names as "\0*\0name" and private names as "\0Class\0name", with literal NUL bytes, which is one reason the string must be treated as binary rather than text. Lengths are byte lengths, so multi-byte strings round-trip exactly. This format is not human-friendly, but it is precise and efficient for PHP-to-PHP communication.
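A small walker over the format, written for this page as an added example (it is not code from the original article or from PHP itself). It reports which type tokens a blob contains and which class names an unserialize() call would try to instantiate, without decoding anything, which is what you want before touching a session or cache blob whose origin you cannot vouch for. The class name SerializedBlobScanner and the sample blob are constructed; it needs PHP 8.0 or later:

```php
<?php
declare(strict_types=1);
// Added example, not from the original article: a byte-level walker over the
// native format that counts type tokens and collects the class names behind
// O: and C: tokens without calling unserialize(). It is a pre-check for a blob
// of unknown origin, not a decoder and not a substitute for allowed_classes.
final class SerializedBlobScanner
{
    private int $pos = 0;
    public array $tokens = [];   // type letter => occurrences
    public array $classes = [];  // classes unserialize() would try to instantiate

    public function __construct(private string $blob) {}

    public function scan(): void
    {
        $this->value();
        if ($this->pos !== strlen($this->blob)) {
            throw new UnexpectedValueException("trailing bytes at offset {$this->pos}");
        }
    }

    private function value(): void
    {
        $type = $this->blob[$this->pos] ?? throw new UnexpectedValueException('unexpected end of data');
        $this->tokens[$type] = ($this->tokens[$type] ?? 0) + 1;
        $this->expect($type === 'N' ? 'N' : "$type:");    // only N; has no ':' after the letter
        switch ($type) {
            case 'N': case 'b': case 'i': case 'd': case 'r': case 'R': // <number>; (empty for N)
                $this->readUntil(';');
                break;
            case 's':                                      // <len>:"<bytes>";
                $this->counted('";');
                break;
            case 'a':                                      // <count>:{key;value;...}
                $this->members();
                break;
            case 'O':                                      // <len>:"<class>":<count>:{key;value;...}
                $this->classes[] = $this->counted('":');
                $this->members();
                break;
            case 'C':                                      // <len>:"<class>":<len>:{<opaque bytes>}
                $this->classes[] = $this->counted('":');
                $this->counted('}', '{');
                break;
            default:
                throw new UnexpectedValueException("unknown type token '$type' at offset {$this->pos}");
        }
    }

    private function members(): void                       // <count>:{key;value;...} for a: and O:
    {
        $count = (int) $this->readUntil(':');
        $this->expect('{');
        for ($i = 0; $i < $count; $i++) {
            $this->value();                                // key (i: or s:)
            $this->value();                                // value (any token)
        }
        $this->expect('}');
    }

    // <len>:<open><len bytes><close>; byte-counted, so NUL bytes in mangled names survive.
    private function counted(string $close, string $open = '"'): string
    {
        $len = (int) $this->readUntil(':');
        $this->expect($open);
        if ($len < 0 || $this->pos + $len > strlen($this->blob)) {
            throw new UnexpectedValueException("length $len overruns the blob at offset {$this->pos}");
        }
        $bytes = substr($this->blob, $this->pos, $len);
        $this->pos += $len;
        $this->expect($close);
        return $bytes;
    }

    private function readUntil(string $stop): string
    {
        $end = strpos($this->blob, $stop, $this->pos);
        if ($end === false) {
            throw new UnexpectedValueException("missing '$stop' after offset {$this->pos}");
        }
        $out = substr($this->blob, $this->pos, $end - $this->pos);
        $this->pos = $end + strlen($stop);
        return $out;
    }

    private function expect(string $literal): void
    {
        if (substr($this->blob, $this->pos, strlen($literal)) !== $literal) {
            throw new UnexpectedValueException("expected '$literal' at offset {$this->pos}");
        }
        $this->pos += strlen($literal);
    }
}

// Constructed sample: a preferences array that smuggles an object in.
$blob = 'a:2:{s:4:"user";s:5:"alice";s:4:"pref";O:8:"stdClass":1:{s:5:"theme";s:4:"dark";}}';
$scanner = new SerializedBlobScanner($blob);
$scanner->scan();
print_r($scanner->tokens);   // [a] => 1 [s] => 6 [O] => 1
print_r($scanner->classes);  // [0] => stdClass: a data blob should have none, so log and refuse
```

The walker never interprets a value, only its framing, so a malformed length or an unknown token letter is reported as an exception at a byte offset instead of being silently accepted. Treat a non-empty classes list on a blob that should hold plain data as an incident signal, not just a decode failure.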
When to Use Native Serialization (and When Not To)
Use PHP serialization when:
- Storing data in a PHP-only environment (e.g. session storage, or cache backends like APCu or Redis used internally)
- You need to preserve object state, private properties, or exact type fidelity
- Working with recursive data structures
- Performance matters: serialize() is often faster than json_encode()/json_decode() for complex PHP-native data (measure on your own workload; the gap depends on the data shape)
Avoid it when:
- Sharing data with other languages or APIs: JSON is standard and interoperable
- The input is not fully under your control: unserialize() on untrusted data leads to object injection attacks
- You need readability or debugging ease
Warning: never call unserialize() on user input, including cookies, hidden form fields, query parameters, and anything read back from a store the user can write to. A crafted payload can instantiate any class that is loaded or autoloadable, with attacker-chosen property values, and that class's magic methods (__destruct, __wakeup, __toString and others) then run with that state; in vulnerable code bases this escalates to remote code execution. If you must decode data that has left your control, authenticate it first (for example with an HMAC over the raw bytes) and pass ['allowed_classes' => false], or an explicit allow-list of your own classes, so that no unexpected object is ever created.
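The sink the warning describes, next to its hardened form. This is an added example rather than code from the original article; TempFile, the cookie layout, the key handling and the payload are all invented to show the mechanism, and the destructor only records that it ran. It needs PHP 8.0 or later:

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. TempFile, the cookie format and
// the payload are invented; the destructor records a call instead of acting.

// An ordinary application class. Its destructor is the kind of code an attacker
// looks for: it acts on a property whose value the attacker gets to choose.
final class TempFile
{
    public static array $log = [];          // records destructor calls for the demo

    public function __construct(public string $path) {}

    public function __destruct()
    {
        // In a real gadget this would be unlink(), file_put_contents(), include ...
        self::$log[] = "cleanup of {$this->path}";
    }
}

// VULNERABLE: the cookie is attacker-controlled, so the attacker, not the code,
// decides which class is instantiated and with which property values.
function loadPrefsUnsafe(string $cookie): array
{
    $prefs = @unserialize(base64_decode($cookie));
    return is_array($prefs) ? $prefs : [];  // a stray object is destructed right here
}

// HARDENED: authenticate first, then decode with object creation disabled.
function loadPrefsSafe(string $cookie, string $key): array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$mac, $payload] = $parts;
    $raw = base64_decode($payload, true);
    // Constant-time compare; the known-good value is the first argument.
    if ($raw === false || !hash_equals(hash_hmac('sha256', $raw, $key), $mac)) {
        return [];
    }
    // Even authenticated data gets no object creation: any O: token becomes a
    // __PHP_Incomplete_Class whose magic methods never run. max_depth (PHP 7.4+)
    // bounds nesting from a buggy producer.
    $prefs = unserialize($raw, ['allowed_classes' => false, 'max_depth' => 16]);
    return is_array($prefs) ? $prefs : [];
}

function issueCookie(array $prefs, string $key): string
{
    $raw = serialize($prefs);
    return hash_hmac('sha256', $raw, $key) . '.' . base64_encode($raw);
}

$key = random_bytes(32);                    // in practice: from the secret store, not per request

// Constructed attacker input: a TempFile whose path the attacker chose.
$evilRaw = 'O:8:"TempFile":1:{s:4:"path";s:11:"/etc/passwd";}';
$evil = base64_encode($evilRaw);

loadPrefsUnsafe($evil);
var_dump(TempFile::$log);                   // ["cleanup of /etc/passwd"]: the destructor ran

TempFile::$log = [];
var_dump(loadPrefsSafe('bogus.' . $evil, $key));                       // []: MAC failed, never unserialized
var_dump(loadPrefsSafe(issueCookie(['theme' => 'dark'], $key), $key)); // ['theme' => 'dark']
var_dump(TempFile::$log);                   // []

// What allowed_classes => false does on its own, if the MAC step were missing:
$obj = unserialize($evilRaw, ['allowed_classes' => false]);
var_dump(get_class($obj));                  // "__PHP_Incomplete_Class"
var_dump(TempFile::$log);                   // []: no TempFile exists, so no destructor
```

The two defenses are independent and worth stacking: the MAC keeps anything you did not produce out of unserialize() entirely, and allowed_classes => false means that even a forged or replayed blob can at most yield a __PHP_Incomplete_Class, never a live object with a destructor. When you genuinely need objects back, an explicit allow-list of your own classes is the middle ground; true (the default) is the setting to avoid on any input that crossed a trust boundary.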
Alternatives and Best Practices
If you need more control or safety, consider:
- JSON: for interoperability; json_decode() never instantiates application classes, so it is safe to call on untrusted input (still validate the decoded structure)
- igbinary: a binary serializer (drop-in alternative to serialize()) that is more compact and faster, but still PHP-only, and igbinary_unserialize() carries the same object-injection risk as unserialize()
- MessagePack: a fast, compact binary format with cross-language support
- Custom DTOs with explicit encoding/decoding: for critical systems where predictability matters, since the decoder only ever builds the types you wrote it to build
Whichever format you pick, authenticate data before decoding it if it was ever outside your trust boundary, pin unserialize() to an explicit allowed_classes list (or false), and treat whatever comes back from decoding an external blob as attacker-controlled until it has been validated.
In short, PHP's native serialization is powerful and underappreciated, especially when you are deep in the PHP ecosystem. JSON wins for portability, but serialize() gives you richer type fidelity and handles edge cases that JSON cannot. Just remember that the power cuts both ways, especially around unserialize().
The above is the detailed content of Beyond JSON: Understanding PHP's Native String Serialization. For more information, please follow other related articles on the PHP Chinese website!
