Structure of a Serialized PHP string

string php serialization

The basic structure is as follows:

Scalar types:

  1. Booleans are serialized as: 

    b:<i>;

    where <i> is an integer with a value of either 0 (false) or 1 (true).

  2. Integers are serialized as:

    i:<i>;

    where <i> is the integer value.

  3. Floats are serialized as (with d meaning double):

    d:<f>;

    where <f> is the float value.

  4. Strings are serialized as:

    s:<i>:"<s>";

    where <i> is an integer representing the string length of <s>, and <s> is the string value.

Special types:

  1. null is simply serialized as:

    N;

Compound types:

  1. Arrays are serialized as:

    a:<i>:{<elements>}

    where <i> is an integer representing the number of elements in the array, and <elements> zero or more serialized key value pairs:

    <key><value>

    where <key> represents a serialized scalar type, and <value> any value that is serializable.

  2. Objects are serialized as:

    O:<i>:"<s>":<i>:{<properties>}

    where the first <i> is an integer representing the string length of <s>, and <s> is the fully qualified class name (class name prepended with full namespace). The second <i> is an integer representing the number of object properties. <properties> are zero or more serialized name value pairs:

    <name><value>

    where <name> is a serialized string representing the property name, and <value> any value that is serializable.

    There's a catch with <name> though:

    <name> is represented as

    s:<i>:"<s>";

    where <i> is an integer representing the string length of <s>. But the values of <s> differs per visibility of properties:

    a. With public properties <s> is the simple name of the property.

    b. With protected properties, however, <s> is the simple name of the property, prepended with \0*\0 — an asterix, enclosed in two NUL characters (i.e. chr(0)).

    c. And with private properties, <s> is the simple name of the property, prepended with \0<s>\0<s>, enclosed in two NUL characters, where <s> is the fully qualified class name.

There are a few other cases, such as R:<i>;, that represents references, that I haven't mentioned here (because I honestly haven't figured out the exact workings of it yet), but this should give you a decent idea about PHP's serializing mechanism.


I've found this page at phpinternalsbook quite complete. It also shows the alternative serialization format for classes implementing Serializable interface, as well as the meaning of R format specifier.

Related

Rails 3 - select with Include?
Pytest fixture for a class through self not as method argument
Avoiding all DI antipatterns for types requiring asynchronous initialization
Fastest function to generate Excel column letters in C#
JPA 2.0: Adding entity classes to PersistenceUnit *from different jar* automatically
Primitive or wrapper for hibernate primary keys
Receiving Push Notifications while in background
Is there a way to cancel/detach a future in C++11?
pass function in json and execute
How to put text in a drawable?
Python "is" statement: what is happening? [duplicate]
.NET DateTime.Now returns incorrect time when time zone is changed