PHP 7.3 reaches end of support in December 2021 and Adobe Commerce 2.3.x reaches end of support in April 2022. You may want to consider planning your upgrade now to Adobe Commerce 2.4.x and PHP 7.4.x to help maintain PCI compliance.

Serialize Library

Overview

This library provides a secure way of serializing and unserializing strings, integers, floats, booleans, and arrays.

Magento’s Serialize library provides the Magento\Framework\Serialize\SerializerInterface and the Json and Serialize implementations for serializing data.

Serialization

The main purpose of data serialization is to convert data into a string using serialize() to store in a database, a cache, or pass onto another layer in the application.

The other half of this process uses the unserialize() function to reverse the process and convert a serialized string back into string, integer, float, boolean, or array data.

For security reasons, SerializerInterface implementations, such as the Json and Serialize classes, should not serialize and unserialize objects.

Implementations

Json (default)

The Magento\Framework\Serialize\Serializer\Json class serializes and unserializes data using the JSON format.

JsonHexTag

The Magento\Framework\Serialize\Serializer\JsonHexTag class serializes and unserializes data using the JSON format using the JSON_HEX_TAG option enabled.

Base64Json

The Magento\Framework\Serialize\Serializer\Base64Json class serializes and encodes in the base64 format, and decodes the base64 encoded string and unserializes data using the JSON format.

Serialize

The Magento\Framework\Serialize\Serializer\Serialize class is less secure than the Json implementation but provides better performance on large arrays.

FormData

The Magento\Framework\Serialize\Serializer\FormData class unserializes the form data using the JSON format. This class does not serialize objects to a form data format.

Magento discourages using the Serialize implementation directly because it can lead to security vulnerabilities. Always use the SerializerInterface for serializing and unserializing.

Usage

Declare SerializerInterface as a constructor dependency to get an instance of a serializer class.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
use Magento\Framework\Serialize\SerializerInterface;

...

/**
 * @var SerializerInterface
 */
private $serializer;

...

public function __construct(SerializerInterface $serializer) {
  $this->serializer = $serializer;
}


The following example shows how to use a serializer’s serialize() and unserialize() functions to store and retrieve array data from a cache:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
...

/**
 * @var string
 */
private $cacheId = 'mySerializedData';

...

/**
 * Save data to cache
 * @param array $data
 *
 * @return bool
 */
public function saveDataToCache($data)
{
  return $this->getCache()->save($this->serializer->serialize($data), $this->cacheId);
}

...

/**
 * Load data from cache
 *
 * @return array
 */
public function loadDataFromCache()
{
  $data = $this->getCache()->load($this->cacheId);
  if (false !== $data) {
    $data = $this->serializer->unserialize($data);
  }
  return $data;
}
...

Backward Compatibility Note

The SerializerInterface interface and its implementations only exist since Magento version 2.2. Because of this, it is not possible to use these classes in code that has to be compatible with Magento 2.1 or 2.0.

In code that is compatible with earlier versions of Magento 2, constructor dependency injection can not be used to get an instance of SerializerInterface. Instead, a runtime check if the SerializerInterface definition exists can made, and if it does, it can be instantiated by directly accessing the object manager using a static method. Alternatively a check against the Magento 2 version or the magento/framework composer package version would work, too. If the interface does not exist or an earlier version of Magento 2 is being executed, the appropriate native PHP serialization function has to be called, e.g. \serialize() or \json_encode(), depending on the usercase.

Here is an example:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
...
/**
 * @param mixed $data
 * @return string
 */
 private function serialize($data)
 {
    if (class_exists(\Magento\Framework\Serialize\SerializerInterface::class)) {
        $objectManager = \Magento\Framework\App\ObjectManager::getInstance();
        $serializer = $objectManager->create(\Magento\Framework\Serialize\SerializerInterface::class);
        return $serializer->serialize($data);
    }
    return \serialize($data);
}
...