php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #79759 Cannot unserialize payloads from PHP 7.4 on 7.3 if __serialize() is used
Submitted: 2020-06-29 20:02 UTC Modified: 2021-07-30 14:25 UTC
Votes:5
Avg. Score:5.0 ± 0.0
Reproduced:5 of 5 (100.0%)
Same Version:4 (80.0%)
Same OS:4 (80.0%)
From: upyx dot 00 at gmail dot com Assigned: cmb (profile)
Status: Wont fix Package: *General Issues
PHP Version: 7.4.7 OS: any
Private report: No CVE-ID: None
View Developer Edit
 [2020-06-29 20:02 UTC] upyx dot 00 at gmail dot com 
Description:
------------
Hello!

In PHP 7.4 serialization mechanism has been changed in a backward-incompatible way. So it is (sometimes) not possible to serialize data in PHP 7.4 and deserialize them in PHP 7.3. The serialization is widely used to storing data in sessions, transfer data through message brokers, etc.

Our site works on many servers, and the business has got to work 24/7. So we cannot upgrade all nodes at once. When we upgrade some node to PHP 7.4, it becomes to produce serialized data to a network that unsupported by other nodes. So we cannot update the nodes one by one. We've stuck here.

I've asked the community how they upgraded, and a lot of them answered some like "through pain and disgrace" because they didn't expect the problem and had to solve it when they ran into it. After some investigation, we realize that the problem, not PHP itself but in the many open source libraries which declare support of PHP prior to 7.4 but use new "__serialize()/__unserialize()"  methods.

However, there is a problem, and we need a way to solve it. It is hardly possible to downgrade libraries because of the complicated dependency graph between them. It is barely possible to convince libraries' authors to make necessary changes because of the number of them. I propose two variants:
a) backport "new" deserialization (but not serialization) to the next PHP 7.3 minor version;
b) add an option to force "legacy" serialization to the next PHP 7.4 minor release.

The first variant is the easiest to use. The second variant is the easiest to implement.

By the way, we solved *our* problem with migration. It took a while, so I want to help others.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-06-29 20:27 UTC] nikic@php.net
-Summary: Impossible to use PHP 7.3 and 7.4 together and smoothly migrate between them +Summary: Cannot unserialize payloads from PHP 7.4 on 7.3 if __serialize() is used
 [2020-07-26 14:36 UTC] fortemppp at gmail dot com 
unserialize is not working properly in 7.3 and 7.4 but the same code works in 7.2 or earlier versions. I found a solution for my code like this to resolve the issue and then unserialize.
$data = preg_replace_callback('!s:\d+:"(.*?)";!s', function($m) { return "s:" . strlen($m[1]) . ':"'.$m[1].'";'; }, $data);
 [2021-07-30 14:25 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2021-07-30 14:25 UTC] cmb@php.net 
Not quite sure what to do with this request.  Backporting anything
but security fixes to PHP-7.3 is off the table.  Adding a new
feature to PHP-7.4 is highly unlikely to happen at this point in
time.

> After some investigation, we realize that the problem, not PHP
> itself but in the many open source libraries which declare support
> of PHP prior to 7.4 but use new "__serialize()/__unserialize()"
> methods.

Well, this is clearly a downstream issue.  Guess this is a WONTFIX.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Jul 03 09:01:34 2025 UTC