diff --git a/reference/var/functions/unserialize.xml b/reference/var/functions/unserialize.xml
index 7eb2541b79..f0d8710145 100644
--- a/reference/var/functions/unserialize.xml
+++ b/reference/var/functions/unserialize.xml
@@ -158,6 +158,16 @@ function mycallback($classname)
 E_NOTICE.
+
+
+ Do not pass untrusted user input to unserialize.
+ Unserialization can result in code being loaded and executed due to object
+ instantiation and autoloading, and a malicious user may be able to exploit
+ this. Use a safe, standard data interchange format such as JSON (via
+ json_decode and json_encode) if
+ you need to pass serialized data to the user.
+
+