Function epl_unserialize
Safely unserialize base64 encoded data.
This helper decodes a base64 encoded string and attempts to unserialize it while applying several validation steps to reduce security risks.
Security improvements:
- Uses strict base64 decoding so that malformed or non-base64 input is rejected.
- Validates that the decoded value is actually a serialized string before attempting to unserialize it.
- Prevents object injection by disabling object instantiation via the allowed_classes => false option of unserialize().
If the input cannot be decoded or is not a valid serialized value, the function safely returns false instead of passing it to unserialize().
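The three steps above, as an added example that is not the project's own epl_unserialize code; the function and helper names, the minimal serialized-format check and the sample payloads are this example's own assumptions.

```php
<?php
// Added example, not code from the Easy Property Listings plugin.

/**
 * Minimal shape check for PHP serialized data (constructed for this example,
 * modelled on the kind of check WordPress performs): a type letter, a colon,
 * and the terminator that type requires.
 */
function example_looks_serialized( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    $value = trim( $value );
    if ( 'N;' === $value ) {
        return true; // serialized null
    }
    if ( ! preg_match( '/^([bidsaO]):/', $value, $m ) ) {
        return false;
    }
    switch ( $m[1] ) {
        case 'a':
        case 'O':
            return '}' === substr( $value, -1 );   // arrays and objects end with }
        case 's':
            return '";' === substr( $value, -2 );  // strings end with ";
        default:
            return ';' === substr( $value, -1 );   // b:, i:, d: end with ;
    }
}

function example_safe_unserialize( $data ) {
    if ( ! is_string( $data ) ) {
        return false;
    }
    // Step 1: strict mode returns false for characters outside the base64 alphabet.
    $decoded = base64_decode( $data, true );
    if ( false === $decoded ) {
        return false;
    }
    // Step 2: only well-formed serialized data reaches unserialize().
    if ( ! example_looks_serialized( $decoded ) ) {
        return false;
    }
    // Step 3: no class is instantiated; any O: entry becomes __PHP_Incomplete_Class.
    return unserialize( $decoded, array( 'allowed_classes' => false ) );
}

// Constructed inputs: a plain array round-trips, a serialized object is not
// instantiated as its class, and non-base64 input is rejected with false.
var_dump( example_safe_unserialize( base64_encode( serialize( array( 'beds' => 3 ) ) ) ) );
var_dump( example_safe_unserialize( base64_encode( 'O:8:"stdClass":0:{}' ) ) );
var_dump( example_safe_unserialize( 'not base64!!' ) );
```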
Package: EPL\Admin\Functions
Copyright: Copyright (c) 2020, Merv Barrett
License: GNU Public License
Since: 3.3.0
Since: 3.5.21 Hardened unserialize handling by enforcing strict base64 decoding, validating serialized input, and disabling object instantiation.
Located at lib/includes/admin/admin-functions.php
Parameters summary
string $data: Base64 encoded serialized data.
Return value summary
mixed|false: Returns the unserialized value on success, or false if the input is invalid or cannot be safely unserialized.