unserialize() on request input (PHP)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
unserialize() on a superglobal ($_GET/$_POST/$_REQUEST/$_COOKIE) can trigger PHP object-injection gadget chains. Use json_decode for client data instead.
Why it matters
unserialize() on a superglobal reconstructs PHP objects from client-supplied data, which can trigger object-injection gadget chains that reach dangerous magic methods (__wakeup, __destruct). This is a direct path from request input to code execution.
How to fix it
Never unserialize client data. Use json_decode for structured input from clients. If you must accept serialized PHP, pass the allowed_classes option to unserialize to restrict it, and sign the payload so it cannot be tampered with. Prefer a signed JSON token over PHP serialization entirely.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo