unserialize() on a variable (PHP)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
unserialize() on any variable risks PHP object injection if the value ever reaches user control. Heuristic: verify the source is trusted, or switch to json_decode.
Why it matters
unserialize() on any variable is a PHP object-injection risk if that value ever originates from user input. This is a lower-confidence heuristic than the superglobal case: it is flagged so you can confirm the source is trusted or switch formats.
How to fix it
Trace the variable to its source. If it can carry client data, replace unserialize with json_decode, or pass ["allowed_classes" => false] to restrict what can be instantiated. If the value is provably internal and trusted, document that at the call site.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo