====== PHP RFC: Phasing out Serializable ======
  * Date: 2020-12-07
  * Author: Nikita Popov <nikic@php.net>
  * Status: Implemented
  * Target Version: PHP 8.1
  * Implementation: https://github.com/php/php-src/pull/6494

===== Introduction =====

The [[rfc:custom_object_serialization|new custom object serialization mechanism]] RFC introduced new ''%%__serialize()%%'' and ''%%__unserialize()%%'' magic methods in PHP 7.4, with the intent of replacing the broken ''Serializable'' interface. This RFC finalizes that work by laying out a plan for the eventual removal of ''Serializable''.

Please see the referenced RFC for a detailed discussion of why the ''Serializable'' interface is broken and needs to be replaced. Since PHP 7.4 a robust alternative mechanism exists, but some of the motivating issues will only be resolved once support for ''Serializable'' is dropped entirely.

===== Proposal =====

==== Serializable ====

A class is "only Serializable" if it is non-abstract, implements ''Serializable'', and does not implement ''%%__serialize()%%'' and ''%%__unserialize()%%''. Then:

  * In PHP 8.1, declaring an "only Serializable" class will throw a deprecation warning. Other implementations of ''Serializable'' will be accepted without a deprecation warning, because libraries supporting PHP < 7.4 will generally need to implement both the old and new mechanisms.
  * In PHP 9.0 the ''Serializable'' interface will be removed and ''unserialize()'' will reject payloads using the ''C'' serialization format. Code needing to support both PHP < 7.4 and PHP >= 9.0 may polyfill the ''Serializable'' interface, though it will have no effect on serialization.

If a class implements both ''Serializable'' and ''%%__serialize()%%''/''%%__unserialize()%%'', the latter take precedence (on versions that support them), and the ''Serializable'' interface is only used to decode existing serialization payload using the obsolete ''C'' format. To migrate to the new mechanism, it's possible to either replace ''Serializable'' entirely (if support for PHP 7.3 and below is not needed) or to implement both (if it is needed).

An earlier version of this RFC proposed an additional step: PHP 9.0 would deprecate all uses of Serializable (including those that are not "only Serializable") and only remove the interface in PHP 10.0. However, this approach was deemed too complicated.

==== PDO::FETCH_SERIALIZE ====

PDO has a ''PDO::FETCH_SERIALIZE'' flag that can be used in conjunction with ''PDO::FETCH_CLASS''. This fetch mode is based on the ''Serializable'' interface, and as such it cannot be supported once it is removed. Apparently, the ''PDO::FETCH_SERIALIZE'' mode is not actually usable due to an implementation bug (https://bugs.php.net/bug.php?id=68802) anyway.

In addition to the ''Serializable'' changes, this RFC proposes to deprecate ''PDO::FETCH_SERIALIZE'' in PHP 8.1 and remove it in PHP 9.0.

===== Vote =====

Voting started 2021-04-14 and ended 2021-04-28.

<doodle title="Phase out Serializable as proposed?" auth="nikic" voteType="single" closed="true">
   * Yes
   * No
</doodle>