PHP RFC: Phasing out Serializable
The new custom object serialization mechanism RFC introduced new __serialize() and __unserialize() magic methods in PHP 7.4, with the intent of replacing the broken Serializable interface. This RFC finalizes that work by laying out a plan for the eventual removal of
Please see the referenced RFC for a detailed discussion of why the Serializable interface is broken and needs to be replaced. Since PHP 7.4 a robust alternative mechanism exists, but some of the motivating issues will only be resolved once support for Serializable is dropped entirely.
A class is “only Serializable” if it is non-abstract, implements
Serializable, and does not implement
- In PHP 8.1, declaring an “only Serializable” class will throw a deprecation warning.
- In PHP 9.0, declaring an “only Serializable” class will generate a compile-time error. All other implementations of Serializable will result in a deprecation warning. Additionally, payloads using the C serialization format will fail to unserialize.
- In PHP 10.0 the Serializable interface will be removed.
The intent behind this deprecation timeline is to remove internal support for Serializable by PHP 9, but do this in a way that allows codebases to support multiple PHP versions easily, even across large ranges.
If a class implements both Serializable and __serialize()/__unserialize(), the latter take precedence (on versions that support them), and the Serializable interface is only used to decode existing serialization payloads using the obsolete C format. To migrate to the new mechanism, it's possible to either replace Serializable entirely (if support for PHP 7.3 and below is not needed) or to implement both (if it is needed).
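A sketch of the "implement both" migration path described above, as an added example that is not part of the RFC; the `Session` class, its fields and the sample payloads are hypothetical. The legacy `unserialize()` passes `allowed_classes => false` so that an old `C` payload cannot instantiate other classes, and both paths share one validation routine.

```php
<?php
// Added example: Session and its fields are hypothetical.
final class Session implements Serializable
{
    private $user;
    private $roles;

    public function __construct(string $user, array $roles)
    {
        $this->user = $user;
        $this->roles = $roles;
    }

    // New mechanism: takes precedence on PHP >= 7.4.
    public function __serialize(): array
    {
        return ['user' => $this->user, 'roles' => $this->roles];
    }

    public function __unserialize(array $data): void
    {
        // Validate the shape instead of trusting the payload.
        if (!is_string($data['user'] ?? null) || !is_array($data['roles'] ?? null)) {
            throw new UnexpectedValueException('Malformed Session payload');
        }
        $this->user = $data['user'];
        $this->roles = $data['roles'];
    }

    // Legacy mechanism: used on PHP <= 7.3 and to decode old "C:" payloads.
    public function serialize()
    {
        return serialize($this->__serialize());
    }

    public function unserialize($payload)
    {
        // The nested call must not instantiate any class.
        $data = unserialize($payload, ['allowed_classes' => false]);
        $this->__unserialize(is_array($data) ? $data : []);
    }
}

$fresh = serialize(new Session('alice', ['admin']));
// Constructed legacy payload in the obsolete "C" format.
$inner = serialize(['user' => 'bob', 'roles' => []]);
$legacy = sprintf('C:7:"Session":%d:{%s}', strlen($inner), $inner);
$allow = ['allowed_classes' => [Session::class]];
var_dump($fresh[0], unserialize($fresh, $allow), unserialize($legacy, $allow));
```

On PHP 7.4 and later the fresh payload uses the `O` format, while PHP 7.3 and below emit `C`; the constructed legacy payload decodes only on versions that still support the `C` format.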
From an internal perspective, Serializable support will be gone in PHP 9.0, and only a stub interface will be retained. PHP 10.0 removes that stub interface entirely. Only at that point will it no longer be trivial to support both PHP < 7.4 and >= 10.0, which should be a more than sufficient grace period.
PDO has a PDO::FETCH_SERIALIZE flag that can be used in conjunction with PDO::FETCH_CLASS. This fetch mode is based on the Serializable interface, and as such it cannot be supported once it is removed. Apparently, the PDO::FETCH_SERIALIZE mode is not actually usable due to an implementation bug (https://bugs.php.net/bug.php?id=68802) anyway.
In addition to the Serializable changes, this RFC proposes to deprecate PDO::FETCH_SERIALIZE in PHP 8.1 and remove it in PHP 9.0.