Loading PHP Serialize Tool...
Decode PHP serialized data into readable JSON, or encode JSON back into a PHP serialized string. Handy for sessions, cookies and object-injection testing. Runs in your browser.
String lengths use byte counts, so multibyte UTF-8 is handled correctly. PHP objects (O:...) decode to JSON with a __class field. When encoding, JSON objects become PHP associative arrays and JSON arrays become indexed arrays.
Decode PHP serialized data into readable JSON, or encode JSON back into a PHP serialized string. Runs entirely in your browser.
PHP's serialize() turns values into a compact text format like a:1:{s:4:"name";s:3:"bob";} that shows up in sessions, cookies, database columns and caches. Reading it by hand is awkward, and crafting it is central to PHP object-injection (insecure deserialization) testing. This tool converts PHP serialized data into clean JSON, and converts JSON back into a valid serialized string.
Input:
a:1:{s:4:"name";s:3:"bob";}Output:
{ "name": "bob" }Why does decoding show __class?
PHP objects serialize as O:len:"ClassName":.... The decoder keeps the class name in a __class field so you can see which class the data instantiates, which matters for object-injection analysis.
Does it handle multibyte strings?
Yes. Lengths are byte counts, and the parser works over UTF-8 bytes, so emoji and accented characters round-trip correctly.
Can I craft a payload with it?
You can build arrays and objects from JSON. For authorised testing, encode the structure you need; private/protected property names with null bytes can be entered directly in the JSON keys.
Is anything uploaded?
No. Both directions run entirely in your browser.