Deserializing objects is security-sensitive. For example, it has led in the past to the following vulnerabilities:
Object deserialization from an untrusted source can lead to unexpected code execution. Deserialization takes a stream of bits and turns it into an
object. If the stream contains the type of object you expect, all is well. But if you're deserializing untrusted input, and an attacker has inserted
some other type of object, you're in trouble. Why? There are a few different attack scenarios, but one widely-documented one goes like this:
Deserialization first instantiates the object, then PHP automatically attempts to call its __wakeup() method to
reconstruct any resources that the object may hold. If the attacker has supplied an object whose class overrides __wakeup(), they are entirely in control of what code
executes during that process.
You are at risk if you answered yes to any of those questions.
To prevent insecure deserialization, it is recommended to use a standard data interchange format such as JSON instead of relying on object serialization.
You should also limit access to the serialized source. For example:
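An added example in PHP that makes the __wakeup() hazard and both mitigations concrete (it is not part of the original rule text; the Session class, the serialized payload and the secret are constructed for illustration):

```php
<?php
// Added example, not from the original rule. Shows why unserialize() on
// untrusted input is dangerous and the mitigations the text recommends.

class Session {
    public $user = 'guest';
    public function __wakeup() {
        // In a real gadget class, this is where attacker-influenced code runs.
        echo "__wakeup() called on " . static::class . "\n";
    }
}

// Constructed untrusted input: a serialized Session object, e.g. from a cookie.
$untrusted = 'O:7:"Session":1:{s:4:"user";s:5:"admin";}';

// 1. Unsafe: every class named in the stream is instantiated and its
//    __wakeup() runs before your code sees the result.
$obj = unserialize($untrusted);   // prints "__wakeup() called on Session"

// 2. Hardened (PHP 7.0+): refuse to instantiate any class. PHP returns a
//    __PHP_Incomplete_Class placeholder and never calls __wakeup().
$safe = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);   // bool(true)

// 3. Preferred: carry plain data as JSON. json_decode() never instantiates
//    application classes, so there is no magic method to abuse (PHP 7.3+
//    for JSON_THROW_ON_ERROR). Map fields explicitly after validating them.
$json = '{"user":"admin"}';
$data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
if (!is_array($data) || !isset($data['user']) || !is_string($data['user'])) {
    throw new UnexpectedValueException('invalid session payload');
}
$session = new Session();
$session->user = $data['user'];

// 4. Limiting access to the serialized source: when serialized PHP must be
//    used (e.g. a server-side cache), authenticate it with an HMAC so only
//    data the application itself produced is ever unserialized, and still
//    whitelist the expected class. $secret is assumed to come from
//    configuration, never from the request.
$secret = 'replace-with-configured-secret';
$stored = serialize(new Session());
$storedMac = hash_hmac('sha256', $stored, $secret);
// ... later, read back from storage:
$received = $stored;
$receivedMac = $storedMac;
if (hash_equals(hash_hmac('sha256', $received, $secret), $receivedMac)) {
    $restored = unserialize($received, ['allowed_classes' => [Session::class]]);
}
```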