PHP 8.1: Serializable interface deprecated


PHP provides the serialize and unserialize functions, which convert class objects, arrays, and scalar data to a serialized string form and recreate them from that string.

PHP classes can provide their own serialization implementations. For example, a class can exclude certain sensitive data from being added to the serialized string, or a class can reestablish a connection to a remote server from the server URL taken from the serialized text.

There are three approaches to provide custom serialization logic for PHP classes:

  • __sleep and __wakeup magic methods
  • The Serializable interface and Serializable::serialize and Serializable::unserialize methods (since PHP 5.1)
  • __serialize and __unserialize magic methods (since PHP 7.4)

Implementing __serialize and __unserialize methods is the recommended way, as it avoids some of the pitfalls with the __sleep/__wakeup approach and the Serializable interface.

In PHP 8.1, implementing the Serializable interface without implementing __serialize and __unserialize methods is deprecated.

class Test implements Serializable{
    public function serialize() {}
    public function unserialize($data) {}
}

Deprecated: Test implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in ... on line ...

Back in 2019, it was proposed to add the two new magic methods __serialize and __unserialize because both __wakeup + __sleep and the Serializable interface approaches were not ideal due to implementation complexity and their buggy behavior.

This deprecation in PHP 8.1 is a continuation of that change: it deprecates implementing the Serializable interface without the new magic methods, with the aim of eventually removing the Serializable interface in PHP 9.0.

If a class implements both Serializable interface methods and magic methods, magic methods take precedence, and a deprecation notice is not emitted.

In PHP 7.4 and later, the __serialize and __unserialize magic methods are executed during serialize()/unserialize() calls, not the serialize/unserialize methods from the Serializable interface. There will be no deprecation notice in PHP 8.1 either.

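class Test implements Serializable{

    // Called on PHP 7.4 and later
    public function __serialize(): array {}
    public function __unserialize(array $data): void {}

    // Called only on PHP 7.3 and older; Serializable::serialize() returns a string or null
    public function serialize(): ?string {}
    public function unserialize(string $data): void {}
}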

Backwards Compatibility Impact

Note that the deprecation notice is not emitted if the class also implements __serialize and __unserialize methods.

If a class implements both Serializable interface methods and magic methods, magic methods take precedence.

On applications with PHP 7.4 as the minimum version, it is safe to drop the Serializable interface implementation and implement the new __serialize and __unserialize methods.

On applications that must support PHP versions older than PHP 7.4, implement both the Serializable interface (which will be used on PHP <= 7.3) and the __serialize/__unserialize methods (for PHP 7.4, 8.0, and later).
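
The dual implementation described above, as an added example that is not code from the original page: a hypothetical ApiClient class keeps its secret token out of the serialized string, checks the restored data before using it, and delegates the legacy Serializable methods to the magic methods so both code paths carry the same fields. The class name, its fields, and the endpoint and token values are assumptions made for illustration.

```php
<?php
// Added example: ApiClient, its fields and the endpoint are hypothetical.
final class ApiClient implements Serializable
{
    private $endpoint;
    private $token; // secret; never written to the serialized string

    public function __construct(string $endpoint, string $token)
    {
        $this->endpoint = $endpoint;
        $this->token = $token;
    }

    // PHP 7.4+: takes precedence over Serializable::serialize().
    public function __serialize(): array
    {
        return ['endpoint' => $this->endpoint];
    }

    // PHP 7.4+: check the shape of the data before using it.
    public function __unserialize(array $data): void
    {
        if (!isset($data['endpoint']) || !is_string($data['endpoint'])) {
            throw new UnexpectedValueException('Malformed ApiClient data');
        }
        $this->endpoint = $data['endpoint'];
        $this->token = ''; // caller must supply the token again
    }

    // PHP <= 7.3 fallback: same data, encoded as JSON.
    public function serialize()
    {
        return json_encode($this->__serialize());
    }

    public function unserialize($data)
    {
        $decoded = json_decode($data, true);
        $this->__unserialize(is_array($decoded) ? $decoded : []);
    }
}

$payload = serialize(new ApiClient('https://api.example.test', 'constructed-token'));
if (strpos($payload, 'constructed-token') !== false) {
    throw new LogicException('Token leaked into the serialized string');
}
// Restrict which classes the payload may instantiate.
$copy = unserialize($payload, ['allowed_classes' => [ApiClient::class]]);
```

Because the magic methods are present, this class emits no deprecation notice on PHP 8.1, and the Serializable methods are only reached on PHP 7.3 and older.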
