API returns serialized php object

Just came across something interesting.
This is the first time I see an API that offers a serialized php object as one of the possible formats in which it returnes data.


How would you use this data?
I don’t think calling unserialize($string) will create an object.
You need to have a class, but where is it?

Can anyone offer any use cases?

$strData = 'a:2:{s:6:"status";s:7:"success";s:5:"story";a:8:{s:5:"title";s:38:"Tweetmeme - Hottest Stories on Twitter";s:3:"url";s:25:"http://www.tweetmeme.com/";s:10:"media_type";s:4:"news";s:10:"created_at";s:19:"2009-02-19 13:06:36";s:9:"url_count";i:3141;s:7:"tm_link";s:35:"http://tweetmeme.com/story/26054116";s:13:"comment_count";i:115;s:7:"excerpt";s:73:"RT @tweetmeme Tweetmeme - Hottest Stories on Twitter http://bit.ly/151Dl1";}}';
$arrData = unserialize($strData);

echo '<pre>',print_r($arrData),'</pre>';
echo '<p>',$arrData['story']['title'],'</p>';

I get it now. It’s just an array. They call it serialized php object, but it’s just a serialized array. Now bad, I’ve never seen APIs that return pure raw php data, but why not - JSON is just a pure javascript object, so why not return php.

Look like a good idea.

I’d fear unserializing untrusted data. unserialize() can have side effects. They have the power to make you create objects, and objects can have behavior. __wakeup(), and the other functions that might get executed if the class is undefined. Not to mention the possible errors that can result.