PHP Sérialisé vers YAML

Convertissez les payloads PHP sérialisés en YAML pour configuration lisible

Converting PHP Serialized Data to YAML

PHP's serialize() function produces a compact, type-aware string representation of variables — arrays, objects, integers, floats, booleans, and strings — using a proprietary format that is unreadable to anyone outside the PHP ecosystem. When migrating legacy PHP applications to modern infrastructure, teams frequently need to convert serialized payloads into a human-readable format suitable for configuration management, data auditing, and cross-platform interoperability. YAML (YAML Ain't Markup Language) is an ideal target format because it preserves hierarchical structure while remaining readable, editable, and compatible with tools across every major programming language and DevOps workflow.

This tool parses PHP serialized strings safely — without executing any class methods or triggering deserialization callbacks — and emits clean YAML output that faithfully represents the original data structure. Object instances are rendered as explicit metadata entries rather than instantiated classes, preventing security vulnerabilities while preserving all structural information for inspection, migration, and documentation purposes.

Understanding PHP Serialization Format

PHP serialization encodes data types using single-character prefixes followed by type-specific content. The format supports recursive structures and preserves type information that JSON would lose:

  • s:5:"hello"; — String with byte length prefix
  • i:42; — Integer value
  • d:3.14; — Float (double) value
  • b:1; — Boolean (1 for true, 0 for false)
  • N; — NULL value
  • a:2:{...} — Array with element count
  • O:8:"ClassName":2:{...} — Object with class name and property count

Arrays in PHP serialization include both sequential (indexed) and associative arrays in the same format, distinguished only by their key patterns. Objects carry their class name and may include visibility modifiers encoded into property names — public, protected (prefixed with \0*\0), and private (prefixed with \0ClassName\0) properties all serialize differently, which a safe parser must handle without instantiating the class.

Why YAML Is Ideal for Serialized PHP Data Inspection

When inspecting legacy PHP data, YAML provides several advantages over JSON as a target format:

  • Readability: YAML uses indentation-based nesting without braces or brackets, making deeply nested structures easier to scan visually — especially for the complex nested arrays common in WordPress options tables and Drupal configuration exports.
  • Comments: YAML supports inline comments, allowing teams to annotate converted data with migration notes, deprecation warnings, or field explanations that would be impossible in JSON output.
  • Multi-line strings: YAML's block scalar syntax (| and >) handles long text fields — HTML content, email templates, serialized CSS — without escape character noise that makes JSON output unreadable for human inspection.
  • Configuration compatibility: YAML is the standard format for Kubernetes manifests, Ansible playbooks, Docker Compose files, and CI/CD pipelines. Converting PHP data to YAML enables direct integration with modern DevOps tooling for migration workflows.

For legacy WordPress sites storing serialized arrays in wp_options, converting to YAML enables teams to audit plugin configurations, compare settings across environments, and document the current state before migrating to structured configuration systems.

Safe Parsing Without Object Instantiation

PHP's native unserialize() function is notorious for security vulnerabilities — deserializing untrusted data can trigger __wakeup() and __destruct() magic methods, leading to remote code execution (RCE) attacks. This tool implements a safe parser that reads the serialization format character by character without ever creating object instances or invoking any callbacks.

Object data is preserved as structured metadata in the YAML output:

  • Class name is stored as a __class field for reference
  • Properties are listed with their visibility modifiers decoded
  • No PHP runtime is involved — parsing happens entirely in the browser
  • Circular references are detected and reported as errors rather than causing infinite loops

This approach makes the tool safe for analyzing untrusted serialized data from compromised databases, suspicious user submissions, or third-party plugin exports without risk of triggering embedded exploit chains.

Common Migration Workflows

Teams typically use PHP-to-YAML conversion during these migration scenarios:

  • WordPress to headless CMS: Export serialized option values and widget configurations as YAML for review before rebuilding in a structured CMS with proper schemas.
  • Monolith to microservices: Extract configuration stored in serialized database columns into YAML config files that each service owns independently with version control.
  • Database audit: Dump all serialized columns from a MySQL database, convert to YAML, and use diff tools to compare configurations across staging and production environments.
  • Documentation: Generate readable YAML representations of complex plugin settings for onboarding documentation, making it possible for new team members to understand the current configuration without navigating WordPress admin panels.

Code Examples

PHP Serialized Array Converted to YAML

# Input: a:3:{s:4:"name";s:5:"Alice";s:3:"age";i:30;s:5:"roles";a:2:{i:0;s:5:"admin";i:1;s:6:"editor";}}
# Output YAML:

name: Alice
age: 30
roles:
  - admin
  - editor

Extracting Serialized Data from MySQL for YAML Conversion

# Export serialized options from WordPress database
mysql -u root -p wordpress_db -e "
  SELECT option_name, option_value
  FROM wp_options
  WHERE option_value LIKE 'a:%' OR option_value LIKE 'O:%'
  LIMIT 20;
" --batch --raw > serialized_options.tsv

# Each option_value can be pasted into the converter
# to produce a readable YAML representation for auditing