Extra data starting at offset %d of %zd bytes¶

Description¶

Some extra data were found while processing the serialized string. They are not needed, so they should not be there. It is recommended to investigate why too much data was provided, as it may devolve in a security issue.

There is no way to check the amount of needed data before unserializing the string.

Example¶

<?php

// 1 3   are too much in this string.
print_r(unserialize('O:1:"a":1:{s:8:"property";s:3:"yes". '1 3';}));

?>

Literal Examples¶

Extra data starting at offset 31 of 3 bytes

Solutions¶

Catch the warning and review the string after execution.
Set up a validation of the incoming string, such as a check sum.