From the comment section of unserialize:
Apparently, unserialize is really picky about anyone messing with the serial string. Just spent an hour debugging why unserialize wasn’t working on a serial string stored in a database where, per client requirement, all inserted data is strtoupper’d.
I hate your client and, depending on whether or not you as a professional programmer expected unserialize() to work in the face of bytes being changed, I may also hate you.
Be aware that if useing serialize/unserialize in a serverfarm with both 32bit and 64bit servers you can get unexpected results. Ex: if you serialize an integer with value of 2147483648 on a 64bit system and then unserialize it on a 32bit system you will get the value -2147483648 instead. This is because an integer on 32bit cannot be above 2147483647 so it wraps.
That sounds like the sort of unintended result that maybe should be freaking documented, and I don’t mean in a user-submitted comment waaaay down at the bottom.
Bonus: people complaining that you cannot unserialize complex objects for which you do not already have the definition declared, because opening arbitrary mystery meat objects is definitely something you should be doing.