PHP has announced the availability of a third Release Candidate (RC3) for PHP 7.2.0. Currently, PHP 7.2.0 is in a development preview stage but is set to be released on November 30, 2017. With the prospect of a new PHP version on the horizon, you may be one of the many users who are wondering: Should I update? What benefits does this version offer? Is my site ready for the update?
Before reading too much further, it’s important to note that 7.2.0 is a minor PHP release, which offers smaller tweaks and improvements. Larger releases include PHP 7.0, which is quickly becoming widely adopted due to the speed gains it offers. Roughly 13 percent of WordPress users are using PHP 7 currently, while over 40 percent of users are still using version 5.6.
Keep in mind: WordPress has officially updated their System Requirements page to strongly recommend PHP 7 at a minimum.
In this article, we will review new features and deprecated functions so you can be prepared when PHP 7.2.0 is released to the public.
Core Changes
With PHP 7.2.0, there are a few more major changes to PHP core code to be aware of:
Type Annotation Changes
It is now possible to remove argument type annotations when overriding an inherited method – This allows developers to both drop a type from a subclass entirely, and also to add types to a method of a class without breaking the class. This change is useful for developers who need to add a new type when other classes extend that class. Before, these new types would potentially break the classes extending the original class as the method signature would then mismatch in instances where the new types were used.
The “object” type annotation is now supported – PHP core now allows developers to declare “object” as the expected type of an argument or of a return value. As a result, “object” is now a reserved class name. Below is an example of code from PHP where the “object” parameter type is expected:
    <?php
    class MyObject {} // placeholder class so the example runs

    function acceptsObject(object $obj) { /* ... */ }

    // This code can be statically analyzed to be correct
    acceptsObject(json_decode('{}'));

    // This code can be statically analyzed to be correct
    acceptsObject(new \MyObject());

    // This can be statically analysed to contain an error,
    // and would throw a TypeError at runtime.
    acceptsObject("Ceci n'est pas une object.");
Widened Support
It is now allowed to override an abstract method with another abstract method in a child class – This is a pretty minute change as there are very few uses for it, but essentially this change allows for the extension of one abstract method with another abstract method. PHP provides the following example:
    <?php
    abstract class A           { abstract function bar(stdClass $x);  }
    abstract class B extends A { abstract function bar($x): stdClass; }
    class C extends B          { function bar($x): stdClass {} }

    // Before PHP 7.2 this failed with:
    // Fatal error: Can't inherit abstract function A::bar()
    // (previously declared abstract in B)
Previously, declaring class C extends B was unsupported because A is already abstract, and C extends an abstract class (B) which itself extends another abstract class (A). With PHP 7.2.0, this is supported.
A trailing comma in group use statements is now allowed – This simply extends the support of trailing commas from arrays to now be supported in all list types. Since arrays have long had the ability to divide lists using commas, this change was to make lists of all types more intuitive. In the following example from PHP, a class member list would support using commas as a divider like so:
    const
        A = 1010,
        B = 1021,
        C = 1032,
        D = 1043,
    ;
Security Changes
PHP 7.2.0 also involves some neat security improvements, most of which center around new libraries for encryption and passwords.
The Sodium crypto-library has been added to PHP core. Sodium is a cryptographic library for encryption and decryption methods. Libsodium offers cross-platform compatibility, password hashing, generation of random numbers and hashes, and many options for encrypting data, whether it is stored in memory or not. See their FAQ for more information about coding with libsodium.
PHP has also been updated to support Argon2i hashes for passwords when compiled with libargon2. This introduction is a more secure alternative to Bcrypt hashing. The PASSWORD_ARGON2I constant has been introduced for use with password functions as a result of this change, and several cost factors can be set as constraints: Memory, Time, and Threads. By contrast, Bcrypt only accepted one cost factor.
Mcrypt (a file encryption tool using the libmcrypt library) is deprecated as an extension and has been moved to PECL. Users are strongly discouraged from using this extension as it has not been actively maintained since 2007. OpenSSL or libsodium are acceptable alternatives.
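As an added example (not code from the original article or from the PHP project), the following shows authenticated symmetric encryption with the bundled Sodium extension, the kind of code that would replace an mcrypt call. The function names sealMessage and openMessage and the sample message are hypothetical.

```php
<?php
// Added example: secret-key authenticated encryption with ext/sodium (PHP 7.2+).
// sealMessage()/openMessage() are hypothetical helper names.

function sealMessage(string $plaintext, string $key): string
{
    // Fresh random nonce per message; it is not secret and travels with the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function openMessage(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $minLength = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLength) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Returns false when the authentication tag does not match.
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Authentication failed: wrong key or modified data');
    }
    return $plain;
}

$key   = sodium_crypto_secretbox_keygen();   // 32 random bytes; keep outside the web root
$token = sealMessage('constructed sample: user_id=42', $key);
echo openMessage($token, $key), PHP_EOL;

// secretbox authenticates the ciphertext, so a single flipped bit is rejected.
$tampered = base64_decode($token);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);
try {
    openMessage(base64_encode($tampered), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

sodium_memzero($key);   // wipe the key from memory once it is no longer needed
```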
New Global Constants
New global constants have been added within PHP 7.2.0, many of which relate to new extensions or features.
Core
PHP_FLOAT_DIG – The number of decimal digits that can be rounded into a float and back without precision loss
PHP_FLOAT_EPSILON – The smallest representable positive number x, such that x + 1.0 != 1.0
PHP_FLOAT_MIN – The minimum representable float number
PHP_FLOAT_MAX – The maximum representable float number
The above constants relate to the concept of floating point numbers, otherwise known as floats, doubles, or real numbers. These changes come because the pack() and unpack() functions now support float and double in both little and big endian in this release.
PHP_OS_FAMILY – The current operating system family
Filesystem
FILEINFO_EXTENSION – This constant defines a list of possible file extensions
GD
IMG_EFFECT_MULTIPLY – Overlays with a “multiply” effect.
IMG_BMP – Allows for .bmp (bitmap) file formats to be defined
PCRE
PREG_UNMATCHED_AS_NULL – Distinguish between unmatched subpatterns and empty matches by reporting NULL and “” (empty string), respectively.
Standard
PASSWORD_ARGON2_DEFAULT_MEMORY_COST – Defines the number of KiB that should be consumed or used in the hashing process
PASSWORD_ARGON2_DEFAULT_TIME_COST – Defines the number of iterations the hashing algorithm should take
PASSWORD_ARGON2_DEFAULT_THREADS – Defines the number of parallel threads the hashing algorithm should use in the hashing process
PASSWORD_ARGON2I – password_hash() can be set to the PASSWORD_ARGON2I algorithm to generate Argon2i hashes.
The new constants above relate to the addition of the Argon2i hashes in this PHP release. They are used as “cost factors” which allow constraints around usage. See the Security Changes section above for more information.
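The Argon2i constants listed above, used in an added example that is not part of the original article: it hashes with PASSWORD_ARGON2I and upgrades an existing bcrypt hash at the next successful login. The function name verifyAndUpgrade and the sample password are hypothetical, and the code assumes PHP 7.2 or later compiled with libargon2.

```php
<?php
// Added example: Argon2i hashing with explicit cost factors, plus an
// upgrade path for accounts whose stored hash is still bcrypt.

// The three cost factors; these are PHP's defaults, to be tuned per server.
const ARGON_OPTIONS = [
    'memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST, // KiB
    'time_cost'   => PASSWORD_ARGON2_DEFAULT_TIME_COST,   // iterations
    'threads'     => PASSWORD_ARGON2_DEFAULT_THREADS,     // parallel threads
];

/**
 * Check a login attempt. Returns the hash that should be stored afterwards,
 * or null when the password is wrong. verifyAndUpgrade() is a hypothetical name.
 */
function verifyAndUpgrade(string $password, string $storedHash): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    // True for bcrypt hashes and for Argon2i hashes made with other cost factors.
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2I, ARGON_OPTIONS)) {
        return password_hash($password, PASSWORD_ARGON2I, ARGON_OPTIONS);
    }
    return $storedHash;
}

// Constructed sample: an account created before the upgrade, hashed with bcrypt.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

$upgraded = verifyAndUpgrade('correct horse battery staple', $legacy);
echo password_get_info($legacy)['algoName'], ' -> ',
     password_get_info($upgraded)['algoName'], PHP_EOL;

// A wrong password never triggers a rehash.
var_dump(verifyAndUpgrade('wrong password', $legacy));
```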
Deprecated Functions
With PHP 7.2.0 there are a few functions to be fully deprecated as well. If you want to use PHP 7.2.0 on your sites, you should search through PHP code in your plugins and theme to ensure none of these deprecated functions are called:
Core
__autoload – as of PHP 5.1, this function has been replaced by spl_autoload_register. The newer spl_autoload_register function allows for multiple autoloaded functions and will loop through these functions in whatever order they are defined in the code.
$php_errormsg – The $php_errormsg variable is intended to be used whenever a non-fatal error is produced and track_errors is enabled. It has been deprecated in favor of error_get_last and error_clear_last, which offer a cleaner way of printing these errors and cover all use cases.
create_function() – In most cases, create_function() is used as a wrapper for eval(), which is a known security concern. Additionally, create_function() tends to have poor performance implications. Closures, which were introduced in PHP 5.3, are highly preferable.
(unset) cast – The (unset) cast will change a value to null. In truth (unset) expr just always returns null. However, the existence of this cast is confusing for developers as it doesn’t function the same as unset().
each() – The foreach() construct is highly preferable to the use of each() in coding, as the newer foreach() construct is about ten times faster. A deprecation notice will appear on the first iteration of each() only, since it is used most often in loops.
$errcontext argument of error handler – The last argument of set_error_handler() was “$errcontext” which provided the variables present when the error happened. Using an object debugger is preferable. Currently this argument does not trigger a deprecation warning.
EXIF
read_exif_data() alias – Has been deprecated. Use the exif_read_data() function instead.
GD
png2wbmp() and jpeg2wbmp() – Both functions have been deprecated, as WBMP file formats are no longer commonly used. Most mobile devices are fully capable of handling full-color images and videos.
GMP
gmp_random() – The gmp_random_bits function generates a random number between 0 and (2 ** bits) – 1 and the gmp_random_range function generates a random number between the set min and max. Together, these two functions replace the gmp_random() function which had to guess at the proper limb size and had platform incompatibilities.
Intl
INTL_IDNA_VARIANT_2003 – Deprecated in favor of INTL_IDNA_VARIANT_UTS46. Used for the variant parameter in the idn_to_utf8() function, which converts domain names from IDNA ASCII to Unicode.
Mbstring
mbstring.func_overload – This ini setting was originally introduced to replace the standard string functions with their mbstring analogs, for instance returning values in code points rather than bytes. It is highly incompatible with almost all other code and the original creator has agreed it should be deprecated.
Standard
parse_str() without second argument – When a second argument is present, parse_str() translates a query string into an array. The deprecated functionality is what previously happened when a second argument was not present: the first (only) argument was parsed into the local symbol table. This was left over from very old register_globals functionality and has been deprecated.
assert() with string argument – Because the default functionality of assert() with a string argument is to run the string through eval(), using assert() with a string argument has now been deprecated. There is now an option to enable the zend.assertions ini option instead of evaluating the assertion expression.
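One way to carry out the search through plugin and theme code recommended at the start of this section, as an added example that is not part of the original article: a scanner that walks PHP's token stream instead of matching text. The function name findDeprecated and the sample source are constructed for illustration.

```php
<?php
// Added example: flag constructs deprecated in PHP 7.2 by walking the token
// stream, so mentions inside comments and strings never match.
const DEPRECATED_CALLS = ['create_function', 'each', 'read_exif_data',
                          'png2wbmp', 'jpeg2wbmp', 'gmp_random'];

function findDeprecated(string $source): array   // hypothetical helper name
{
    $skip = ['T_WHITESPACE', 'T_COMMENT', 'T_DOC_COMMENT'];
    $tokens = [];   // significant tokens as [type, text, line]
    foreach (token_get_all($source) as $t) {
        if (!is_array($t)) {
            $tokens[] = [$t, $t, 0];             // single character such as "("
        } elseif (!in_array(token_name($t[0]), $skip, true)) {
            $tokens[] = [token_name($t[0]), $t[1], $t[2]];
        }
    }
    $hits = [];
    foreach ($tokens as $i => [$type, $text, $line]) {
        $prev = $tokens[$i - 1][0] ?? '';
        $next = $tokens[$i + 1][1] ?? '';
        $name = strtolower(ltrim($text, '\\'));
        if ($type === 'T_VARIABLE' && $text === '$php_errormsg') {
            $hits[] = "line $line: \$php_errormsg";
        } elseif ($type === 'T_UNSET_CAST') {
            $hits[] = "line $line: (unset) cast";
        } elseif (!in_array($type, ['T_STRING', 'T_NAME_FULLY_QUALIFIED'], true) || $next !== '(') {
            continue;                            // not a function-style name
        } elseif ($prev === 'T_FUNCTION') {
            if ($name === '__autoload') {
                $hits[] = "line $line: __autoload() declaration";
            }
        } elseif (in_array($name, DEPRECATED_CALLS, true)
            && !in_array($prev, ['T_OBJECT_OPERATOR', 'T_DOUBLE_COLON', 'T_NEW'], true)) {
            $hits[] = "line $line: $name()";     // plain call, not a method
        }
    }
    return $hits;
}

// Constructed sample; in practice pass file_get_contents() of each plugin or theme file.
$sample = <<<'PHP'
<?php
// create_function() mentioned in a comment is ignored
$cb = create_function('$a', 'return $a * 2;');
while (list($k, $v) = each($items)) { echo $php_errormsg; }
$collection->each(function ($x) {});
PHP;
print_r(findDeprecated($sample));
```

The scanner does not cover deprecations that depend on argument count or type, such as one-argument parse_str() or assert() with a string, nor ini settings like mbstring.func_overload; those still need a manual review.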
What is your favorite feature of the new update? Let us know in the comments below.