While WordPress still supports PHP5, the PHP project continues to evolve. PHP 7.2 was recently released, and while it is not a huge update like PHP 7.0 was, there are some interesting new features and some important deprecations you should be aware of.
In this article, I will share some important highlights of what is new, and what to look out for when you update your sites and code to PHP 7.2. If you’re still on PHP 5.6 or PHP 7.0, you will want to do so before the end of the year, when security support for both ends.
Improved Performance
We’ve been hearing since PHP7 came out about how much faster it is than PHP5. PHP7 tends to run WordPress 200 to 500 percent faster than PHP5.
We know moving away from PHP5 makes sense for performance reasons; it’s a no-brainer. But are there any improvements in performance when upgrading from an older version of PHP7 to the latest? Yes, there are. Initial tests on PHP 7.2 alpha showed 18-22 percent improvements in performance vs PHP 7.1.
Cryptography
PHP is the first programming language to have a full-featured cryptography system included in its standard library. This is a really big deal. Encryption and security, in general, are becoming more and more important. As data breaches become more common and their impacts increase, we need to take great care to secure the information we entrust to our databases, especially when it is sensitive personal information.
Cryptography is not easy and is best left to specialists. Having a standard toolset should make it easier for us to do cryptography right. The PHP extension Libsodium has become that standard and is now being added to PHP itself. Having this as part of PHP has already led to increased scrutiny of the code, which is what you want with an encryption library, and will lead to more.
Libsodium is fairly easy to use, yet very powerful. Here is a simple example, adapted from the documentation for Libsodium:

<?php
// Random secret key and nonce, sized with the constants secretbox defines.
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

// Encrypt and authenticate the message.
$ciphertext = sodium_crypto_secretbox("Hi Roy", $nonce, $key);

// Decryption returns false if the ciphertext fails authentication.
$plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
if ($plaintext === false) {
    throw new Exception("Bad ciphertext");
}
echo $plaintext; // "Hi Roy"
Yes, there are PHP packages that provide encryption and decryption. But, a standard library function will beat that on performance.
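The snippet above keeps the nonce in a variable, but data written to a database has to carry its nonce with it. The following added example (not from the article or the Libsodium documentation) stores the nonce in front of the ciphertext and rejects modified data; the helper names encrypt_field() and decrypt_field() are hypothetical and PHP 7.2 or later is assumed.

```php
<?php
// Added example: secretbox for a stored field. Helper names are hypothetical.

function encrypt_field(string $plaintext, string $key): string
{
    // A fresh random nonce per message. It is not secret, so it is stored
    // in front of the ciphertext and recovered at decryption time.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ciphertext);
}

function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        // Wrong key, or the stored value was changed after encryption.
        throw new RuntimeException('Authentication failed');
    }
    return $plaintext;
}

// Constructed sample: a throwaway key. A real key is loaded from a secret
// store, never generated per request.
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
$stored = encrypt_field('Hi Roy', $key);
echo decrypt_field($stored, $key), PHP_EOL;

// Flip one bit of the stored value: decryption must refuse it.
$raw = base64_decode($stored, true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);
try {
    decrypt_field(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// Wipe the key from memory once it is no longer needed.
sodium_memzero($key);
```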
Deprecations To Be Aware Of
PHP 7.2 has deprecated a few functions. You can read the details here, but there are two changes that caught my eye in regards to WordPress.
First, the function create_function() has been deprecated. This function is pretty useless in modern PHP. It does something similar to what a closure does, creates a function without a name that is limited in its use, but with a lot less power and increased security concerns.
Using create_function() when you can use an anonymous function instead, which we’ve had since 2009, doesn’t make much sense. If you’re maintaining a public theme or plugin that supports PHP 5.2 because WordPress does, and you are using this function, you might want to move to something like this to avoid deprecation warnings:

<?php
// Closure syntax does not parse on PHP < 5.3, so for 5.2 the else branch
// has to sit in a separately included file.
if ( ! version_compare( PHP_VERSION, '5.3.0', '>=' ) ) {
    $value = create_function( $args, $function );
} else {
    // Here $function must be a callable, not a string of PHP code.
    $value = function() use ( $args, $function ) {
        return $function( $args );
    };
}
The other one to look out for is that __autoload() has been deprecated. I do see this used sometimes in WordPress code. The better autoload function spl_autoload_register() supports PHP 5.1 or later, and so there is no reason not to use spl_autoload_register() instead.
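Both deprecations side by side with their replacements, as an added example that is not from the original article. The App\ namespace, the src/ directory, the sort_rows_by() helper and the sample rows are assumptions, and PHP 7.1 or later is assumed for the type declarations.

```php
<?php
// Added example. App\, src/ and sort_rows_by() are hypothetical names.

// Before (deprecated in PHP 7.2): the body is a string that PHP compiles at
// run time, so $field becomes part of the source code being evaluated.
//   usort($rows, create_function('$a,$b',
//       "return strcmp(\$a['$field'], \$b['$field']);"));

// After: the closure captures $field as data; nothing is compiled from a string.
function sort_rows_by(array $rows, string $field): array
{
    usort($rows, function (array $a, array $b) use ($field) {
        return strcmp((string) ($a[$field] ?? ''), (string) ($b[$field] ?? ''));
    });
    return $rows;
}

// Constructed sample data.
$rows = [['name' => 'mallory'], ['name' => 'alice'], ['name' => 'bob']];
echo implode(', ', array_column(sort_rows_by($rows, 'name'), 'name')), PHP_EOL;

// Before (deprecated in PHP 7.2): a single global hook that only one
// library in the process can define.
//   function __autoload($class) { require 'src/' . $class . '.php'; }

// After: a registered loader that coexists with other loaders and only
// maps well-formed class names under its own namespace to files.
spl_autoload_register(function (string $class): void {
    $prefix = 'App\\';
    if (strncmp($class, $prefix, strlen($prefix)) !== 0) {
        return; // not ours; let the next registered loader try
    }
    $relative = substr($class, strlen($prefix));
    // Accept only identifier segments separated by backslashes, so the
    // class name can never walk out of src/.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/', $relative)) {
        return;
    }
    $file = __DIR__ . '/src/' . str_replace('\\', '/', $relative) . '.php';
    if (is_file($file)) {
        require $file;
    }
});

// No such file exists here, so the loader returns quietly instead of failing.
var_dump(class_exists('App\\Missing'));
```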
Also, beware of how PHP is changing its behavior in regards to unquoted strings that are not defined constants. In the past, PHP raised a notice. Now a warning will be raised that informs you that PHP8 will cause an error. I think this change is good and reflects a transition away from the more mistake-friendly PHP of the past that did its best to just keep compiling, no matter what, to a less forgiving, but higher performance tool.
Other Small Things
PHP7 improved type hinting by adding scalar type hints. Also, return types for functions were added. This is a great improvement and makes interfaces a lot more explicit in what they do.
This new version of PHP adds a generic object type hint and return type. Any object will pass this test. I don’t love this feature. It makes sense since other basic types are supported. I just feel like you should be a little bit more specific. Which is fine, if it’s a stdClass object. But there was already a type hint for that.
Speaking of not in love. You can now put a comma after the last function argument. This could make for cleaner git diffs if you always put arguments on their own line.
The small thing that I am actually really happy about is a change in how closely the signature of a method overriding a method of its parent class must match.
This makes it easier to extend classes from other libraries that were written with older versions of PHP in mind. It fixes problems I’ve run into before, where I had to make some compromises that didn’t help my code in order to resolve them.
Not Huge, But Better And More Secure
PHP 7.2 is an improvement, but not groundbreaking. That said, having encryption as part of the standard library in PHP is pretty exciting. As PHP7 evolves, we as developers get more interesting tools to work with, and the reasons for ending PHP5 support in WordPress grow.