PHP 7.1 UPGRADE NOTES 1. Backward Incompatible Changes 2. New Features 3. Changes in SAPI modules 4. Deprecated Functionality 5. Changed Functions 6. New Functions 7. New Classes and Interfaces 8. Removed Extensions and SAPIs 9. Other Changes to Extensions 10. New Global Constants 11. Changes to INI File Handling 12. Windows Support 13. Other Changes ======================================== 1. Backward Incompatible Changes ======================================== - Core: . 'void' can no longer be used as the name of a class, interface, or trait. This applies to declarations, class_alias() and use statements. . 'iterable' can no longer be used as the name of a class, interface, or trait. This applies to declarations, class_alias() and use statements. (RFC: https://wiki.php.net/rfc/iterable) . (int), intval() where $base is 10 or unspecified, settype(), decbin(), decoct(), dechex(), integer operators and other conversions now always respect scientific notation in numeric strings. (RFC: https://wiki.php.net/rfc/invalid_strings_in_arithmetic) . The ASCII 0x7F Delete control character is no longer permitted in unquoted identifiers in source code. . The following functions may no longer be called dynamically using $func(), call_user_func(), array_map() or similar: . extract() . compact() . get_defined_vars() . func_get_args() . func_get_arg() . func_num_args() . parse_str() with one argument . mb_parse_str() with one argument . assert() with a string argument (RFC: https://wiki.php.net/rfc/forbid_dynamic_scope_introspection) . If the error_log is set to syslog, the PHP error levels are mapped to the syslog error levels. This brings finer differentiation in the error logs in contrary to the previous approach where all the errors are loggged with the notice level only. . Don't call destructors of incompletely constructed objects, even if they are kept referenced. See bug #29368 and Zend/tests/bug29368_1.phpt. . call_user_func() will now consistently throw a warning if a function with reference arguments is called. However, call_user_func() will no longer abort the call in this case. . rand() and srand() are now aliases of mt_rand() and mt_srand(). Consequently the output of the following functions has changed: . rand() . shuffle() . str_shuffle() . array_rand() . Fixes to random number generators mean that mt_rand() now produces a different sequence of outputs to previous versions. If you relied on mt_srand() to produce a deterministic sequence, it can be called using mt_srand($seed, MT_RAND_PHP) to produce the old sequences. . URL rewriter has been improved. . Use dedicated buffer for Session module rewrite and User rewrite. . Full path URL rewrite is supported. Allowed domain can be specified. $_SERVER['HTTP_HOST'] is allowed by default when host whitelist is empty. . Use session.trans_sid_tags and session.trans_sid_hosts to control session rewrite. . Use url_rewriter.tags and url_rewriter.hosts to control user rewrite. .
's "action" attribute is used to check if URL rewrite is allowed and listed under hosts whitelist. .
is no longer considered as a special tag. is the only tag considered special. . Calling a function with less arguments than mandatory declared ones in signature now issues a Fatal Error (Error Exception) instead of a Warning. (RFC https://wiki.php.net/rfc/too_few_args). . The error message for E_RECOVERABLE errors has been changed from "Catchable fatal error" to "Recoverable fatal error". . The empty index operator (e.g. $str[] = $x) is not supported for strings anymore, and throws a fatal error instead of silently converting to array. . Array elements or object properties that are automatically created during by-reference assignments will now result in a different order. For example $array = []; $array["a"] =& $array["b"]; $array["b"] = 1; var_dump($array); now results in the array ["b" => 1, "a" => 1], while for PHP 7.0 the result was ["a" => 1, "b" => 1]. . The allowed_classes element of the $options parameter of unserialize() is now strictly typed, i.e. if anything other than an array or a boolean is given, unserialize() returns FALSE and issues an E_WARNING. . $this, autoglobals, and variables with the same name as a parameter can no longer be bound to a closure via the use construct. - JSON: . The serialize_precision is used instead of precision when encoding double values. . An empty key is decoded as an empty property name instead of using _empty_ property name when decoding object to stdClass. . When calling json_encode with JSON_UNESCAPED_UNICODE option, U+2028 and U+2029 are escaped. - mbstring: . mb_ereg() and mb_eregi() will now set the $regs argument to an empty array, if nothing matched. Formerly, $regs was not modified in that case. - OpenSSL: . Dropped sslv2 stream. - Session: . Session ID is generated from CSPRNG directly. As a result, Session ID length could be any length between 22 and 256. Note: Max size of session ID depends on save handler you are using. . Following INIs are removed . session.hash_function . session.hash_bits_per_character . session.entropy_file . session.entropy_length . New INIs and defaults . session.sid_length (Number of session ID characters - 22 to 256. php.ini-* default: 26 Compiled default: 32) . session.sid_bits_per_character (Bits used per character - 4 to 6. php.ini-* default: 5 Compiled default: 4) . Length of old session ID string is determined as follows . Used hash function's bits. . session.hash_function=0 - MD5 128 bits (This was default) . session.hash_function=1 - SHA1 160 bits . Bits per character. (4, 5 or 6 bits per character) . Examples MD5 and 4 bits = 32 chars, ceil(128/4)=32 MD5 and 5 bits = 26 chars, ceil(128/5)=26 MD5 and 6 bits = 22 chars, ceil(128/6)=22 SHA1 and 4 bits = 40 chars, ceil(160/4)=40 SHA1 and 5 bits = 32 chars, ceil(160/5)=32 SHA1 and 6 bits = 27 chars, ceil(160/6)=27 and so on. . session_start() returns FALSE and no longer initializes $_SESSION when it failed to start session. - Reflection: . The behavior of ReflectionMethod::invoke() and ::invokeArgs() has been aligned, which causes slightly different behavior than before for some pathological cases. - IMAP: Starting with 7.1.25, rsh/ssh logins are disabled by default. Use imap.enable_insecure_rsh if you want to enable them. Note that the IMAP library does not filter mailbox names before passing them to rsh/ssh command, thus passing untrusted data to this function with rsh/ssh enabled is insecure. ======================================== 2. New Features ======================================== - Core . Added void return type, which requires that a function not return a value. (RFC: https://wiki.php.net/rfc/void_return_type) . Added iterable pseudo-type accepting any array or object implementing Traversable. (RFC: https://wiki.php.net/rfc/iterable) . String offset access now supports negative references, which will be counted from the end of the string. (RFC: https://wiki.php.net/rfc/negative-string-offsets) . Added a form of the list() construct where keys can be specified. (RFC: https://wiki.php.net/rfc/list_keys) . Added [] = as alternative construct to list() =. (RFC: https://wiki.php.net/rfc/short_list_syntax) . Number operators taking numeric strings now emit "A non well formed numeric value encountered" E_NOTICEs for leading-numeric strings, and "A non-numeric value encountered" E_WARNINGs for non-numeric strings. This always applies to the +, -, *, /, **, %, << and >> operators, and their assignment counterparts +=, -=, *=, /=, **=, %=, <<= and >>=. For the bitwise operators |, & and ^, and their assignment counterparts |=, &= and ^=, this only applies where only one operand is a string. Note that this never applies to the bitwise NOT operator, ~, which does not handle numeric strings, nor to the increment and decrement operators ++ and --, which have a unique approach to handling numeric strings. (RFC: https://wiki.php.net/rfc/invalid_strings_in_arithmetic) . Closure::fromCallable (RFC: https://wiki.php.net/rfc/closurefromcallable) . Added support for class constant visibility modifiers. (RFC: https://wiki.php.net/rfc/class_const_visibility) . TypeError messages for arg_info type checks will now say "must be ... or null", or "must ... or be null" where the parameter or return type accepts null. arg_info type checks are used by all userland functions with type declarations, and some internal functions. Both nullable type declarations (?int) and parameters with default values of null (int $foo = NULL) are considered to "accept null" for this purpose. . The simple syntax for variable parsing inside of string literals now supports negative offsets. ======================================== 3. Changes in SAPI modules ======================================== - apache2handler: . Implemented per module logging. . Implemented error level mapping between PHP and Apache for the error logs. ======================================== 4. Deprecated Functionality ======================================== - 'e' option of mb_ereg_replace() and mb_eregi_replace(). - ext/mcrypt is now fully deprecated. ======================================== 5. Changed Functions ======================================== - get_headers() has an extra parameter which allows passing a custom stream context. - The first $varname argument for getenv() is no longer mandatory, the current environment variables will be returned as an associative array when omitted. - json_encode() accepts new option JSON_UNESCAPED_LINE_TERMINATORS that disables escaping of U+2028 and U+2029 characters when JSON_UNESCAPED_UNICODE is supplied. - long2ip() accepts integer as parameter now - openssl_encrypt and openssl_decrypt have extra parameters for handling authenticated encryption (tag, aad, tag_length) and decryption (tag, aad). - pg_last_notice() accepts optional long parameter to specify operation. PGSQL_NOTICE_LAST - Get last notice (Default) PGSQL_NOTICE_ALL - Get all stored notices PGSQL_NOTICE_CLEAR - Remove all stored notices It returns empty string or array on successful PGSQL_NOTICE_LAST/ALL calls. It returned FALSE for empty notice previously. - pg_fetch_all() accepts 2nd optional result type parameter like pg_fetch_row(). - pg_select() accepts 4th optional result type parameter like pg_fetch_row(). - parse_url() is more restrictive now and supports RFC3986. - unpack() accepts an additional optional $offset argument. '@' format code (that specifes an absolute position) is applyed to input data after the $offset argument. - strpos(), stripos(), substr_count(), grapheme_strpos(), grapheme_stripos(), grapheme_extract(), iconv_strpos(), mb_strimwidth(), mb_ereg_search_setpos(), mb_strpos() and mb_stripos() now accept negative string offsets. - substr_count() and mb_strimwidth() additionally also accept negative length. - file_get_contents() accepts a negative seek offset if the stream is seekable. - tempnam() throws a notice when failing back to the system temp dir. - getopt() has an extra by-ref parameter : optind - mb_ereg() and mb_ereg_replace() reject illegal byte sequences. - FILTER_FLAG_EMAIL_UNICODE can be used with filter_var() for email validation according to RFC 6531. - output_reset_rewrite_vars() no longer reset session URL rewrite vars. - the lasinsertid() in pdo_pgsql extension triggers an error, when no nextval() were called in in the current session. - fopen() Since 7.1.2, mode 'e' was added, which sets the close-on-exec flag on the opened file descriptor. This mode is only available in PHP compiled on POSIX.1-2008 conform systems. ======================================== 6. New Functions ======================================== - Core: . Added sapi_windows_cp_set(), sapi_windows_cp_get(), sapi_windows_cp_is_utf8(), sapi_windows_cp_conv() for codepage handling. - cURL: . Added curl_multi_errno() and curl_share_errno() to return the last error number of curl_multi and curl_share resources. . Added curl_share_strerror() to convert error code to error message text describing the error. - Hash: . In PHP 7.1.2: Added hash_hkdf() function, which implements the HMAC-based Key Derivation Function (HKDF) algorithm according to RFC 5869. The implementation combines the Extract and Expand steps. - pcntl: . Added pcntl_signal_get_handler() that returns the current signal handler for a particular signal. - Session: . Added session_gc() that performs session data garbage collection. https://wiki.php.net/rfc/session-gc . Added session_create_id() for creating custom session ID. https://wiki.php.net/rfc/session-create-id - Standard: . Added is_iterable() that determines if a value will be accepted by the new iterable pseudo-type. ======================================== 7. New Classes and Interfaces ======================================== ======================================== 8. Removed Extensions and SAPIs ======================================== ======================================== 9. Other Changes to Extensions ======================================== - Date: . Invalid serialization data for a DateTime or DatePeriod object will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error. . Timezone initialization failure from serialized data will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error. . DateTime and DateTimeImmutable now properly incorporate microseconds when constructed from the current time, either explicitly or with a relative string (e.g. "first day of next month"). This means that naive comparisons of two newly created instances will now more likely return FALSE instead of TRUE: new DateTime() == new DateTime(); - DBA: . Data modification functions (e.g.: dba_insert()) now throw an instance of Error instead of triggering a catchable fatal error if the key does not contain exactly two elements. - DOM: . Invalid schema or RelaxNG validation contexts will throw an instance of Error instead of resulting in a fatal error. . Attempting to register a node class that does not extend the appropriate base class will now throw an instance of Error instead of resulting in a fatal error. . Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error. - GD: . Changed the default of the ini setting gd.jpeg_ignore_warning to 1. - IMAP: . An email address longer than 16385 bytes will throw an instance of Error instead of resulting in a fatal error. - Intl: . Failure to call the parent constructor in a class extending Collator before invoking the parent methods will throw an instance of Error instead of resulting in a recoverable fatal error. . Cloning a Transliterator object may will now throw an instance of Error instead of resulting in a fatal error if cloning the internal transliterator fails. - LDAP: . Providing an unknown modification type to ldap_batch_modify() will now throw an instance of Error instead of resulting in a fatal error. - Mbstring: . mb_ereg() and mb_eregi() will now throw an instance of ParseError if an invalid PHP expression is provided and the 'e' option is used. - Mcrypt: . mcrypt_encrypt() and mcrypt_decrypt() will throw an instance of Error instead of resulting in a fatal error if mcrypt cannot be initialized. - Mysqli: . Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error. - PDO_Firebird As of PHP 7.1.2, the fetched data for integer fields is aware of the Firebird datatypes. Previously all integers was fetched as strings, starting with aforementioned PHP version integer fields are translated to the PHP integer datatype. The 64-bit integers are still fetched as strings in 32-bit PHP builds. - Reflection: . Failure to retrieve a reflection object or retrieve an object property will now throw an instance of Error instead of resulting in a fatal error. - Session: . Custom session handlers that do not return strings for session IDs will now throw an instance of Error instead of resulting in a fatal error when a function is called that must generate a session ID. . Only CSPRNG is used to generate session ID. - SimpleXML: . Creating an unnamed or duplicate attribute will throw an instance of Error instead of resulting in a fatal error. - SPL: . Attempting to clone an SplDirectory object will throw an instance of Error instead of resulting in a fatal error. . Calling ArrayIterator::append() when iterating over an object will throw an instance of Error instead of resulting in a fatal error. - SQLite3: . Upgraded bundled SQLite lib to 3.13.0 - Standard: . assert() will throw a ParseError when evaluating a string given as the first argument if the PHP code is invalid instead of resulting in a catchable fatal error. . Calling forward_static_call() outside of a class scope will now throw an instance of Error instead of resulting in a fatal error. - Tidy: . Creating a tidyNode manually will now throw an instance of Error instead of resulting in a fatal error. - WDDX: . A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error. - XML-RPC: . A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error. - Zip: . ZipArchive::addGlob() will throw an instance of Error instead of resulting in a fatal error if glob support is not available. ======================================== 10. New Global Constants ======================================== - Core: . PHP_FD_SETSIZE - JSON: . JSON_UNESCAPED_LINE_TERMINATORS - Pgsql: PGSQL_NOTICE_LAST PGSQL_NOTICE_ALL PGSQL_NOTICE_CLEAR - Standard: . IMAGETYPE_WEBP ======================================== 11. Changes to INI File Handling ======================================== - serialize_precision . If the value is set to -1, then the dtoa mode 0 is used. The value -1 is now used by default. - precision . If the value is set to -1, then the dtoa mode 0 is used. No changes in default value which is still 14. - realpath_cache_size . Set to 4096k by default ======================================== 12. Windows Support ======================================== - Core: . Support for long and UTF-8 path; If a web application is UTF-8 conform, no further action is required. For applications depending on paths in non UTF-8 encodings for I/O, an explicit INI directive has to be set. The encoding INI settings check relies on the order in the core: - internal_encoding - default_charset - zend.multibyte Several functions for codepage handling were itroduced: - sapi_windows_cp_set() to set the default codepage - sapi_windows_cp_get() to retrieve the current codepage - sapi_windows_cp_is_utf8() - sapi_windows_cp_conv() to convert between codepages, using iconv() compatible signature These functions are thread safe. The console output codepage is adjusted depending on the encoding used in PHP. Depending on the concrete system OEM codepage, the visible output might or might be not correct. For example, in the default cmd.exe and on a system with the OEM codepage 437, outputs in codepages 1251, 1252, 1253 and some others can be shown correctly when using UTF-8. On the same system, chars in codepage like 20932 probably won't be shown correctly. This refers to the particular system rules for codepage, font compatibility and the particular console program used. PHP automatically sets the console codepage according to the encoding rules from php.ini. Using alternative consoles instead of cmd.exe directly might bring better experience in some cases. Nevertheless be aware, runtime codepage switch after the request start might bring unexpected side effects on CLI. The preferrable way is php.ini, When PHP CLI is used in a console emulator, that doesn't support Unicode, it might possibly be required, to avoid changing the console codepage. The best way to achieve it is by setting the default or internal encoding to correspond the ANSI codepage. Another method is to set the INI directives output_encoding and input_encoding to the required codepage, in which case however the difference between internal and I/O codepage is likely to cause mojibake. In rare cases, if PHP happens to crash gracefully, the original console codepage might be not restored. In this case, the chcp command can be used, to restore it manually. Special awareness for the DBCS systems - the codepage switch on runtime using ini_set() is likely to cause display issues. The difference to the non DBCS systems is, that the extended characters require two console cells to be displayed. In certain case, only the mapping of the characters into the glyph set of the font could happen, no actual font change. This is the nature of DBCS systems, the most simple way to prevent display issues is to avoid usage of ini_set() for the codepage change. As a result of UTF-8 support in the streams, PHP scripts are not limited to ASCII or ANSI filenames anymore. This is supported out of the box on CLI. For other SAPI, the documentation for the corresponding server is useful. Long paths support is transparent. Paths longer than 260 bytes get automatically prefixed with \\?\. The max path length is limited to 2048 bytes. Be aware, that the path segment limit (basename length) still persists. For the best portability, it is strongely recommended to handle filenames, I/O and other related topics UTF-8. Additionally, for the console applications, the usage of a TrueType font is preferrable and the usage of ini_set() for the codepage change is discouraged. . Support for ftok() - FCGI . PHP_FCGI_CHILDREN is respected. If this environment variable is defined, the first php-fcgi.exe process will exec the specified number of children. Those will share the same TCP socket. - readline: . The readline extension is supported through the WinEditLine library (http://mingweditline.sourceforge.net/). Thereby, the interactive CLI shell is supported as well (php.exe -a). It is well known, but nevertheless is worth mentioning again, that the readline extension is not thread safe and will never be. Thus, the usage of it with any true thread safe SAPI (like Apache mod_winnt) is strongely discouraged. ======================================== 13. Other Changes ========================================