PHP 7.1 UPGRADE NOTES

1. Backward Incompatible Changes
2. New Features
3. Changes in SAPI modules
4. Deprecated Functionality
5. Changed Functions
6. New Functions
7. New Classes and Interfaces
8. Removed Extensions and SAPIs
9. Other Changes to Extensions
10. New Global Constants
11. Changes to INI File Handling
12. Windows Support
13. Other Changes


========================================
1. Backward Incompatible Changes
========================================

- Core:
  . 'void' can no longer be used as the name of a class, interface, or trait.
    This applies to declarations, class_alias() and use statements.
  . 'iterable' can no longer be used as the name of a class, interface, or
    trait. This applies to declarations, class_alias() and use statements.
    (RFC: https://wiki.php.net/rfc/iterable)
  . (int), intval() where $base is 10 or unspecified, settype(), decbin(),
    decoct(), dechex(), integer operators and other conversions now always
    respect scientific notation in numeric strings.
    (RFC: https://wiki.php.net/rfc/invalid_strings_in_arithmetic)
  . The ASCII 0x7F Delete control character is no longer permitted in unquoted
    identifiers in source code.
  . The following functions may no longer be called dynamically using $func(),
    call_user_func(), array_map() or similar:
    . extract()
    . compact()
    . get_defined_vars()
    . func_get_args()
    . func_get_arg()
    . func_num_args()
    . parse_str() with one argument
    . mb_parse_str() with one argument
    . assert() with a string argument
    (RFC: https://wiki.php.net/rfc/forbid_dynamic_scope_introspection)
  . If the error_log is set to syslog, the PHP error levels are mapped to the
    syslog error levels. This brings finer differentiation in the error logs,
    in contrast to the previous approach where all errors were logged at
    the notice level only.
  . Destructors of incompletely constructed objects are no longer called, even
    if the objects are kept referenced. See bug #29368 and
    Zend/tests/bug29368_1.phpt.
  . call_user_func() will now consistently throw a warning if a function with
    reference arguments is called. However, call_user_func() will no longer
    abort the call in this case.
  . rand() and srand() are now aliases of mt_rand() and mt_srand().
    Consequently the output of the following functions has changed:
    . rand()
    . shuffle()
    . str_shuffle()
    . array_rand()
  . Fixes to random number generators mean that mt_rand() now produces a
    different sequence of outputs to previous versions. If you relied on
    mt_srand() to produce a deterministic sequence, it can be called using
    mt_srand($seed, MT_RAND_PHP) to produce the old sequences.
  . URL rewriter has been improved.
    . Use dedicated buffer for Session module rewrite and User rewrite.
    . Full path URL rewrite is supported. Allowed domain can be specified.
      $_SERVER['HTTP_HOST'] is allowed by default when host whitelist is empty.
    . Use session.trans_sid_tags and session.trans_sid_hosts to control
      session rewrite.
    . Use url_rewriter.tags and url_rewriter.hosts to control user rewrite.
    . <form>'s "action" attribute is used to check if URL rewrite is allowed
      and listed under hosts whitelist.
    . <fieldset> is no longer considered as a special tag. <form> is the
      only tag considered special.
  . Calling a function with fewer arguments than the mandatory ones declared
    in its signature now issues a Fatal Error (Error Exception) instead of a
    Warning.
    (RFC https://wiki.php.net/rfc/too_few_args).
  . The error message for E_RECOVERABLE errors has been changed from "Catchable
    fatal error" to "Recoverable fatal error".
  . The empty index operator (e.g. $str[] = $x) is not supported for strings
    anymore, and throws a fatal error instead of silently converting to array.
  . Array elements or object properties that are automatically created during
    by-reference assignments will now result in a different order. For example

      $array = [];
      $array["a"] =& $array["b"];
      $array["b"] = 1;
      var_dump($array);

    now results in the array ["b" => 1, "a" => 1], while for PHP 7.0 the result
    was ["a" => 1, "b" => 1].
  . The allowed_classes element of the $options parameter of unserialize() is
    now strictly typed, i.e. if anything other than an array or a boolean is
    given, unserialize() returns FALSE and issues an E_WARNING.
  . $this, autoglobals, and variables with the same name as a parameter can no
    longer be bound to a closure via the use construct.

- JSON:
  . The serialize_precision is used instead of precision when encoding double
    values.
  . An empty key is decoded as an empty property name instead of using _empty_
    property name when decoding object to stdClass.
  . When calling json_encode with JSON_UNESCAPED_UNICODE option, U+2028 and
    U+2029 are escaped.

- mbstring:
  . mb_ereg() and mb_eregi() will now set the $regs argument to an empty array,
    if nothing matched. Formerly, $regs was not modified in that case.

- OpenSSL:
  . Dropped sslv2 stream.

- Session:
  . The session ID is now generated directly from a CSPRNG. As a result, the
    session ID length can be anything between 22 and 256. Note: the maximum
    session ID size depends on the save handler you are using.
  . The following INIs are removed
    . session.hash_function
    . session.hash_bits_per_character
    . session.entropy_file
    . session.entropy_length
  . New INIs and defaults
    . session.sid_length (Number of session ID characters - 22 to 256.
      php.ini-* default: 26, compiled default: 32)
    . session.sid_bits_per_character (Bits used per character - 4 to 6.
      php.ini-* default: 5, compiled default: 4)
  . Length of old session ID string is determined as follows
    . Used hash function's bits.
      . session.hash_function=0 - MD5 128 bits (This was default)
      . session.hash_function=1 - SHA1 160 bits
    . Bits per character. (4, 5 or 6 bits per character)
    . Examples
      MD5 and 4 bits = 32 chars, ceil(128/4)=32
      MD5 and 5 bits = 26 chars, ceil(128/5)=26
      MD5 and 6 bits = 22 chars, ceil(128/6)=22
      SHA1 and 4 bits = 40 chars, ceil(160/4)=40
      SHA1 and 5 bits = 32 chars, ceil(160/5)=32
      SHA1 and 6 bits = 27 chars, ceil(160/6)=27
      and so on.
  . session_start() returns FALSE and no longer initializes $_SESSION when
    it fails to start the session.

- Reflection:
  . The behavior of ReflectionMethod::invoke() and ::invokeArgs() has been
    aligned, which causes slightly different behavior than before for some
    pathological cases.

- IMAP:
  Starting with 7.1.25, rsh/ssh logins are disabled by default. Use
  imap.enable_insecure_rsh if you want to enable them. Note that the IMAP
  library does not filter mailbox names before passing them to rsh/ssh
  command, thus passing untrusted data to this function with rsh/ssh enabled
  is insecure.

========================================
2. New Features
========================================
- Core
  . Added void return type, which requires that a function not return a value.
    (RFC: https://wiki.php.net/rfc/void_return_type)
  . Added iterable pseudo-type accepting any array or object implementing
    Traversable.
    (RFC: https://wiki.php.net/rfc/iterable)
  . String offset access now supports negative references, which will be
    counted from the end of the string.
    (RFC: https://wiki.php.net/rfc/negative-string-offsets)
  . Added a form of the list() construct where keys can be specified.
    (RFC: https://wiki.php.net/rfc/list_keys)
  . Added [] = as alternative construct to list() =.
    (RFC: https://wiki.php.net/rfc/short_list_syntax)
  . Number operators taking numeric strings now emit "A non well formed numeric
    value encountered" E_NOTICEs for leading-numeric strings, and "A
    non-numeric value encountered" E_WARNINGs for non-numeric strings.
    This always applies to the +, -, *, /, **, %, << and >> operators, and
    their assignment counterparts +=, -=, *=, /=, **=, %=, <<= and >>=.
    For the bitwise operators |, & and ^, and their assignment counterparts
    |=, &= and ^=, this only applies where only one operand is a string.
    Note that this never applies to the bitwise NOT operator, ~, which does not
    handle numeric strings, nor to the increment and decrement operators
    ++ and --, which have a unique approach to handling numeric strings.
    (RFC: https://wiki.php.net/rfc/invalid_strings_in_arithmetic)
  . Closure::fromCallable (RFC: https://wiki.php.net/rfc/closurefromcallable)
  . Added support for class constant visibility modifiers.
    (RFC: https://wiki.php.net/rfc/class_const_visibility)
  . TypeError messages for arg_info type checks will now say "must be ...
    or null", or "must ... or be null" where the parameter or return type
    accepts null. arg_info type checks are used by all userland functions with
    type declarations, and some internal functions. Both nullable type
    declarations (?int) and parameters with default values of null
    (int $foo = NULL) are considered to "accept null" for this purpose.
  . The simple syntax for variable parsing inside of string literals now
    supports negative offsets.

========================================
3. Changes in SAPI modules
========================================
- apache2handler:
  . Implemented per module logging.
  . Implemented error level mapping between PHP and Apache for the error logs.

========================================
4. Deprecated Functionality
========================================

- 'e' option of mb_ereg_replace() and mb_eregi_replace().
- ext/mcrypt is now fully deprecated.

========================================
5. Changed Functions
========================================
- get_headers() has an extra parameter which allows passing a custom stream
  context.
- The first $varname argument for getenv() is no longer mandatory, the
  current environment variables will be returned as an associative array
  when omitted.
- json_encode() accepts new option JSON_UNESCAPED_LINE_TERMINATORS that
  disables escaping of U+2028 and U+2029 characters when
  JSON_UNESCAPED_UNICODE is supplied.
- long2ip() now accepts an integer as its parameter.
- openssl_encrypt and openssl_decrypt have extra parameters for handling
  authenticated encryption (tag, aad, tag_length) and decryption (tag, aad).
- pg_last_notice() accepts optional long parameter to specify operation.
    PGSQL_NOTICE_LAST  - Get last notice (Default)
    PGSQL_NOTICE_ALL   - Get all stored notices
    PGSQL_NOTICE_CLEAR - Remove all stored notices
  It returns empty string or array on successful PGSQL_NOTICE_LAST/ALL calls.
  It returned FALSE for empty notice previously.
- pg_fetch_all() accepts 2nd optional result type parameter like
  pg_fetch_row().
- pg_select() accepts 4th optional result type parameter like pg_fetch_row().
- parse_url() is more restrictive now and supports RFC3986.
- unpack() accepts an additional optional $offset argument. '@' format code
  (that specifies an absolute position) is applied to input data after
  the $offset argument.
- strpos(), stripos(), substr_count(), grapheme_strpos(), grapheme_stripos(),
  grapheme_extract(), iconv_strpos(), mb_strimwidth(), mb_ereg_search_setpos(),
  mb_strpos() and mb_stripos() now accept negative string offsets.
- substr_count() and mb_strimwidth() additionally also accept negative length.
- file_get_contents() accepts a negative seek offset if the stream is seekable.
- tempnam() throws a notice when falling back to the system temp dir.
- getopt() has an extra by-ref parameter: optind
- mb_ereg() and mb_ereg_replace() reject illegal byte sequences.
- FILTER_FLAG_EMAIL_UNICODE can be used with filter_var() for email validation
  according to RFC 6531.
- output_reset_rewrite_vars() no longer resets session URL rewrite vars.
- lastInsertId() in the pdo_pgsql extension triggers an error when no
  nextval() was called in the current session.
- fopen()
  Since 7.1.2, mode 'e' was added, which sets the close-on-exec flag
  on the opened file descriptor. This mode is only available in PHP compiled on
  POSIX.1-2008 conforming systems.


========================================
6. New Functions
========================================
- Core:
  . Added sapi_windows_cp_set(), sapi_windows_cp_get(), sapi_windows_cp_is_utf8(),
    sapi_windows_cp_conv() for codepage handling.

- cURL:
  . Added curl_multi_errno() and curl_share_errno() to return the last error
    number of curl_multi and curl_share resources.
  . Added curl_share_strerror() to convert error code to error message text
    describing the error.

- Hash:
  . In PHP 7.1.2: Added hash_hkdf() function, which implements the HMAC-based
    Key Derivation Function (HKDF) algorithm according to RFC 5869. The
    implementation combines the Extract and Expand steps.

- pcntl:
  . Added pcntl_signal_get_handler() that returns the current signal handler
    for a particular signal.

- Session:
  . Added session_gc() that performs session data garbage collection.
    https://wiki.php.net/rfc/session-gc
  . Added session_create_id() for creating custom session ID.
    https://wiki.php.net/rfc/session-create-id

- Standard:
  . Added is_iterable() that determines if a value will be accepted by the new
    iterable pseudo-type.

========================================
7. New Classes and Interfaces
========================================

========================================
8. Removed Extensions and SAPIs
========================================

========================================
9. Other Changes to Extensions
========================================

- Date:
  . Invalid serialization data for a DateTime or DatePeriod object will now
    throw an instance of Error from __wakeup() or __set_state() instead of
    resulting in a fatal error.
  . Timezone initialization failure from serialized data will now throw an
    instance of Error from __wakeup() or __set_state() instead of resulting in
    a fatal error.
  . DateTime and DateTimeImmutable now properly incorporate microseconds when
    constructed from the current time, either explicitly or with a relative
    string (e.g. "first day of next month"). This means that naive comparisons
    of two newly created instances will now more likely return FALSE instead of
    TRUE:
      new DateTime() == new DateTime();

- DBA:
  . Data modification functions (e.g.: dba_insert()) now throw an instance of
    Error instead of triggering a catchable fatal error if the key does not
    contain exactly two elements.

- DOM:
  . Invalid schema or RelaxNG validation contexts will throw an instance of
    Error instead of resulting in a fatal error.
  . Attempting to register a node class that does not extend the appropriate
    base class will now throw an instance of Error instead of resulting in a
    fatal error.
  . Attempting to read an invalid or write to a readonly property will throw
    an instance of Error instead of resulting in a fatal error.

- GD:
  . Changed the default of the ini setting gd.jpeg_ignore_warning to 1.

- IMAP:
  . An email address longer than 16385 bytes will throw an instance of Error
    instead of resulting in a fatal error.

- Intl:
  . Failure to call the parent constructor in a class extending Collator
    before invoking the parent methods will throw an instance of Error
    instead of resulting in a recoverable fatal error.
  . Cloning a Transliterator object will now throw an instance of Error
    instead of resulting in a fatal error if cloning the internal
    transliterator fails.

- LDAP:
  . Providing an unknown modification type to ldap_batch_modify() will now
    throw an instance of Error instead of resulting in a fatal error.

- Mbstring:
  . mb_ereg() and mb_eregi() will now throw an instance of ParseError if an
    invalid PHP expression is provided and the 'e' option is used.

- Mcrypt:
  . mcrypt_encrypt() and mcrypt_decrypt() will throw an instance of Error
    instead of resulting in a fatal error if mcrypt cannot be initialized.

- Mysqli:
  . Attempting to read an invalid or write to a readonly property will throw
    an instance of Error instead of resulting in a fatal error.

- PDO_Firebird
  As of PHP 7.1.2, the fetched data for integer fields is aware of the Firebird
  datatypes. Previously all integers were fetched as strings; starting with the
  aforementioned PHP version, integer fields are translated to the PHP integer
  datatype. The 64-bit integers are still fetched as strings in 32-bit PHP
  builds.

- Reflection:
  . Failure to retrieve a reflection object or retrieve an object property
    will now throw an instance of Error instead of resulting in a fatal error.

- Session:
  . Custom session handlers that do not return strings for session IDs will
    now throw an instance of Error instead of resulting in a fatal error
    when a function is called that must generate a session ID.
  . Only CSPRNG is used to generate session ID.

- SimpleXML:
  . Creating an unnamed or duplicate attribute will throw an instance of Error
    instead of resulting in a fatal error.

- SPL:
  . Attempting to clone an SplDirectory object will throw an instance of Error
    instead of resulting in a fatal error.
  . Calling ArrayIterator::append() when iterating over an object will throw an
    instance of Error instead of resulting in a fatal error.

- SQLite3:
  . Upgraded bundled SQLite lib to 3.13.0

- Standard:
  . assert() will throw a ParseError when evaluating a string given as the first
    argument if the PHP code is invalid instead of resulting in a catchable
    fatal error.
  . Calling forward_static_call() outside of a class scope will now throw an
    instance of Error instead of resulting in a fatal error.

- Tidy:
  . Creating a tidyNode manually will now throw an instance of Error instead of
    resulting in a fatal error.

- WDDX:
  . A circular reference when serializing will now throw an instance of Error
    instead of resulting in a fatal error.

- XML-RPC:
  . A circular reference when serializing will now throw an instance of Error
    instead of resulting in a fatal error.

- Zip:
  . ZipArchive::addGlob() will throw an instance of Error instead of resulting
    in a fatal error if glob support is not available.

========================================
10. New Global Constants
========================================

- Core:
  . PHP_FD_SETSIZE

- JSON:
  . JSON_UNESCAPED_LINE_TERMINATORS

- Pgsql:
  . PGSQL_NOTICE_LAST
  . PGSQL_NOTICE_ALL
  . PGSQL_NOTICE_CLEAR

- Standard:
  . IMAGETYPE_WEBP

========================================
11. Changes to INI File Handling
========================================

- serialize_precision
  . If the value is set to -1, then the dtoa mode 0 is used. The value -1
    is now used by default.

- precision
  . If the value is set to -1, then the dtoa mode 0 is used. No changes
    in default value which is still 14.

- realpath_cache_size
  . Set to 4096k by default

========================================
12. Windows Support
========================================

- Core:
  . Support for long and UTF-8 paths.

    If a web application is UTF-8 conformant, no further action is required.
    For applications depending on paths in non UTF-8 encodings for I/O, an
    explicit INI directive has to be set. The encoding INI settings check
    relies on the order in the core:
    - internal_encoding
    - default_charset
    - zend.multibyte

    Several functions for codepage handling were introduced:
    - sapi_windows_cp_set() to set the default codepage
    - sapi_windows_cp_get() to retrieve the current codepage
    - sapi_windows_cp_is_utf8()
    - sapi_windows_cp_conv() to convert between codepages, using iconv()
      compatible signature
    These functions are thread safe.

    The console output codepage is adjusted depending on the encoding used in
    PHP. Depending on the concrete system OEM codepage, the visible output
    might or might not be correct. For example, in the default cmd.exe and on
    a system with the OEM codepage 437, outputs in codepages 1251, 1252, 1253
    and some others can be shown correctly when using UTF-8. On the same system,
    chars in codepage like 20932 probably won't be shown correctly. This refers
    to the particular system rules for codepage, font compatibility and the
    particular console program used. PHP automatically sets the console codepage
    according to the encoding rules from php.ini. Using alternative consoles
    instead of cmd.exe directly might bring better experience in some cases.

    Nevertheless be aware, runtime codepage switch after the request start
    might bring unexpected side effects on CLI. The preferable way is php.ini.
    When PHP CLI is used in a console emulator that doesn't support Unicode,
    it might be required to avoid changing the console codepage. The
    best way to achieve it is by setting the default or internal encoding to
    correspond to the ANSI codepage. Another method is to set the INI directives
    output_encoding and input_encoding to the required codepage, in which case
    however the difference between internal and I/O codepage is likely to cause
    mojibake. In rare cases, if PHP happens to crash gracefully, the original
    console codepage might not be restored. In this case, the chcp command
    can be used to restore it manually.

    Special awareness for the DBCS systems - the codepage switch on runtime
    using ini_set() is likely to cause display issues. The difference to the
    non DBCS systems is that the extended characters require two console cells
    to be displayed. In certain cases, only the mapping of the characters into
    the glyph set of the font could happen, no actual font change. This is the
    nature of DBCS systems; the simplest way to prevent display issues is
    to avoid usage of ini_set() for the codepage change.

    As a result of UTF-8 support in the streams, PHP scripts are not limited
    to ASCII or ANSI filenames anymore. This is supported out of the box on
    CLI. For other SAPI, the documentation for the corresponding server
    is useful.

    Long paths support is transparent. Paths longer than 260 bytes get
    automatically prefixed with \\?\. The max path length is limited to
    2048 bytes. Be aware that the path segment limit (basename length) still
    persists.

    For the best portability, it is strongly recommended to handle filenames,
    I/O and other related topics in UTF-8. Additionally, for the console
    applications, the usage of a TrueType font is preferable and the usage of
    ini_set() for the codepage change is discouraged.

  . Support for ftok()

- FCGI
  . PHP_FCGI_CHILDREN is respected. If this environment variable is defined,
    the first php-fcgi.exe process will exec the specified number of children.
    Those will share the same TCP socket.

- readline:
  . The readline extension is supported through the WinEditLine library
    (http://mingweditline.sourceforge.net/). Thereby, the interactive CLI
    shell is supported as well (php.exe -a).

    It is well known, but nevertheless is worth mentioning again, that
    the readline extension is not thread safe and will never be. Thus,
    the usage of it with any true thread safe SAPI (like Apache mod_winnt) is
    strongly discouraged.

========================================
13. Other Changes
========================================
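
Added example, not part of the PHP project's notes: the tag, aad and tag_length parameters of openssl_encrypt()/openssl_decrypt() listed under "5. Changed Functions", used with a key derived by hash_hkdf() from "6. New Functions". The helper names derive_key(), seal() and open_sealed(), the info label, the blob layout and all sample values are assumptions made for illustration.

```php
<?php
// Added example; requires PHP >= 7.1.2 with ext/openssl and ext/hash.
// Function names, the info label and all sample values are constructed.

/** Derive a 32-byte AES key with HKDF-SHA256 (Extract and Expand in one call). */
function derive_key(string $ikm, string $salt, string $info): string
{
    return hash_hkdf('sha256', $ikm, 32, $info, $salt);
}

/** AES-256-GCM encrypt; returns nonce (12) || tag (16) || ciphertext. */
function seal(string $key, string $plaintext, string $aad): string
{
    $nonce = random_bytes(12);   // must never repeat under the same key
    $tag = '';                   // filled in by reference by openssl_encrypt()
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        $nonce, $tag, $aad, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $nonce . $tag . $ct;
}

/** Decrypt and verify; returns null when the tag or the AAD does not match. */
function open_sealed(string $key, string $blob, string $aad): ?string
{
    if (strlen($blob) < 28) {
        return null;             // too short to hold a nonce and a tag
    }
    $pt = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($blob, 0, 12), substr($blob, 12, 16), $aad);
    return $pt === false ? null : $pt;
}

// In practice the input key material comes from a secret store and the salt
// is kept alongside the data so the key can be derived again.
$key = derive_key(random_bytes(32), random_bytes(16), 'example:records:v1');
$aad = 'record_id=1001';         // bound to the ciphertext, sent in the clear
$blob = seal($key, 'constructed sample payload', $aad);

$tampered = $blob;
$tampered[30] = $tampered[30] ^ "\x01";   // flip one bit inside the ciphertext

$cases = [
    'intact blob, matching AAD'  => open_sealed($key, $blob, $aad),
    'intact blob, different AAD' => open_sealed($key, $blob, 'record_id=1002'),
    'modified ciphertext'        => open_sealed($key, $tampered, $aad),
];
foreach ($cases as $label => $result) {
    echo $label, ': ', $result === null ? 'rejected' : 'accepted', PHP_EOL;
}
```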