xref: /PHP-7.2/UPGRADING (revision 7bc112a1)
PHP 7.2 UPGRADE NOTES

1. Backward Incompatible Changes
2. New Features
3. Changes in SAPI modules
4. Deprecated Functionality
5. Changed Functions
6. New Functions
7. New Classes and Interfaces
8. Removed Extensions and SAPIs
9. Other Changes to Extensions
10. New Global Constants
11. Changes to INI File Handling
12. Windows Support
13. Other Changes


========================================
1. Backward Incompatible Changes
========================================

- Core:
  . gettype() will now return "resource (closed)" instead of "unknown type" for
    closed resources.
  . is_object() will now return true for objects of class
    __PHP_Incomplete_Class.
  . Support for Netware operating systems has been removed.
  . Casting arrays to objects (with (object) or settype()) will now convert
    integer keys to string property names. This fixes the behaviour of previous
    versions, where integer keys would become inaccessible properties with
    integer names.
  . Casting objects to arrays (with (array) or settype()), and retrieving
    object properties in an array with get_object_vars(), will now convert
    numeric string property names (that is, property names of the format
    /^(0|(-?[1-9][0-9]*))$/ where PHP_INT_MIN <= n <= PHP_INT_MAX) to integer
    keys. This fixes the behaviour of previous versions, where numeric string
    property names would become inaccessible string keys.
  . Unqualified references to undefined constants now generate a Warning instead
    of a notice. They will generate an Error in a future version of PHP.
    (https://wiki.php.net/rfc/deprecate-bareword-strings)
  . Minimum supported Windows versions are Windows 7/Server 2008 R2.
  . Initial trait property value compatibility check will no longer perform
    any casts. (Bug #74269)
  . "object" (in any case) can no longer be used as a class name.

- BCMath:
  . The bcmod() function no longer truncates fractional numbers to integers. As
    such, its behavior now follows fmod() rather than the `%` operator. For
    example `bcmod('4', '3.5')` now returns '0.5' instead of '1'.

- Hash:
  . The hash_hmac(), hash_hmac_file(), hash_pbkdf2() and hash_init() (with
    HASH_HMAC) functions no longer accept non-cryptographic hashes.

- JSON:
  . The json_decode() option JSON_OBJECT_AS_ARRAY is used if the second
    parameter (assoc) is null. Previously JSON_OBJECT_AS_ARRAY was always
    ignored.

- SAPI:
  . Starting with 7.2.34, incoming cookie names are not url-decoded. This was never
    required by the standard, outgoing cookie names aren't encoded and this leads
    to security issues (CVE-2020-7070).

- Session:
  . Removed register_globals related code; "!" can now be used as a $_SESSION key name.
  . The session module now manages session status correctly and prevents invalid
    operations. Only incorrect code is affected by this change. If you have problems
    with this, it means there is a problem in your code.
    . Functions now set or return the correct session status.
        session_start(), session_status(), session_regenerate_id()
    . Functions now return bool instead of null. These functions take no parameters,
      and this is now checked.
        session_unset(), session_write_close()/session_commit(), session_abort(),
        session_reset()
    . Functions now prohibit operations that are invalid with regard to session
      status and HTTP header status, and return the correct bool value.
        session_start(), session_set_cookie_params(), session_name(), session_module_name(),
        session_set_save_handler(), session_regenerate_id(), session_cache_limiter(),
        session_cache_expire(), session_unset(), session_destroy(),
        session_write_close()/session_commit(), session_reset()
    . Changing INI values with ini_set() now returns the update status correctly.
      Invalid INI modifications are checked and made to fail.
        session.name, session.save_path, session.cookie_lifetime, session.cookie_path,
        session.cookie_domain, session.cookie_httponly, session.cookie_secure,
        session.use_cookies, session.use_only_cookies, session.use_strict_mode,
        session.referer_check, session.cache_limiter, session.cache_expire,
        session.lazy_write, session.save_handler, session.serialize_handler,
        session.gc_probability, session.gc_divisor, session.gc_maxlifetime
    . Some E_ERRORs have been changed to E_WARNING since session status is now
      managed correctly.
        session_start()
    . $_SESSION is no longer initialized for invalid and useless sessions.
        session_start()
    . When headers have already been sent and a script tries to set new INI values,
      session_name(), session_module_name(), session_save_path(),
      session_cache_limiter() and session_cache_expire() no longer work. Older PHP
      versions accepted new values even when they would not be effective.
      This corrected behavior may affect command line (CLI) scripts that manage
      sessions. Use output buffering, just as web applications do, to resolve
      problems in CLI scripts.
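The bool return values described in the Session notes above make it possible to fail closed during login. The following is an added example, not code from the PHP source tree; the function names and the 'user-42' value are hypothetical.

```php
<?php
/** Start a session and treat every failure the 7.2 API now reports as an error. */
function start_checked_session(): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    // Once output has started, INI changes and session_start() are rejected.
    if (headers_sent($file, $line)) {
        error_log("session not started: output began at $file:$line");
        return false;
    }
    $settings = [
        'session.use_strict_mode'  => '1',
        'session.use_only_cookies' => '1',
        'session.cookie_httponly'  => '1',
        'session.cookie_secure'    => '1',
    ];
    foreach ($settings as $name => $value) {
        // ini_set() returns the old value on success and false on failure;
        // the old value may be "0" or "", so compare strictly.
        if (ini_set($name, $value) === false) {
            error_log("rejected INI change: $name");
            return false;
        }
    }
    return session_start();
}

/** Bind an authenticated user to a fresh session ID. */
function establish_login(string $userId): bool
{
    if (!start_checked_session()) {
        return false;
    }
    // Fails when no session is active or headers were already sent.
    if (!session_regenerate_id(true)) {
        return false;
    }
    $_SESSION['uid'] = $userId;
    return true;
}

// CLI scripts need output buffering so that no output precedes session setup.
ob_start();
var_dump(establish_login('user-42')); // constructed sample user id
ob_end_flush();
```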

- Standard:
  . Sequences generated by mt_rand() and rand() for a specific seed may differ
    from PHP 7.1 on 64-bit machines. This change was necessary to resolve a
    modulo bias bug in the implementation.

- IMAP:
  Starting with 7.2.13, rsh/ssh logins are disabled by default. Use
  imap.enable_insecure_rsh if you want to enable them. Note that the IMAP
  library does not filter mailbox names before passing them to rsh/ssh
  command, thus passing untrusted data to this function with rsh/ssh enabled
  is insecure.

========================================
2. New Features
========================================

- Core:
  . It is now possible to remove argument type annotations when overriding an
    inherited method. This complies with contravariance of method argument types
    under the Liskov Substitution Principle.
    (https://wiki.php.net/rfc/parameter-no-type-variance)
  . It is now allowed to override an abstract method with another abstract
    method in a child class.
    (https://wiki.php.net/rfc/allow-abstract-function-override)
  . A trailing comma in group use statements is now allowed.
    (https://wiki.php.net/rfc/list-syntax-trailing-commas)
  . The "object" type annotation is now supported.
    (https://wiki.php.net/rfc/object-typehint)

- DBA:
  . Implemented support for the LMDB backend.

- JSON:
  . Added JSON_INVALID_UTF8_IGNORE and JSON_INVALID_UTF8_SUBSTITUTE options for
    json_encode() and json_decode() to ignore and replace invalid UTF-8 byte
    sequences, respectively.

- OCI8:
  . Added Oracle Database Transparent Application Failover (TAF) callback support.

- PCRE:
  . Added `J` modifier for setting PCRE_DUPNAMES.
  . Added `PREG_UNMATCHED_AS_NULL` flag to distinguish between unmatched
    subpatterns and empty matches by reporting NULL and "" (empty string),
    respectively.

- Sodium:
  . New cryptographic extension.

- SQLite3:
  . Implemented writing to BLOBs.

- Standard:
  . Simplified password hashing API updated to support Argon2i hashes when PHP is
    compiled with libargon2 (https://wiki.php.net/rfc/argon2_password_hash).
  . proc_nice() is now supported on Windows platforms.

- Zip:
  . Read/write encrypted archives, relying on libzip 1.2.0,
    using new methods:
      ZipArchive::setEncryptionName($name, $method [, $password]);
      ZipArchive::setEncryptionIndex($index, $method [, $password]);
    and new constants:
      ZipArchive::EM_NONE
      ZipArchive::EM_AES_128
      ZipArchive::EM_AES_192
      ZipArchive::EM_AES_256
  . Accept 'password' from zip stream context.
  . ZipArchive implements Countable, added ZipArchive::count() method.


========================================
3. Changes in SAPI modules
========================================

========================================
4. Deprecated Functionality
========================================

All the deprecated functionality listed in the following will be removed in
PHP 8.0.

- Core:
  . The track_errors ini directive has been deprecated.
  . The __autoload() mechanism has been deprecated, use spl_autoload_register()
    instead.
  . The (unset) cast has been deprecated. This does not affect the unset($var)
    language construct.
  . The create_function() function has been deprecated, use anonymous functions
    instead.
  . The each() function has been deprecated, use a foreach loop instead.
  . The $errcontext error handler argument has been deprecated. However, using
    it does not trigger a deprecation warning for technical reasons.

- EXIF:
  . The read_exif_data() alias has been deprecated, use exif_read_data() instead.

- GD:
  . png2wbmp() and jpeg2wbmp() have been deprecated.

- GMP:
  . The gmp_random() function has been deprecated, use gmp_random_bits() or
    gmp_random_range() instead.

- Intl:
  . INTL_IDNA_VARIANT_2003 has been deprecated; use INTL_IDNA_VARIANT_UTS46
    instead.

- Mbstring:
  . The mbstring.func_overload ini directive has been deprecated.

- Standard:
  . Calling parse_str() without the result argument has been deprecated.
  . Calling assert() with a string argument has been deprecated, use an ordinary
    expression instead.

See also: https://wiki.php.net/rfc/deprecations_php_7_2

========================================
5. Changed Functions
========================================

- Standard:
  . password_hash() can generate Argon2i hashes when the algorithm is set to PASSWORD_ARGON2I.
    When using PASSWORD_ARGON2I, the following cost factors may be set: 'memory_cost', 'time_cost',
    and 'threads'. These cost factors will default to 'PASSWORD_ARGON2_DEFAULT_MEMORY_COST',
    'PASSWORD_ARGON2_DEFAULT_TIME_COST', and 'PASSWORD_ARGON2_DEFAULT_THREADS' respectively if not set.
  . password_verify() can verify Argon2i hashes.
  . password_get_info() and password_needs_rehash() can accept Argon2i hashes.
  . mail()/mb_send_mail() accept an array $extra_headers. The array parameter is
    checked against RFC 2822. The array format is
    $extra_headers = [
      'Header-Name' => 'Header value',
      'Multiple' => ['One header', 'Another header'],
      'Multiline' => "FirstLine\r\n SecondLine",
    ];
  . count() now raises a warning when an invalid parameter is passed.
    Only arrays and objects implementing the Countable interface should be passed.
  . pack() and unpack() now support float and double in both little and big endian.
  . number_format() ensures zero values never contain a negative sign.

- XML:
  . utf8_encode() and utf8_decode() have been moved to the Standard extension
    as string functions.

========================================
6. New Functions
========================================

- Core:
  . Added stream_isatty().
  . Added sapi_windows_vt100_support().

- DOM:
  . DOMNodeList implements Countable, added DOMNodeList::count().
  . DOMNamedNodeMap implements Countable, added DOMNamedNodeMap::count().

- FTP:
  . Added ftp_append().

- GD:
  . Added imagesetclip() and imagegetclip().
  . Added imageopenpolygon().
  . Added imageresolution().
  . Added imagecreatefrombmp() and imagebmp().

- Hash:
  . Added hash_hmac_algos().
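hash_hmac_algos() pairs with the Hash change in section 1 (HMAC functions no longer accept non-cryptographic hashes): it lets code validate a configured algorithm name before signing. This is an added example, not code from the PHP source tree; sign_message(), verify_message() and the sample message are hypothetical.

```php
<?php
function sign_message(string $message, string $key, string $algo = 'sha256'): string
{
    // hash_hmac_algos() lists only the algorithms hash_hmac() accepts in 7.2+.
    if (!in_array($algo, hash_hmac_algos(), true)) {
        throw new InvalidArgumentException("'$algo' cannot be used for HMAC");
    }
    return hash_hmac($algo, $message, $key);
}

function verify_message(string $message, string $tag, string $key, string $algo = 'sha256'): bool
{
    // hash_equals() compares the expected tag with the supplied one in constant time.
    return hash_equals(sign_message($message, $key, $algo), $tag);
}

$key = random_bytes(32);
$message = 'order=1234&amount=10.00'; // constructed sample input
$tag = sign_message($message, $key);

var_dump(verify_message($message, $tag, $key));        // untampered message
var_dump(verify_message($message . '0', $tag, $key));  // modified message

// Algorithms hash() still offers but the HMAC functions now refuse.
echo implode(', ', array_diff(hash_algos(), hash_hmac_algos())), "\n";

// A non-cryptographic name from configuration is rejected before signing.
try {
    sign_message($message, $key, 'crc32');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```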

- Mbstring:
  . Added mb_chr() and mb_ord().
  . Added mb_scrub() that scrubs broken multibyte strings.

- OCI8:
  . Added oci_register_taf_callback() and oci_unregister_taf_callback() for
    Oracle Database TAF callback support.

- Sockets:
  . Added socket_addrinfo_lookup(), socket_addrinfo_connect(),
    socket_addrinfo_bind() and socket_addrinfo_explain().

- SPL:
  . Added spl_object_id().

========================================
7. New Classes and Interfaces
========================================

========================================
8. Removed Extensions and SAPIs
========================================

- Mcrypt:
  . The deprecated mcrypt extension has been moved to PECL.
  . libmcrypt has not been maintained since 2007 and the continued use of this
    extension is strongly discouraged.
  . Users are advised to use alternatives such as OpenSSL or libsodium.
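For code that used mcrypt for symmetric encryption, the Sodium extension added in section 2 offers authenticated encryption in one call. This is an added example, not code from the PHP source tree; encrypt_record() and decrypt_record() are hypothetical helpers, and data already encrypted with mcrypt still has to be decrypted with the old code once before re-encrypting.

```php
<?php
function encrypt_record(string $plaintext, string $key): string
{
    // A fresh random nonce per message; it is not secret and travels with the data.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

function decrypt_record(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $minLength = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLength) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

    // Returns false when the authentication tag does not match (wrong key or tampering).
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

$key = sodium_crypto_secretbox_keygen();
$stored = encrypt_record('card-holder: A. Example', $key); // constructed sample data
echo decrypt_record($stored, $key), "\n";

// Flip one bit of the stored value: decryption must refuse it.
$tampered = base64_decode($stored);
$tampered[strlen($tampered) - 1] = chr(ord($tampered[strlen($tampered) - 1]) ^ 1);
try {
    decrypt_record(base64_encode($tampered), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

sodium_memzero($key); // wipe the key from memory when done
```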

========================================
9. Other Changes to Extensions
========================================

- EXIF:
  . Added extended exif tag support for the following formats:
    Samsung, DJI, Panasonic, Sony, Pentax, Minolta, Sigma/Foveon,
    AGFA, Kyocera, Ricoh & Epson.
  . exif_read_data() and exif_thumbnail() now support streams passed as their
    first parameter.

- GD:
  . Removed --enable-gd-native-ttf configuration option which was unused as
    of PHP 5.5.0 anyway.
  . imagegd() stores truecolor images as real truecolor images. Formerly, they
    have been converted to palette.
  . imageantialias() is now also available if compiled with a system libgd.

- Mbstring:
  . mb_check_encoding() accepts array parameter. Both key and value
    encodings are checked recursively.
  . mb_convert_encoding() accepts array parameter. Only value encodings
    are converted recursively.

- PDO_OCI:
  . The '--with-pdo-oci' configure syntax no longer needs the version number of the
    Oracle Instant Client.

- pdo_sqlite:
  . Use sqlite3_prepare_v2() and sqlite3_close_v2() functions instead of their
    legacy counterparts.

========================================
10. New Global Constants
========================================

- Core:
  . PHP_FLOAT_DIG     number of decimal digits that can be rounded into a
                      float and back without precision loss
  . PHP_FLOAT_EPSILON smallest representable positive number x such that
                      x + 1.0 != 1.0
  . PHP_FLOAT_MIN     min representable float number
  . PHP_FLOAT_MAX     max representable float number
  . PHP_OS_FAMILY     current operating system family

- Fileinfo:
  . FILEINFO_EXTENSION include list of possible file extensions

- GD:
  . IMG_EFFECT_MULTIPLY
  . IMG_BMP

- PCRE:
  . PREG_UNMATCHED_AS_NULL

- Standard:
  . PASSWORD_ARGON2_DEFAULT_MEMORY_COST
  . PASSWORD_ARGON2_DEFAULT_TIME_COST
  . PASSWORD_ARGON2_DEFAULT_THREADS
  . PASSWORD_ARGON2I
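The password_hash() changes in section 5 and the PASSWORD_ARGON2* constants above allow existing hashes to be upgraded to Argon2i at login time. This is an added example, not code from the PHP source tree; preferred_algo(), check_login() and the sample password are hypothetical, and the fallback branch covers builds compiled without libargon2.

```php
<?php
/** Return [algorithm, options]: Argon2i when this build has it, else the default. */
function preferred_algo(): array
{
    if (defined('PASSWORD_ARGON2I')) {
        return [PASSWORD_ARGON2I, [
            'memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST,
            'time_cost'   => PASSWORD_ARGON2_DEFAULT_TIME_COST,
            'threads'     => PASSWORD_ARGON2_DEFAULT_THREADS,
        ]];
    }
    return [PASSWORD_DEFAULT, []];
}

/**
 * Verify a password and, on success, re-hash it when the stored hash uses an
 * older algorithm or weaker cost factors. $saveHash persists the new hash.
 */
function check_login(string $password, string $storedHash, callable $saveHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    [$algo, $options] = preferred_algo();
    if (password_needs_rehash($storedHash, $algo, $options)) {
        $newHash = password_hash($password, $algo, $options);
        if (is_string($newHash)) {   // keep the old hash if hashing failed
            $saveHash($newHash);
        }
    }
    return true;
}

// Constructed demo: a bcrypt hash created before the upgrade.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
$save = function (string $hash) use (&$stored) {
    $stored = $hash;                 // stands in for a database update
};

var_dump(check_login('wrong password', $stored, $save));
var_dump(password_get_info($stored)['algoName']);   // unchanged after a failed login

var_dump(check_login('correct horse battery staple', $stored, $save));
var_dump(password_get_info($stored)['algoName']);   // upgraded where Argon2i is available
```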

========================================
11. Changes to INI File Handling
========================================

- sql.safe_mode
  . This INI directive has been removed.

- realpath_cache_size
  . Set to 4096k by default

- opcache.fast_shutdown
  . This INI directive has been removed. A variant of the fast_shutdown
    process has been integrated into PHP core and is always enabled for
    production builds if possible.

========================================
12. Windows Support
========================================

- Support for VT100 console mode

  On systems starting with 10.0.10586, cmd.exe supports ANSI escape sequences.
  The corresponding console mode is enabled by default on CLI on suitable
  systems. As well, the function sapi_windows_vt100_support() is provided,
  to control and query the corresponding information in the scripts.

========================================
13. Other Changes
========================================

- Build system

  Autoconf minimal version is now 2.64.