diff options
Diffstat (limited to 'UPGRADING')
-rw-r--r-- | UPGRADING | 1190 |
1 files changed, 433 insertions, 757 deletions
@@ -1,4 +1,4 @@ -PHP 7.0 UPGRADE NOTES +PHP 7.1 UPGRADE NOTES 1. Backward Incompatible Changes 2. New Features @@ -19,832 +19,508 @@ 1. Backward Incompatible Changes ======================================== -Language changes -================ - -Changes to variable handling ----------------------------- - -* Indirect variable, property and method references are now interpreted with - left-to-right semantics. Some examples: - - $$foo['bar']['baz'] // interpreted as ($$foo)['bar']['baz'] - $foo->$bar['baz'] // interpreted as ($foo->$bar)['baz'] - $foo->$bar['baz']() // interpreted as ($foo->$bar)['baz']() - Foo::$bar['baz']() // interpreted as (Foo::$bar)['baz']() - - To restore the previous behavior add explicit curly braces: - - ${$foo['bar']['baz']} - $foo->{$bar['baz']} - $foo->{$bar['baz']}() - Foo::{$bar['baz']}() - -* The global keyword now only accepts simple variables. Instead of - - global $$foo->bar; - - it is now required to write the following: - - global ${$foo->bar}; - -* Parentheses around variables or function calls no longer have any influence - on behavior. For example the following code, where the result of a function - call is passed to a by-reference function - - function getArray() { return [1, 2, 3]; } - - $last = array_pop(getArray()); - // Strict Standards: Only variables should be passed by reference - $last = array_pop((getArray())); - // Strict Standards: Only variables should be passed by reference - - will now throw a strict standards error regardless of whether parentheses - are used. Previously no notice was generated in the second case. - -* Array elements or object properties that are automatically created during - by-reference assignments will now result in a different order. For example - - $array = []; - $array["a"] =& $array["b"]; - $array["b"] = 1; - var_dump($array); - - now results in the array ["a" => 1, "b" => 1], while previously the result - was ["b" => 1, "a" => 1]; - -Relevant RFCs: -* https://wiki.php.net/rfc/uniform_variable_syntax -* https://wiki.php.net/rfc/abstract_syntax_tree - -Changes to list() ------------------ - -* list() will no longer assign variables in reverse order. For example - - list($array[], $array[], $array[]) = [1, 2, 3]; - var_dump($array); - - will now result in $array == [1, 2, 3] rather than [3, 2, 1]. Note that only - the **order** of the assignments changed, but the assigned values stay the - same. E.g. a normal usage like - - list($a, $b, $c) = [1, 2, 3]; - // $a = 1; $b = 2; $c = 3; +- Core: + . 'void' can no longer be used as the name of a class, interface, or trait. + This applies to declarations, class_alias() and use statements. + . 'iterable' can no longer be used as the name of a class, interface, or + trait. This applies to declarations, class_alias() and use statements. + (RFC: https://wiki.php.net/rfc/iterable) + . (int), intval() where $base is 10 or unspecified, settype(), decbin(), + decoct(), dechex(), integer operators and other conversions now always + respect scientific notation in numeric strings. + (RFC: https://wiki.php.net/rfc/invalid_strings_in_arithmetic) + . The ASCII 0x7F Delete control character is no longer permitted in unquoted + identifiers in source code. + . The following functions may no longer be called dynamically using $func(), + call_user_func(), array_map() or similar: + . extract() + . compact() + . get_defined_vars() + . func_get_args() + . func_get_arg() + . func_num_args() + . parse_str() with one argument + . mb_parse_str() with one argument + . assert() with a string argument + (RFC: https://wiki.php.net/rfc/forbid_dynamic_scope_introspection) + . If the error_log is set to syslog, the PHP error levels are mapped to the + syslog error levels. This brings finer differentiation in the error logs + in contrary to the previous approach where all the errors are loggged with + the notice level only. + . Don't call destructors of incompletely constructed objects, even if they + are kept referenced. See bug #29368 and Zend/tests/bug29368_1.phpt. + . call_user_func() will now consistently throw a warning if a function with + reference arguments is called. However, call_user_func() will no longer + abort the call in this case. + . rand() and srand() are now aliases of mt_rand() and mt_srand(). + Consequently the output of the following functions has changed: + . rand() + . shuffle() + . str_shuffle() + . array_rand() + . Fixes to random number generators mean that mt_rand() now produces a + different sequence of outputs to previous versions. If you relied on + mt_srand() to produce a deterministic sequence, it can be called using + mt_srand($seed, MT_RAND_PHP) to produce the old sequences. + . URL rewriter has been improved. + . Use dedicated buffer for Session module rewrite and User rewrite. + . Full path URL rewrite is supported. Allowed domain can be specified. + $_SERVER['HTTP_HOST'] is allowed by default when host whitelist is empty. + . Use session.trans_sid_tags and session.trans_sid_hosts to control + session rewrite. + . Use url_rewriter.tags and url_rewriter.hosts to control user rewrite. + . <form>'s "action" attribute is used to check if URL rewrite is allowed + and listed under hosts whitelist. + . <fieldset> is no longer considered as a special tag. <form> is the + only tag considered special. + . Calling a function with less arguments than mandatory declared ones in + signature now issues a Fatal Error (Error Exception) instead of a Warning. + (RFC https://wiki.php.net/rfc/too_few_args). + . The error message for E_RECOVERABLE errors has been changed from "Catchable + fatal error" to "Recoverable fatal error". + . The empty index operator (e.g. $str[] = $x) is not supported for strings + anymore, and throws a fatal error instead of silently converting to array. + . Array elements or object properties that are automatically created during + by-reference assignments will now result in a different order. For example - will retain its current behavior. - -* Empty list() assignments are no longer allowed. As such all of the following - are invalid: - - list() = $a; - list(,,) = $a; - list($x, list(), $y) = $a; - -* list() no longer supports unpacking strings (while previously this was only - supported in some cases). The code - - $string = "xy"; - list($x, $y) = $string; - - will now result in $x == null and $y == null (without notices) instead of - $x == "x" and $y == "y". Furthermore list() is now always guaranteed to - work with objects implementing ArrayAccess, e.g. - - list($a, $b) = (object) new ArrayObject([0, 1]); - - will now result in $a == 0 and $b == 1. Previously both $a and $b were null. - -Relevant RFCs: -* https://wiki.php.net/rfc/abstract_syntax_tree#changes_to_list -* https://wiki.php.net/rfc/fix_list_behavior_inconsistency - -Changes to foreach ------------------- - -* Iteration with foreach() no longer has any effect on the internal array - pointer, which can be accessed through the current()/next()/etc family of - functions. For example - - $array = [0, 1, 2]; - foreach ($array as &$val) { - var_dump(current($array)); - } - - will now print the value int(0) three times. Previously the output was int(1), - int(2) and bool(false). - -* When iterating arrays by-value, foreach will now always operate on a copy of - the array, as such changes to the array during iteration will not influence - iteration behavior. For example - - $array = [0, 1, 2]; - $ref =& $array; // Necessary to trigger the old behavior - foreach ($array as $val) { - var_dump($val); - unset($array[1]); - } - - will now print all three elements (0 1 2), while previously the second element - 1 was skipped (0 2). - -* When iterating arrays by-reference, modifications to the array will continue - to influence the iteration. However PHP will now do a better job of - maintaining a correct position in a number of cases. E.g. appending to an - array during by-reference iteration - - $array = [0]; - foreach ($array as &$val) { - var_dump($val); - $array[1] = 1; - } - - will now iterate over the appended element as well. As such the output of this - example will now be "int(0) int(1)", while previously it was only "int(0)". - -* Iteration of plain (non-Traversable) objects by-value or by-reference will - behave like by-reference iteration of arrays. This matches the previous - behavior apart from the more accurate position management mentioned in the - previous point. - -* Iteration of Traversable objects remains unchanged. - -Relevant RFC: https://wiki.php.net/rfc/php7_foreach - -Changes to parameter handling ------------------------------ - -* It is no longer possible to define two function parameters with the same name. - For example, the following method will trigger a compile-time error: - - public function foo($a, $b, $unused, $unused) { - // ... - } - - Code like this should be changed to use distinct parameter names, for example: - - public function foo($a, $b, $unused1, $unused2) { - // ... - } - -* The func_get_arg() and func_get_args() functions will no longer return the - original value that was passed to a parameter and will instead provide the - current value (which might have been modified). For example - - function foo($x) { - $x++; - var_dump(func_get_arg(0)); - } - foo(1); - - will now print "2" instead of "1". This code should be changed to either - perform modifications only after calling func_get_arg(s) - - function foo($x) { - var_dump(func_get_arg(0)); - $x++; - } - - or avoid modifying the parameters altogether: - - function foo($x) { - $newX = $x + 1; - var_dump(func_get_arg(0)); - } - -* Similarly exception backtraces will no longer display the original value that - was passed to a function and show the modified value instead. For example - - function foo($x) { - $x = 42; - throw new Exception; - } - foo("string"); - - will now result in the stack trace - - Stack trace: - #0 file.php(4): foo(42) - #1 {main} - - while previously it was: - - Stack trace: - #0 file.php(4): foo('string') - #1 {main} - - While this should not impact runtime behavior of your code, it is worthwhile - to be aware of this difference for debugging purposes. - - The same limitation also applies to debug_backtrace() and other functions - inspecting function arguments. - -Relevant RFC: https://wiki.php.net/phpng - -Changes to integer handling ---------------------------- - -* Invalid octal literals (containing digits larger than 7) now produce compile - errors. For example, the following is no longer valid: + $array = []; + $array["a"] =& $array["b"]; + $array["b"] = 1; + var_dump($array); - $i = 0781; // 8 is not a valid octal digit! - - Previously the invalid digits (and any following valid digits) were simply - ignored. As such $i previously held the value 7, because the last two digits - were silently discarded. - -* Bitwise shifts by negative numbers will now throw an ArithmeticError: - - var_dump(1 >> -1); - // ArithmeticError: Bit shift by negative number - -* Left bitwise shifts by a number of bits beyond the bit width of an integer - will always result in 0: - - var_dump(1 << 64); // int(0) - - Previously the behavior of this code was dependent on the used CPU - architecture. For example on x86 (including x86-64) the result was int(1), - because the shift operand was wrapped. - -* Similarly right bitwise shifts by a number of bits beyond the bit width of an - integer will always result in 0 or -1 (depending on sign): - - var_dump(1 >> 64); // int(0) - var_dump(-1 >> 64); // int(-1) - -Relevant RFC: https://wiki.php.net/rfc/integer_semantics - -Changes to string handling --------------------------- - -* Strings that contain hexadecimal numbers are no longer considered to be - numeric and don't receive special treatment anymore. Some examples of the - new behavior: - - var_dump("0x123" == "291"); // bool(false) (previously true) - var_dump(is_numeric("0x123")); // bool(false) (previously true) - var_dump("0xe" + "0x1"); // int(0) (previously 16) - - var_dump(substr("foo", "0x1")); // string(3) "foo" (previously "oo") - // Notice: A non well formed numeric value encountered - - filter_var() can be used to check if a string contains a hexadecimal number - or convert such a string into an integer: - - $str = "0xffff"; - $int = filter_var($str, FILTER_VALIDATE_INT, FILTER_FLAG_ALLOW_HEX); - if (false === $int) { - throw new Exception("Invalid integer!"); - } - var_dump($int); // int(65535) - -* Due to the addition of the Unicode Codepoint Escape Syntax for double-quoted - strings and heredocs, "\u{" followed by an invalid sequence will now result in - an error: - - $str = "\u{xyz}"; // Fatal error: Invalid UTF-8 codepoint escape sequence - - To avoid this the leading backslash should be escaped: - - $str = "\\u{xyz}"; // Works fine - - However, "\u" without a following { is unaffected. As such the following code - won't error and will work the same as before: - - $str = "\u202e"; // Works fine - -Relevant RFCs: -* https://wiki.php.net/rfc/remove_hex_support_in_numeric_strings -* https://wiki.php.net/rfc/unicode_escape - -Changes to error handling -------------------------- - -* There are now two exception classes: Exception and Error. Both classes - implement a new interface Throwable. Type hints in exception handling code - may need to be changed to account for this. - -* Some fatal errors and recoverable fatal errors now throw an Error instead. - As Error is a separate class from Exception, these exceptions will not be - caught by existing try/catch blocks. - - For the recoverable fatal errors which have been converted into an exception, - it is no longer possible to silently ignore the error from an error handler. - In particular, it is no longer possible to ignore type hint failures. - -* Parser errors now generate a ParseError that extends Error. Error - handling for eval()s on potentially invalid code should be changed to catch - ParseError in addition to the previous return value / error_get_last() - based handling. - -* Constructors of internal classes will now always throw an exception on - failure. Previously some constructors returned NULL or an unusable object. - -* The error level of some E_STRICT notices has been changed. - -Relevant RFCs: -* https://wiki.php.net/rfc/engine_exceptions_for_php7 -* https://wiki.php.net/rfc/throwable-interface -* https://wiki.php.net/rfc/internal_constructor_behaviour -* https://wiki.php.net/rfc/reclassify_e_strict - -Other language changes ----------------------- - -* Removed support for static calls to non-static methods from an incompatible - $this context. In this case $this will not be defined, but the call will be - allowed with a deprecation notice. An example: - - class A { - public function test() { var_dump($this); } - } - - // Note: Does NOT extend A - class B { - public function callNonStaticMethodOfA() { A::test(); } - } - - (new B)->callNonStaticMethodOfA(); - - // Deprecated: Non-static method A::test() should not be called statically - // Notice: Undefined variable $this - NULL - - Note that this only applies to calls from an incompatible context. If class B - extended from A the call would be allowed without any notices. - -* It is no longer possible to use the following class, interface and trait names - (case-insensitive): - - bool - int - float - string - null - false - true - - This applies to class/interface/trait declarations, class_alias() and use - statements. - - Furthermore the following class, interface and trait names are now reserved - for future use, but do not yet throw an error when used: - - resource - object - mixed - numeric - -* The yield language construct no longer requires parentheses when used in an - expression context. It is now a right-associative operator with precedence - between the "print" and "=>" operators. This can result in different behavior - in some cases, for example: - - echo yield -1; - // Was previously interpreted as - echo (yield) - 1; - // And is now interpreted as - echo yield (-1); - - yield $foo or die; - // Was previously interpreted as - yield ($foo or die); - // And is now interpreted as - (yield $foo) or die; - - Such cases can always be resolved by adding additional parentheses. - - . Removed ASP (<%) and script (<script language=php>) tags. - (RFC: https://wiki.php.net/rfc/remove_alternative_php_tags) - . Removed support for assigning the result of new by reference. - . Removed support for scoped calls to non-static methods from an incompatible - $this context. See details in https://wiki.php.net/rfc/incompat_ctx. - . Removed support for #-style comments in ini files. Use ;-style comments - instead. - . $HTTP_RAW_POST_DATA is no longer available. Use the php://input stream instead. - -Standard library changes -======================== - - . substr() now returns an empty string instead of FALSE when the truncation happens on boundaries. - . call_user_method() and call_user_method_array() no longer exists. - . ob_start() no longer issues an E_ERROR, but instead an E_RECOVERABLE_ERROR in case an - output buffer is created in an output buffer handler. - . The internal sorting algorithm has been improved, what may result in - different sort order of elements that compare as equal. - . Removed dl() function on fpm-fcgi. - . setcookie() with an empty cookie name now issues a WARNING and doesn't send an empty set-cookie header line anymore. - -Other -===== - -- Curl: - . Removed support for disabling the CURLOPT_SAFE_UPLOAD option. All curl file - uploads must use the curl_file / CURLFile APIs. - . curl_getinfo($ch, CURLINFO_CERTINFO) returns certificate Subject and Issuer - as a string (PHP >= 5.6.25) - -- Date: - . Removed $is_dst parameter from mktime() and gmmktime(). - -- DBA - . dba_delete() now returns false if the key was not found for the inifile - handler, too. - -- GMP - . Requires libgmp version 4.2 or newer now. - . gmp_setbit() and gmp_clrbit() now return FALSE for negative indices, making - them consistent with other GMP functions. - -- Intl: - . Removed deprecated aliases datefmt_set_timezone_id() and - IntlDateFormatter::setTimeZoneID(). Use datefmt_set_timezone() and - IntlDateFormatter::setTimeZone() instead. - -- libxml: - . Added LIBXML_BIGLINES parser option. It's available starting with libxml 2.9.0 - and adds suppport for line numbers >16-bit in the error reporting. - -- Mcrypt - . Removed deprecated mcrypt_generic_end() alias in favor of - mcrypt_generic_deinit(). - . Removed deprecated mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb() and mcrypt_ofb() - functions in favor of mcrypt_encrypt() and mcrypt_decrypt() with an - MCRYPT_MODE_* flag. - -- Session - . session_start() accepts all INI settings as array. e.g. ['cache_limiter'=>'private'] - sets session.cache_limiter=private. It also supports 'read_and_close' which closes - session data immediately after read data. - . Save handler accepts validate_sid(), update_timestamp() which validates session - ID existence, updates timestamp of session data. Compatibility of old user defined - save handler is retained. - . SessionUpdateTimestampHandlerInterface is added. validateSid(), updateTimestamp() - is defined in the interface. - . session.lazy_write(default=On) INI setting enables only write session data when - session data is updated. - . session_regenerate_id() saves current $_SESSION before creating new session ID. - -- Opcache - . Removed opcache.load_comments configuration directive. Now doc comments - loading costs nothing and always enabled. - -- OpenSSL: - . Removed the "rsa_key_size" SSL context option in favor of automatically - setting the appropriate size given the negotiated crypto algorithm. - . Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic - detection or the "peer_name" option instead. - -- PCRE: - . Removed support for /e (PREG_REPLACE_EVAL) modifier. Use - preg_replace_callback() instead. - -- PDO_pgsql: - . Removed PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT attribute in favor of - ATTR_EMULATE_PREPARES. - -- Standard: - . Removed string category support in setlocale(). Use the LC_* constants - instead. - . Removed set_magic_quotes_runtime() and its alias magic_quotes_runtime(). + now results in the array ["b" => 1, "a" => 1], while for PHP 7.0 the result + was ["a" => 1, "b" => 1]. + . The allowed_classes element of the $options parameter of unserialize() is + now strictly typed, i.e. if anything other than an array or a boolean is + given, unserialize() returns FALSE and issues an E_WARNING. + . $this, autoglobals, and variables with the same name as a parameter can no + longer be bound to a closure via the use construct. - JSON: - . Rejected RFC 7159 incompatible number formats in json_decode string - - top level (07, 0xff, .1, -.1) and all levels ([1.], [1.e1]) - . Calling json_decode with 1st argument equal to empty PHP string or value that - after casting to string is empty string (NULL, FALSE) results in JSON syntax error. + . The serialize_precision is used instead of precision when encoding double + values. + . An empty key is decoded as an empty property name instead of using _empty_ + property name when decoding object to stdClass. + . When calling json_encode with JSON_UNESCAPED_UNICODE option, U+2028 and + U+2029 are escaped. -- Stream: - . Removed set_socket_blocking() in favor of its alias stream_set_blocking(). +- mbstring: + . mb_ereg() and mb_eregi() will now set the $regs argument to an empty array, + if nothing matched. Formerly, $regs was not modified in that case. -- XML: - . xml_set_object() now requires to manually unset the $parser when finished, - to avoid memory leaks. - -- XSL: - . Removed xsl.security_prefs ini option. Use XsltProcessor::setSecurityPrefs() - instead. +- OpenSSL: + . Dropped sslv2 stream. + +- Session: + . Session ID is generated from CSPRNG directly. As a result, Session ID length + could be any length between 22 and 256. Note: Max size of session ID depends + on save handler you are using. + . Following INIs are removed + . session.hash_function + . session.hash_bits_per_character + . session.entropy_file + . session.entropy_length + . New INIs and defaults + . session.sid_length (Number of session ID characters - 22 to 256. + php.ini-* default: 26 Compiled default: 32) + . session.sid_bits_per_character (Bits used per character - 4 to 6. + php.ini-* default: 5 Compiled default: 4) + . Length of old session ID string is determined as follows + . Used hash function's bits. + . session.hash_function=0 - MD5 128 bits (This was default) + . session.hash_function=1 - SHA1 160 bits + . Bits per character. (4, 5 or 6 bits per character) + . Examples + MD5 and 4 bits = 32 chars, ceil(128/4)=32 + MD5 and 5 bits = 26 chars, ceil(128/5)=26 + MD5 and 6 bits = 22 chars, ceil(128/6)=22 + SHA1 and 4 bits = 40 chars, ceil(160/4)=40 + SHA1 and 5 bits = 32 chars, ceil(160/5)=32 + SHA1 and 6 bits = 27 chars, ceil(160/6)=27 + and so on. + . session_start() returns FALSE and no longer initializes $_SESSION when + it failed to start session. + +- Reflection: + . The behavior of ReflectionMethod::invoke() and ::invokeArgs() has been + aligned, which causes slightly different behavior than before for some + pathological cases. ======================================== 2. New Features ======================================== - - Core - . Added group use declarations. - (RFC: https://wiki.php.net/rfc/group_use_declarations) - . Added null coalesce operator (??). - (RFC: https://wiki.php.net/rfc/isset_ternary) - . Support for strings with length >= 2^31 bytes in 64 bit builds. - . Closure::call() method added (works only with userland classes). - . Added \u{xxxxxx} Unicode Codepoint Escape Syntax for double-quoted strings - and heredocs. - . define() now supports arrays as constant values, fixing an oversight where - define() did not support arrays yet const syntax did. - . Added the comparison operator (<=>), aka the spaceship operator. - (RFC: https://wiki.php.net/rfc/combined-comparison-operator) - . Added the yield from operator for delegating Generators like coroutines. - (RFC: https://wiki.php.net/rfc/generator-delegation) - . Reserved keywords can now be used in various new contexts. - (RFC: https://wiki.php.net/rfc/context_sensitive_lexer) - . Added support for scalar type declarations and strict mode using - declare(strict_types=1) (RFC: https://wiki.php.net/rfc/scalar_type_hints_v5) - . Added support for cryptographically secure user land RNG - (RFC: https://wiki.php.net/rfc/easy_userland_csprng) - -- Opcache - . Added second level file based opcode cache. It may be enabled by setting - opcache.file_cache=<DIR> configuration directive in php.ini. The second - level cache may improve performance when SHM is full, at server restart or - SHM reset. In addition, it's possibe to use file cache without SHM at all, - using opcache.file_cache_only=1 (this may be useful for sharing hosting), - and disable file cache consistency check, to speedup loading at the cost of - safety, using opcache.file_cache_consistency_checks=0. - . Added ability to move PHP code pages (PHP TEXT segment) into HUGE pages. - It's possible to enable/disable this feature in php.ini through - opcache.huge_code_pages=0/1. OS should be configured to provide huge pages. - . Added Windows only opcache.file_cache_fallback=1 ini option, which implies - the implemented fallback mechanism. When OPcache was not able to reattach - the shared memory segment to the desired address and opcache.file_cache - is on, opcache.file_cache_only=1 will be automatically enforced. - -- OpenSSL - . Added "alpn_protocols" SSL context option allowing encrypted client/server - streams to negotiate alternative protocols using the ALPN TLS extension when - built against OpenSSL 1.0.2 or newer. Negotiated protocol information is - accessible through stream_get_meta_data() output. - -- Reflection - . Added a ReflectionGenerator class (yield from Traces, current file/line, - etc.) - . Added a ReflectionType class to better support the new return type and - scalar type declarations features. The new ReflectionParameter::getType() - and ReflectionFunctionAbstract::getReturnType() methods both return an - instance of ReflectionType. - -- Stream: - . New Windows only stream context options was added to allow blocking reads - on pipes. To enable it, pass array("pipe" => array("blocking" => true)) - when creating the stream context. Be aware, that this option can under - circumstances cause dead locks on the pipe buffer. However it can be useful - in several CLI use case scenarios. + . Added void return type, which requires that a function not return a value. + (RFC: https://wiki.php.net/rfc/void_return_type) + . Added iterable pseudo-type accepting any array or object implementing + Traversable. + (RFC: https://wiki.php.net/rfc/iterable) + . String offset access now supports negative references, which will be + counted from the end of the string. + (RFC: https://wiki.php.net/rfc/negative-string-offsets) + . Added a form of the list() construct where keys can be specified. + (RFC: https://wiki.php.net/rfc/list_keys) + . Added [] = as alternative construct to list() =. + (RFC: https://wiki.php.net/rfc/short_list_syntax) + . Number operators taking numeric strings now emit "A non well formed numeric + value encountered" E_NOTICEs for leading-numeric strings, and "A + non-numeric value encountered" E_WARNINGs for non-numeric strings. + This always applies to the +, -, *, /, **, %, << and >> operators, and + their assignment counterparts +=, -=, *=, /=, **=, %=, <<= and >>=. + For the bitwise operators |, & and ^, and their assignment counterparts + |=, &= and ^=, this only applies where only one operand is a string. + Note that this never applies to the bitwise NOT operator, ~, which does not + handle numeric strings, nor to the increment and decrement operators + ++ and --, which have a unique approach to handling numeric strings. + (RFC: https://wiki.php.net/rfc/invalid_strings_in_arithmetic) + . Closure::fromCallable (RFC: https://wiki.php.net/rfc/closurefromcallable) + . Added support for class constant visibility modifiers. + (RFC: https://wiki.php.net/rfc/class_const_visibility) + . TypeError messages for arg_info type checks will now say "must be ... + or null", or "must ... or be null" where the parameter or return type + accepts null. arg_info type checks are used by all userland functions with + type declarations, and some internal functions. Both nullable type + declarations (?int) and parameters with default values of null + (int $foo = NULL) are considered to "accept null" for this purpose. + . The simple syntax for variable parsing inside of string literals now + supports negative offsets. ======================================== 3. Changes in SAPI modules ======================================== - -- FPM - . Fixed bug #65933 (Cannot specify config lines longer than 1024 bytes). - . Listen = port now listen on all addresses (IPv6 and IPv4-mapped). +- apache2handler: + . Implemented per module logging. + . Implemented error level mapping between PHP and Apache for the error logs. ======================================== 4. Deprecated Functionality ======================================== -- Core - . PHP 4 style constructors, where the constructor name is the same as the - class name, are now deprecated. - . Static calls to non-static methods are now deprecated. - -- OpenSSL - . The "capture_session_meta" SSL context option is now deprecated. Meta - data concerning active crypto on a stream resource is now accessible - through the return result from stream_get_meta_data(). +- 'e' option of mb_ereg_replace() and mb_eregi_replace(). +- ext/mcrypt is now fully deprecated. ======================================== 5. Changed Functions ======================================== - -- unserialize(): - . Added second parameter for unserialize function - (RFC: https://wiki.php.net/rfc/secure_unserialize) allowing to specify - acceptable classes: - unserialize($foo, ["allowed_classes" => ["MyClass", "MyClass2"]]); - -- proc_open(): - . The maximum number of pipes used by proc_open() was previously limited by - hardcoded value of 16. This limit is now removed and the number of pipes is - effectively limited by the amount of memory available to PHP. - . New Windows only configuration option "blocking_pipes" can be used to - force blocking reads on child process pipes. This covers several - edge cases in CLI usage however can lead to dead locks. Also, this - correlates with the new stream context options for pipes. - -- array_column(): - The function now supports an array of objects as well as two-dimensional - arrays. Only public properties are considered, and objects that make use of - __get() for dynamic properties must also implement __isset(). - -- stream_context_create() - It accepts now a Windows only configuration - array("pipe" => array("blocking" => <boolean>)) which forces blocking reads - on pipes. This option should be used carefully because due to the - platform restrictions dead locks on pipe buffers are possible. - -- dirname() - A new optional argument ($levels) allow to go up various times - dirname(dirname($foo)) => dirname($foo, 2); - -- debug_zval_dump - It prints now "int" instead of "long", and "float" instead of "double". - -- getenv() - Since 7.0.9, getenv() has optional second parameter, making it only - consider local environment and not SAPI environment if true. - +- get_headers() has an extra parameter which allows passing a custom stream + context. +- The first $varname argument for getenv() is no longer mandatory, the + current environment variables will be returned as an associative array + when omitted. +- json_encode() accepts new option JSON_UNESCAPED_LINE_TERMINATORS that + disables escaping of U+2028 and U+2029 characters when + JSON_UNESCAPED_UNICODE is supplied. +- long2ip() accepts integer as parameter now +- openssl_encrypt and openssl_decrypt have extra parameters for handling + authenticated encryption (tag, aad, tag_length) and decryption (tag, aad). +- pg_last_notice() accepts optional long parameter to specify operation. + PGSQL_NOTICE_LAST - Get last notice (Default) + PGSQL_NOTICE_ALL - Get all stored notices + PGSQL_NOTICE_CLEAR - Remove all stored notices + It returns empty string or array on successful PGSQL_NOTICE_LAST/ALL calls. + It returned FALSE for empty notice previously. +- pg_fetch_all() accepts 2nd optional result type parameter like + pg_fetch_row(). +- pg_select() accepts 4th optional result type parameter like pg_fetch_row(). +- parse_url() is more restrictive now and supports RFC3986. +- unpack() accepts an additional optional $offset argument. '@' format code + (that specifes an absolute position) is applyed to input data after + the $offset argument. +- strpos(), stripos(), substr_count(), grapheme_strpos(), grapheme_stripos(), + grapheme_extract(), iconv_strpos(), mb_strimwidth(), mb_ereg_search_setpos(), + mb_strpos() and mb_stripos() now accept negative string offsets. +- substr_count() and mb_strimwidth() additionally also accept negative length. +- file_get_contents() accepts a negative seek offset if the stream is seekable. +- tempnam() throws a notice when failing back to the system temp dir. +- getopt() has an extra by-ref parameter : optind +- mb_ereg() and mb_ereg_replace() reject illegal byte sequences. +- FILTER_FLAG_EMAIL_UNICODE can be used with filter_var() for email validation + according to RFC 6531. +- output_reset_rewrite_vars() no longer reset session URL rewrite vars. +- the lasinsertid() in pdo_pgsql extension triggers an error, when no nextval() + were called in in the current session. - fopen() - Since 7.0.16, mode 'e' was added, which sets the close-on-exec flag + Since 7.1.2, mode 'e' was added, which sets the close-on-exec flag on the opened file descriptor. This mode is only available in PHP compiled on POSIX.1-2008 conform systems. + ======================================== 6. New Functions ======================================== +- Core: + . Added sapi_windows_cp_set(), sapi_windows_cp_get(), sapi_windows_cp_is_utf8(), + sapi_windows_cp_conv() for codepage handling. + +- cURL: + . Added curl_multi_errno() and curl_share_errno() to return the last error + number of curl_multi and curl_share resources. + . Added curl_share_strerror() to convert error code to error message text + describing the error. + +- Hash: + . In PHP 7.1.2: Added hash_hkdf() function, which implements the HMAC-based + Key Derivation Function (HKDF) algorithm according to RFC 5869. The + implementation combines the Extract and Expand steps. + +- pcntl: + . Added pcntl_signal_get_handler() that returns the current signal handler + for a particular signal. + +- Session: + . Added session_gc() that performs session data garbage collection. + https://wiki.php.net/rfc/session-gc + . Added session_create_id() for creating custom session ID. + https://wiki.php.net/rfc/session-create-id -- GMP - . Added gmp_random_seed(). - -- PCRE: - . Added preg_replace_callback_array function - (RFC: https://wiki.php.net/rfc/preg_replace_callback_array) - -- Standard - . Added intdiv() function for integer division. - . Added error_clear_last() function to reset error state. - -- Zip: - . Added ZipArchive::setCompressionIndex() and ZipArchive::setCompressionName() - for setting the compression method. - -- Zlib: - . Added deflate_init(), deflate_add(), inflate_init(), inflate_add() - functions allowing incremental/streaming compression/decompression. +- Standard: + . Added is_iterable() that determines if a value will be accepted by the new + iterable pseudo-type. ======================================== 7. New Classes and Interfaces ======================================== -- ReflectionGenerator -- ReflectionType - ======================================== 8. Removed Extensions and SAPIs ======================================== -- sapi/aolserver -- sapi/apache -- sapi/apache_hooks -- sapi/apache2filter -- sapi/caudium -- sapi/continuity -- sapi/isapi -- sapi/milter -- sapi/nsapi -- sapi/phttpd -- sapi/pi3web -- sapi/roxen -- sapi/thttpd -- sapi/tux -- sapi/webjames -- ext/mssql -- ext/mysql -- ext/sybase_ct -- ext/ereg - -For more details see - -https://wiki.php.net/rfc/removal_of_dead_sapis_and_exts -https://wiki.php.net/rfc/remove_deprecated_functionality_in_php7 - -NOTE: NSAPI was not voted in the RFC, however it was removed afterwards. It turned -out, that the corresponding SDK isn't available anymore. - ======================================== 9. Other Changes to Extensions ======================================== -- Mhash - Mhash is not an extension anymore, use function_exists("mhash") to check whether - it is avaliable. +- Date: + . Invalid serialization data for a DateTime or DatePeriod object will now + throw an instance of Error from __wakeup() or __set_state() instead of + resulting in a fatal error. + . Timezone initialization failure from serialized data will now throw an + instance of Error from __wakeup() or __set_state() instead of resulting in + a fatal error. + . DateTime and DateTimeImmutable now properly incorporate microseconds when + constructed from the current time, either explicitly or with a relative + string (e.g. "first day of next month"). This means that naive comparisons + of two newly created instances will now more likely return FALSE instead of + TRUE: + new DateTime() == new DateTime(); + +- DBA: + . Data modification functions (e.g.: dba_insert()) now throw an instance of + Error instead of triggering a catchable fatal error if the key does not + contain exactly two elements. + +- DOM: + . Invalid schema or RelaxNG validation contexts will throw an instance of + Error instead of resulting in a fatal error. + . Attempting to register a node class that does not extend the appropriate + base class will now throw an instance of Error instead of resulting in a + fatal error. + . Attempting to read an invalid or write to a readonly property will throw + an instance of Error instead of resulting in a fatal error. + +- GD: + . Changed the default of the ini setting gd.jpeg_ignore_warning to 1. + +- IMAP: + . An email address longer than 16385 bytes will throw an instance of Error + instead of resulting in a fatal error. + +- Intl: + . Failure to call the parent constructor in a class extending Collator + before invoking the parent methods will throw an instance of Error + instead of resulting in a recoverable fatal error. + . Cloning a Transliterator object may will now throw an instance of Error + instead of resulting in a fatal error if cloning the internal + transliterator fails. + +- LDAP: + . Providing an unknown modification type to ldap_batch_modify() will now + throw an instance of Error instead of resulting in a fatal error. + +- Mbstring: + . mb_ereg() and mb_eregi() will now throw an instance of ParseError if an + invalid PHP expression is provided and the 'e' option is used. + +- Mcrypt: + . mcrypt_encrypt() and mcrypt_decrypt() will throw an instance of Error + instead of resulting in a fatal error if mcrypt cannot be initialized. + +- Mysqli: + . Attempting to read an invalid or write to a readonly property will throw + an instance of Error instead of resulting in a fatal error. - PDO_Firebird - As of PHP 7.0.16, the fetched data for integer fields is aware of the Firebird - datatypes. Previously all integers was fetched as strings, starting with the + As of PHP 7.1.2, the fetched data for integer fields is aware of the Firebird + datatypes. Previously all integers was fetched as strings, starting with aforementioned PHP version integer fields are translated to the PHP integer datatype. The 64-bit integers are still fetched as strings in 32-bit PHP builds. -- GD - The bundled libgd requires libwebp instead of libvpx for the WebP functionality. +- Reflection: + . Failure to retrieve a reflection object or retrieve an object property + will now throw an instance of Error instead of resulting in a fatal error. + +- Session: + . Custom session handlers that do not return strings for session IDs will + now throw an instance of Error instead of resulting in a fatal error + when a function is called that must generate a session ID. + . Only CSPRNG is used to generate session ID. + +- SimpleXML: + . Creating an unnamed or duplicate attribute will throw an instance of Error + instead of resulting in a fatal error. -- Openssl - minimum supported OpenSSL version series was raised to 0.9.8 +- SPL: + . Attempting to clone an SplDirectory object will throw an instance of Error + instead of resulting in a fatal error. + . Calling ArrayIterator::append() when iterating over an object will throw an + instance of Error instead of resulting in a fatal error. -- Shmop - The shmop identifiers have been changed from ints to resources of type shmop. +- SQLite3: + . Upgraded bundled SQLite lib to 3.13.0 + +- Standard: + . assert() will throw a ParseError when evaluating a string given as the first + argument if the PHP code is invalid instead of resulting in a catchable + fatal error. + . Calling forward_static_call() outside of a class scope will now throw an + instance of Error instead of resulting in a fatal error. + +- Tidy: + . Creating a tidyNode manually will now throw an instance of Error instead of + resulting in a fatal error. + +- WDDX: + . A circular reference when serializing will now throw an instance of Error + instead of resulting in a fatal error. + +- XML-RPC: + . A circular reference when serializing will now throw an instance of Error + instead of resulting in a fatal error. + +- Zip: + . ZipArchive::addGlob() will throw an instance of Error instead of resulting + in a fatal error if glob support is not available. ======================================== 10. New Global Constants ======================================== -- Core - . PHP_INT_MIN added. - -- PCRE - . This error constant is added to signal errors due to stack size limitations - when PCRE JIT support is enabled: - . PREG_JIT_STACKLIMIT_ERROR - -- Zlib - . These constants are added to control flush behavior with the new - incremental deflate_add() and inflate_add() functions: - . ZLIB_NO_FLUSH - . ZLIB_PARTIAL_FLUSH - . ZLIB_SYNC_FLUSH - . ZLIB_FULL_FLUSH - . ZLIB_BLOCK - . ZLIB_FINISH - -- GD - . IMG_WEBP (>= 7.0.10) - - . T1Lib support removed, thus lifting the optional dependency on T1Lib, the - following is therefore not available anymore: - - Functions: - - imagepsbbox() - - imagepsencodefont() - - imagepsextendedfont() - - imagepsfreefont() - - imagepsloadfont() - - imagepsslantfont() - - imagepstext() - - Resources: - - 'gd PS font' - - 'gd PS encoding' - -- Zip - . Filename encoding flags, as of 7.0.8 - - ZipArchive::FL_ENC_GUESS - - ZipArchive::FL_ENC_RAW - - ZipArchive::FL_ENC_STRICT - - ZipArchive::FL_ENC_UTF_8 - - ZipArchive::FL_ENC_CP437 +- Core: + . PHP_FD_SETSIZE + +- JSON: + . JSON_UNESCAPED_LINE_TERMINATORS + +- Pgsql: + PGSQL_NOTICE_LAST + PGSQL_NOTICE_ALL + PGSQL_NOTICE_CLEAR + +- Standard: + . IMAGETYPE_WEBP ======================================== 11. Changes to INI File Handling ======================================== -- Core - . Removed asp_tags ini directive. Trying to enable it will result in a fatal - error. - . Removed always_populate_raw_post_data ini directive. - . realpath_cache_size set to 4096k by default +- serialize_precision + . If the value is set to -1, then the dtoa mode 0 is used. The value -1 + is now used by default. + +- precision + . If the value is set to -1, then the dtoa mode 0 is used. No changes + in default value which is still 14. + +- realpath_cache_size + . Set to 4096k by default ======================================== 12. Windows Support ======================================== -- Core - . Support for native 64 bit integers in 64 bit builds. - . Support for large files in 64 bit builds. - . Support for getrusage() - -- ftp - . The ftp extension is always shipped shared - . For SSL support, the dependency on the openssl extension was abolished. Instead - it depends alone on the openssl library. If it's present at the compile time, - ftp_ssl_connect() is enabled automatically. - -- imap - . Static building of ext/imap is disabled - -- odbc - . The odbc extension is always shipped shared +- Core: + . Support for long and UTF-8 path; + + If a web application is UTF-8 conform, no further action is required. For + applications depending on paths in non UTF-8 encodings for I/O, an explicit + INI directive has to be set. The encoding INI settings check relies on the + order in the core: + - internal_encoding + - default_charset + - zend.multibyte + + Several functions for codepage handling were itroduced: + - sapi_windows_cp_set() to set the default codepage + - sapi_windows_cp_get() to retrieve the current codepage + - sapi_windows_cp_is_utf8() + - sapi_windows_cp_conv() to convert between codepages, using iconv() + compatible signature + These functions are thread safe. + + The console output codepage is adjusted depending on the encoding used in + PHP. Depending on the concrete system OEM codepage, the visible output + might or might be not correct. For example, in the default cmd.exe and on + a system with the OEM codepage 437, outputs in codepages 1251, 1252, 1253 + and some others can be shown correctly when using UTF-8. On the same system, + chars in codepage like 20932 probably won't be shown correctly. This refers + to the particular system rules for codepage, font compatibility and the + particular console program used. PHP automatically sets the console codepage + according to the encoding rules from php.ini. Using alternative consoles + instead of cmd.exe directly might bring better experience in some cases. + + Nevertheless be aware, runtime codepage switch after the request start + might bring unexpected side effects on CLI. The preferrable way is php.ini, + When PHP CLI is used in a console emulator, that doesn't support Unicode, + it might possibly be required, to avoid changing the console codepage. The + best way to achieve it is by setting the default or internal encoding to + correspond the ANSI codepage. Another method is to set the INI directives + output_encoding and input_encoding to the required codepage, in which case + however the difference between internal and I/O codepage is likely to cause + mojibake. In rare cases, if PHP happens to crash gracefully, the original + console codepage might be not restored. In this case, the chcp command + can be used, to restore it manually. + + Special awareness for the DBCS systems - the codepage switch on runtime + using ini_set() is likely to cause display issues. The difference to the + non DBCS systems is, that the extended characters require two console cells + to be displayed. In certain case, only the mapping of the characters into + the glyph set of the font could happen, no actual font change. This is the + nature of DBCS systems, the most simple way to prevent display issues is + to avoid usage of ini_set() for the codepage change. + + As a result of UTF-8 support in the streams, PHP scripts are not limited + to ASCII or ANSI filenames anymore. This is supported out of the box on + CLI. For other SAPI, the documentation for the corresponding server + is useful. + + Long paths support is transparent. Paths longer than 260 bytes get + automatically prefixed with \\?\. The max path length is limited to + 2048 bytes. Be aware, that the path segment limit (basename length) still + persists. + + For the best portability, it is strongely recommended to handle filenames, + I/O and other related topics UTF-8. Additionally, for the console applications, + the usage of a TrueType font is preferrable and the usage of ini_set() for + the codepage change is discouraged. + + . Support for ftok() + +- FCGI + . PHP_FCGI_CHILDREN is respected. If this environment variable is defined, + the first php-fcgi.exe process will exec the specified number of children. + Those will share the same TCP socket. + +- readline: + . The readline extension is supported through the WinEditLine library + (http://mingweditline.sourceforge.net/). Thereby, the interactive CLI + shell is supported as well (php.exe -a). + + It is well known, but nevertheless is worth mentioning again, that + the readline extension is not thread safe and will never be. Thus, + the usage of it with any true thread safe SAPI (like Apache mod_winnt) is + strongely discouraged. ======================================== 13. Other Changes ======================================== -- Core - . Instead of being undefined and platform-dependent, NaN and Infinity will - always be zero when cast to integer. - . Calling a method on a non-object now raises a catchable error instead of a - fatal error; see: https://wiki.php.net/rfc/catchable-call-to-member-of-non-object - . Error messages for zend_parse_parameters, type hints and conversions now - always say "integer" and "float" instead of "long" and "double". - . Output buffering now continues to work for an aborted connection if - ignore_user_abort is set to true. - . Zend Extensions API was extended with zend_extension.op_array_persist_calc() - and zend_extensions.op_array_persist() handlers. They allow to store (or - reset) associated with op_array addition information in Opcache Shared - Memory. - . zend_internal_function.reserved[] array was introduced to allow association - of aditional information with internal functions. In PHP-5 it was possible - to use zend_function.op_array.reserved[] even for internal functions, but - now we don't allocate extra space. - -- CURL - . curl_getinfo($ch, CURLINFO_CERTINFO) returns certificate Subject and Issuer - as a string (PHP >= 7.0.10) |