$Id$ PHP 5.4 UPGRADE NOTES =========== 0. Contents =========== 1. Changes to INI directives 2. Changes to reserved words and classes 3. Changes to engine behavior 4. Changes to existing functions a. unserialize() change 5. Changes to existing classes 6. Changes to existing methods 7. Deprecated Functionality 8. Removed Functionality a. Removed features b. Removed functions c. Removed syntax d. Removed hash algorithms 9. Extension Changes: a. Extensions no longer maintained b. Extensions with changed behavior 10. Changes in SAPI support 11. Windows support 12. New in PHP 5.4: a. New features b. Syntax additions c. New functions d. New global constants e. New classes f. New methods g. New hash algorithms ============================= 1. Changes to INI directives ============================= - PHP 5.4 now checks at compile time if /dev/urandom or /dev/arandom are present. If either is available, session.entropy_file now defaults to that file and session.entropy_length defaults to 32. This provides non-blocking entropy to session id generation. If you do not want extra entropy for your session ids, add: session.entropy_file= session.entropy_length=0 to your php.ini to preserve pre-PHP 5.4 behavior. - Deprecated php.ini directives will now throw an E_CORE_WARNING's instead of the previous E_WARNING's. - The following php.ini directives are no longer available in PHP 5.4 and will now throw an E_CORE_ERROR upon startup: - allow_call_time_pass_reference - define_syslog_variables - highlight.bg - magic_quotes_gpc - magic_quotes_runtime - magic_quotes_sybase - register_globals - register_long_arrays - safe_mode - safe_mode_gid - safe_mode_include_dir - safe_mode_exec_dir - safe_mode_allowed_env_vars - safe_mode_protected_env_vars - session.bug_compat_42 - session.bug_compat_warn - y2k_compliance - zend.ze1_compatibility_mode - the following new php.ini directives were added: - max_input_vars - specifies how many GET/POST/COOKIE input variables may be accepted. The default value is 1000. - E_ALL now includes E_STRICT. - The recommended production value for error_reporting changed to E_ALL & ~E_DEPRECATED & ~E_STRICT. - Added new session support directives: session.upload_progress.enabled session.upload_progress.cleanup session.upload_progress.prefix session.upload_progress.name session.upload_progress.freq session.upload_progress.min_freq - Added a zend.multibyte directive as a replacement of the PHP compile time configuration option --enable-zend-multibyte. Now the Zend Engine always contains code for multibyte support, which can be enabled or disabled at runtime. Note: It doesn't make a lot of sense to enable this option if ext/mbstring is not enabled, because most functionality is implemented by mbstrings callbacks. - Added zend.script_encoding. This value will be used unless a "declare(encoding=...)" directive appears at the top of the script. - Added zend.signal_check to check for replaced signal handlers on shutdown - Added enable_post_data_reading, which is enabled by default. When it's disabled, the POST data is not read (or processed); the behavior is similar to that of other request methods with body, like PUT. This allows reading the raw POST data in multipart requests and reading/processing the POST data in a stream fashion (through php://input) without having it copied in memory multiple times. - Added windows_show_crt_warning. This directive shows the CRT warnings when enabled. These warnings were displayed by default until now. It is disabled by default. - Added cli.pager to set a pager for CLI interactive shell output. - Added cli.prompt to configure the CLI interactive shell prompt. - Added cli_server.color to enable the CLI web server to use ANSI color coding in terminal output. ======================================== 2. Changes to reserved words and classes ======================================== - "callable", "insteadof" and "trait" are now reserved words. ============================= 3. Changes to engine behavior ============================= - The __construct arguments of an extended abstract constructor must now match: abstract class Base { abstract public function __construct(); } class Foo extends Base { public function __construct($bar) {} } This now emits a Fatal error due the incompatible declaration. - In previous versions, superglobal names could be used for parameter names, thereby shadowing the corresponding superglobal. In PHP 5.4 this now causes a fatal error such as "Cannot re-assign auto-global variable GLOBALS". - Turning null, false or an empty string into an object by adding a property will now emit a warning instead of an E_STRICT error. $test = null; $test->baz = 1; To create a generic object you can use StdClass: $test = new StdClass; $test->baz = 1; - Converting an array to a string now will cause an E_NOTICE warning. - Non-numeric string offsets, e.g. $a['foo'] where $a is a string, now return false on isset() and true on empty(), and produce warning if trying to use them. Offsets of types double, bool and null produce notice. Numeric strings ($a['2']) still work as before. Note that offsets like '12.3' and '5 and a half' are considered non-numeric and produce warning, but are converted to 12 and 5 respectively for backwards compatibility reasons. - Long numeric strings that do not fit in integer or double (such as "92233720368547758070") are compared using string comparison if they could otherwise result in precision loss - since 5.4.4. - Closures now support scopes and $this and can be rebound to objects using Closure::bind() and Closure::bindTo(). - 1; it doesn't merely decrement the resource refcount. - socket_set_options() and socket_get_options() now support multicast options. - The raw data parameter in openssl_encrypt() and openssl_decrypt() is now an options integer rather than a boolean. A value of true produces the same behavior. - Write operations within XSLT (for example with the extension sax:output) are disabled by default. You can define what is forbidden with the method XsltProcess::setSecurityPrefs($options). - Added AES support to OpenSSL. - openssl_csr_new() expects the textual data to be in UTF-8. - Added no-padding option to openssl_encrypt() and openssl_decrypt(). - Added a "no_ticket" SSL context option to disable the SessionTicket TLS extension. - Added new json_encode() options: JSON_PRETTY_PRINT, JSON_UNESCAPED_SLASHES, JSON_NUMERIC_CHECK, JSON_BIGINT_AS_STRING, JSON_UNESCAPED_UNICODE. - Added Tokyo Cabinet and Berkley DB 5 support to DBA extension. - Added support for CURLOPT_MAX_SEND_SPEED_LARGE and CURLOPT_MAX_RECV_SPEED_LARGE to cURL. - Added optional argument to debug_backtrace() and debug_print_backtrace() to limit the amount of stack frames returned. - Fixed crypt_blowfish handling of 8-bit characters. crypt() in Blowfish mode now supports hashes marked $2a$, $2x$ and $2y$. - mbstring now supports following encodings: Shift_JIS/UTF-8 Emoji, JIS X0213:2004 (Shift_JIS-2004, EUC-JP-2004, ISO-2022-JP-2004), MacJapanese (Shift_JIS), gb18030. - Added encode and decode in hex format to mb_encode_numericentity() and mb_decode_numericentity(). - Added support for SORT_NATURAL and SORT_FLAG_CASE in array sort functions: sort(), rsort(), ksort(), krsort(), asort(), arsort() and array_multisort(). - is_a() and is_subclass_of() now have third boolean parameter, which specifies if the first argument can be a string class name. Default if false for is_a and true for is_subclass_of() for BC reasons. - ob_start() will now treat a chunk size of 1 as meaning 1 byte, rather than the previous special case behavior of treating it as 4096 bytes. - idn_to_ascii() and idn_to_utf8() now take two extra parameters, one indicating the variant (IDNA 2003 or UTS #46) and another, passed by reference, to return details about the operation in case UTS #46 is chosen. - gzencode() used with FORCE_DEFLATE now generates RFC1950 compliant data. - ob_start() no longer starts multiple output buffers when passed array("callback1", "callback2", "callback3", ...). - Since 5.4.4, "php://fd" stream syntax is available only in CLI build. - Since 5.4.5, resourcebundle_create() accepts null for the first two arguments. - Since 5.4.6, SimpleXMLElement::getDocNamespaces() has and extra parameter which allows for toggling if the list of namespaces starts from the document root or from the node you call the method on - Since 5.4.7, ctor is always called when new user stream wrapper object is created. Before, it was called only when stream_open was called. 4a. unserialize() change ------------------------ - Starting PHP 5.4.29, the bug fix for bug #67072 introduces a change to unserialize() function, detailed below: If the string looking like 'O:..:"ClassName":...' is unserialized, and the class named is an internal class that declares custom unserializer function, or extends such class, unserialize would fail. Using O: for user classes not extending internal classes (including those implementing Serializable) is still supported in 5.4, though it is deprecated and may not be supported in 5.6 for classes that do not originally serialize to O:. Same for using O: for internal classes implementing Serializable (like ArrayObject) and classes that extend them. The reason for that is that O: format is meant to be used with classes that do not define custom handlers, and was never intended for the use with classes that do. When used with the class that relies on custom unserializer, it can leave the object of such internal class in an inconsistent state which has been observed to result in crashes and may also lead to memory corruption and ultimately even arbitrary code execution. This was never the intended use of unserializer, and mere possibility of doing this constitutes a bug, since the data passed to unserialize() is not a valid serialization of any object. Since there are many applications applying unserialize() to untrusted data, this presents a potential security vulnerability. Thus, keeping such bug in the code base was considered too dangerous. We are aware that some applications use O: format as a way to instantiate classes. This was never the intended usage of serializer, and ReflectionClass methods such as newInstance or newInstanceWithoutConstructor can be used for that. We're working on providing more comprehensive solution for such use cases in PHP 5.6 and welcome the ideas in this area. We note also that using unserialize() on any data that is not the result of serialize() call continues to be an unsupported scenario and should not be relied on to produce any specific result. ============================== 5. Changes to existing classes ============================== - Classes that implement stream wrappers can define a method called stream_truncate that will respond to truncation, e.g. through ftruncate. Strictly speaking, this is an addition to the user-space stream wrapper template, not a change to an actual class. - Classes that implement stream wrappers can define a method called stream_metadata that will be called on touch(), chmod(), chgrp(), chown(). - Arrays cast from SimpleXMLElement now always contain all nodes instead of just the first matching node. - All SimpleXMLElement children are now always printed when using var_dump(), var_export(), and print_r(). - Added iterator support in MySQLi. mysqli_result implements Traversable. - Since 5.4.30, SOAPClient has __getCookies() method. ============================== 6. Changes to existing methods ============================== - DateTime::parseFromFormat() now has a "+" modifier to allow trailing text in the string to parse without throwing an error. - Added the ability to pass options to DOMDocument::loadHTML(). - FilesystemIterator, GlobIterator and (Recursive)DirectoryIterator now use the default stream context. - Since 5.4.5, the constructor of ResourceBundle accepts NULL for the first two arguments. =========================== 7. Deprecated Functionality =========================== - The following functions are deprecated in PHP 5.4: - mcrypt_generic_end(): use mcrypt_generic_deinit() instead - mysql_list_dbs() ======================== 8. Removed Functionality ======================== a. Removed features The following features have been removed from PHP 5.4: - Magic quotes - Register globals - Safe mode - Session extension bug compatibility mode - Y2K compliance mode b. Removed functions The following functions are no longer available in PHP 5.4: - define_syslog_variables() - import_request_variables() - session_is_registered() - session_register() - session_unregister() - set_magic_quotes_runtime() - mysqli_bind_param() (alias of mysqli_stmt_bind_param()) - mysqli_bind_result() (alias of mysqli_stmt_bind_result()) - mysqli_client_encoding() (alias of mysqli_character_set_name()) - mysqli_fetch() (alias of mysqli_stmt_fetch()) - mysqli_param_count() (alias of mysqli_stmt_param_count()) - mysqli_get_metadata() (alias of mysqli_stmt_result_metadata()) - mysqli_send_long_data() (alias of mysqli_stmt_send_long_data()) - mysqli::client_encoding() (alias of mysqli::character_set_name) - mysqli_stmt::stmt() (never worked/always throws, undocumented) c. Removed syntax - break $var; - continue $var; d. Removed hash algorithms - Salsa10 and Salsa20, which are actually stream ciphers ==================== 9. Extension Changes ==================== a. Extensions no longer maintained - ext/sqlite is no longer part of the base distribution and has been moved to PECL. Use sqlite3 or PDO_SQLITE instead. b. Extensions with changed behavior - The MySQL extensions (ext/mysql, mysqli and PDO_MYSQL) use mysqlnd as the default library now. It is still possible to use libmysql by specifying a path to the configure options. - PDO_MYSQL: Support for linking with MySQL client libraries older than 4.1 is removed. - The session extension now can hook into the file upload feature in order to provide upload progress information through session variables. - SNMP extension - Functions in SNMP extension now returns FALSE on every error condition including SNMP-related (no such instance, end of MIB, etc). Thus, in patricular, breaks previous behavior of get/walk functions returning an empty string on SNMP-related errors. - Multi OID get/getnext/set queries are now supported. - New constants added for use in snmp_set_oid_output_format() function. - Function snmp_set_valueretrieval() changed it's behavior: SNMP_VALUE_OBJECT can be combined with one of SNMP_VALUE_PLAIN or SNMP_VALUE_LIBRARY resulting OID value changes. When no SNMP_VALUE_PLAIN or SNMP_VALUE_LIBRARY is supplied with SNMP_VALUE_OBJECT, SNMP_VALUE_LIBRARY is used. Prior to 5.4.0 when no SNMP_VALUE_PLAIN or SNMP_VALUE_LIBRARY was supplied with SNMP_VALUE_OBJECT, SNMP_VALUE_PLAIN was used. - Added feature-rich OO API (SNMP class) - Dropped UCD-SNMP compatibility code. Consider upgrading to net-snmp v5.3+. Net-SNMP v5.4+ is required for Windows version. - In sake of adding support for IPv6 DNS name resolution of remote SNMP agent (peer) is done by extension now, not by Net-SNMP library anymore. - Date extension - Setting the timezone with the TZ environment variable is no longer supported, instead date.timezone and/or date_default_timezone_set() have to be used. - The extension will no longer guess the default timezone if none is set with date.timezone and/or date_default_timezone_set(). Instead it will always fall back to "UTC". - Hash extension - the output of the tiger hash family has been corrected, see https://bugs.php.net/61307 =========================== 10. Changes in SAPI support =========================== - A REQUEST_TIME_FLOAT value returns a floating point number indicating the time with microsecond precision. All SAPIs providing this value should be returning float and not time_t. - apache_child_terminate(), getallheaders(), apache_request_headers() and apache_response_headers() are now supported on FastCGI. - The interactive shell allows a shortcut #inisetting=value to change php.ini settings at run-time. - The interactive shell now works with the shared readline extension. - The interactive shell no longer terminates on fatal errors. - A new PHP CLI command line option --rz shows information about the named Zend extension. =================== 11. Windows support =================== - is_link now works properly for symbolic links on Windows Vista or later. Earlier systems do not support symbolic links. - As of PHP 5.4.5 and above the COM extension isn't compiled statically in PHP anymore but shared. It'll still be delivered with the standard PHP release but must be activated manually with the "extension = php_com_dotnet.dll" directive in php.ini. - Apache 2.4 handler is supported as of PHP 5.4.9 ================== 12. New in PHP 5.4 ================== a. New Features - A built-in CLI web server for testing purposes is now available: $ php -S 127.0.0.1:8888 - File Upload Progress support is implemented in the Session extension. b. Syntax additions - Traits: trait HelloWorld { public function sayHello() { echo 'Hello World!'; } } class CanIGetHello { use HelloWorld; } $hello = new CanIGetHello(); $hello->sayHello(); - Function call result array access, e.g.: foo()[0] $foo->bar()[0] - Callable typehint indicating argument must be callable: function foo(callable $do) { } foo("strcmp"); foo(function() {}); $o = new ArrayObject(); foo(array($o, "count")); - Short array syntax: $a = [1, 2, 3, 4]; $a = ['one' => 1, 'two' => 2, 'three' => 3, 'four' => 4]; $a = ['one' => 1, 2, 'three' => 3, 4]; - Binary number format: 0b00100 0b010101 - Chained string array offsets now work. $a = "abc"; echo $a[0][0]; - Anonymous functions now support using $this and class scope. Anonymous function can be declared as "static" to ignore the scope. - Class::{expr}() syntax is now supported: class A { static function foo() { echo "Hello world!\n"; } } $x = "f"; $y = "o"; A::{$x.$y.$y}(); - Class member access on instantiation: (new foo)->method() (new foo)->property (new foo)[0] c. New functions - Core: - get_declared_traits() - getimagesizefromstring() - hex2bin() - header_register_callback() - http_response_code() - stream_set_chunk_size() - socket_import_stream() - trait_exists() - Intl: - transliterator_create() - transliterator_create_from_rules() - transliterator_create_inverse() - transliterator_get_error_code() - transliterator_get_error_message() - transliterator_list_ids() - transliterator_transliterate() - LDAP: - ldap_control_paged_result() - ldap_control_paged_result_response() - ldap_modify_batch (5.4.26) - libxml: - libxml_set_external_entity_loader() - mysqli: - mysqli_error_list() - mysqli_stmt_error_list() - pgsql - pg_escape_identifier() (5.4.4) - pg_escape_literal() (5.4.4) - Session: - session_register_shutdown() - session_status() - SPL - class_uses() - SplFixedArray - SplFixedArray::__wakeup() (5.4.18) d. New global constants - CURLOPT_MAX_RECV_SPEED_LARGE - CURLOPT_MAX_SEND_SPEED_LARGE - ENT_DISALLOWED - ENT_HTML401 - ENT_HTML5 - ENT_SUBSTITUTE - ENT_XHTML - ENT_XML1 - IPPROTO_IP - IPPROTO_IPV6 - IPV6_MULTICAST_HOPS - IPV6_MULTICAST_IF - IPV6_MULTICAST_LOOP - IP_MULTICAST_IF - IP_MULTICAST_LOOP - IP_MULTICAST_TTL - JSON_BIGINT_AS_STRING - JSON_OBJECT_AS_ARRAY - JSON_PRETTY_PRINT - JSON_UNESCAPED_SLASHES - JSON_UNESCAPED_UNICODE - LIBXML_HTML_NODEFDTD - LIBXML_HTML_NOIMPLIED - LIBXML_PEDANTIC - MCAST_JOIN_GROUP - MCAST_LEAVE_GROUP - MCAST_BLOCK_SOURCE - MCAST_UNBLOCK_SOURCE - MCAST_JOIN_SOURCE_GROUP - MCAST_LEAVE_SOURCE_GROUP - OPENSSL_CIPHER_AES_128_CBC - OPENSSL_CIPHER_AES_192_CBC - OPENSSL_CIPHER_AES_256_CBC - OPENSSL_RAW_DATA - OPENSSL_ZERO_PADDING - PHP_OUTPUT_HANDLER_CLEAN - PHP_OUTPUT_HANDLER_CLEANABLE - PHP_OUTPUT_HANDLER_DISABLED - PHP_OUTPUT_HANDLER_FINAL - PHP_OUTPUT_HANDLER_FLUSH - PHP_OUTPUT_HANDLER_FLUSHABLE - PHP_OUTPUT_HANDLER_REMOVABLE - PHP_OUTPUT_HANDLER_STARTED - PHP_OUTPUT_HANDLER_STDFLAGS - PHP_OUTPUT_HANDLER_WRITE - PHP_QUERY_RFC1738 - PHP_QUERY_RFC3986 - PHP_SESSION_ACTIVE - PHP_SESSION_DISABLED - PHP_SESSION_NONE - SCANDIR_SORT_ASCENDING - SCANDIR_SORT_DESCENDING - SCANDIR_SORT_NONE - SORT_FLAG_CASE - SORT_NATURAL - STREAM_META_ACCESS - STREAM_META_GROUP - STREAM_META_GROUP_NAME - STREAM_META_OWNER - STREAM_META_OWNER_NAME - STREAM_META_TOUCH - T_CALLABLE - T_INSTEADOF - T_TRAIT - T_TRAIT_C - ZLIB_ENCODING_DEFLATE - ZLIB_ENCODING_GZIP - ZLIB_ENCODING_RAW - U_IDNA_DOMAIN_NAME_TOO_LONG_ERROR - IDNA_CHECK_BIDI - IDNA_CHECK_CONTEXTJ - IDNA_NONTRANSITIONAL_TO_ASCII - IDNA_NONTRANSITIONAL_TO_UNICODE - INTL_IDNA_VARIANT_2003 - INTL_IDNA_VARIANT_UTS46 - IDNA_ERROR_EMPTY_LABEL - IDNA_ERROR_LABEL_TOO_LONG - IDNA_ERROR_DOMAIN_NAME_TOO_LONG - IDNA_ERROR_LEADING_HYPHEN - IDNA_ERROR_TRAILING_HYPHEN - IDNA_ERROR_HYPHEN_3_4 - IDNA_ERROR_LEADING_COMBINING_MARK - IDNA_ERROR_DISALLOWED - IDNA_ERROR_PUNYCODE - IDNA_ERROR_LABEL_HAS_DOT - IDNA_ERROR_INVALID_ACE_LABEL - IDNA_ERROR_BIDI - IDNA_ERROR_CONTEXTJ e. New classes - Reflection: - ReflectionZendExtension - Intl: - Transliterator - Spoofchecker - JSON: - JsonSerializable - Session: - SessionHandler - SNMP: - SNMP - SPL: - CallbackFilterIterator - RecursiveCallbackFilterIterator f. New methods - Closure: - Closure::bind() - Closure::bindTo() - Reflection: - ReflectionClass::getTraitAliases() - ReflectionClass::getTraitNames() - ReflectionClass::getTraits() - ReflectionClass::isCloneable() - ReflectionClass::isTrait() - ReflectionClass::newInstanceWithoutConstructor() - ReflectionExtension::isPersistent() - ReflectionExtension::isTemporary() - ReflectionFunction::getClosure() - ReflectionFunction::getClosureScopeClass() - ReflectionFunction::getClosureThis() - ReflectionFunctionAbstract::getClosureScopeClass() - ReflectionFunctionAbstract::getClosureThis() - ReflectionMethod::getClosure() - ReflectionMethod::getClosureScopeClass() - ReflectionMethod::getClosureThis() - ReflectionObject::getTraitAliases() - ReflectionObject::getTraitNames() - ReflectionObject::getTraits() - ReflectionObject::isCloneable() - ReflectionObject::isTrait() - ReflectionObject::newInstanceWithoutConstructor() - ReflectionParameter::canBePassedByValue() - ReflectionParameter::isCallable() - PDO_DBLIB: - PDO::newRowset() - SPL: - DirectoryIterator::getExtension() - RegexIterator::getRegex() - SplDoublyLinkedList::serialize() - SplDoublyLinkedList::unserialize() - SplFileInfo::getExtension() - SplFileObject::fputcsv() - SplObjectStorage::getHash() - SplQueue::serialize - SplQueue::unserialize - SplStack::serialize - SplStack::unserialize - SplTempFileObject::fputcsv - XSLT: - XsltProcessor::setSecurityPrefs() - XsltProcessor::getSecurityPrefs() - Zlib: - zlib_decode() - zlib_encode() g. New Hash algorithms - fnv132 - fnv164 - joaat