What Rasmus Lerdorf started in 1994 is now used by more than 80% of all websites in the world. The PHP programming language has been widely ported and can be deployed on most web servers on almost every platform and operating system, free of charge. Although the language's development is focused on server-side scripting, you can do much more with it.
On 30 November, 2017, the PHP development team released version 7.2.0, the second feature update to the PHP 7 series. Like other updates, it comes with several new features and improvements. We have listed the 8 biggest changes that you will see in PHP 7.2.0. Have a look.
8. No Mcrypt Extension
The Mcrypt extension has been removed in this version. According to the developers, Mcrypt has many design warts and puts a lot of strain on implementors to select suitable components and wrap them together effectively, which leads to error-prone cryptographic designs and thus insecure applications.
7. New Libsodium Extension
PHP has adopted the new libsodium extension that uses the ‘Sodium’ namespace. It’s a modern cryptography library offering high-speed elliptic curve cryptography, authenticated encryption, digital signatures, and much more.
It is widely praised by cryptography and security industry experts for several reasons –
- APIs are powerful and simple
- Best-in-class elliptic curve cryptography
- Performs almost all security-critical operations in constant time
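As an added example (not code from the PHP project), the following shows the authenticated encryption that Mcrypt left implementors to assemble by hand, done with the extension's sodium_crypto_secretbox functions as shipped in PHP 7.2. The helper names and the sample message are constructed for illustration.

```php
<?php
// Added example: authenticated symmetric encryption with the bundled sodium
// extension (PHP >= 7.2). Helper names and the message are constructed samples.

function encrypt_message(string $plaintext, string $key): string
{
    // A fresh random nonce per message; it is not secret and travels with the ciphertext.
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

function decrypt_message(string $encoded, string $key): string
{
    $minLength = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < $minLength) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // sodium_crypto_secretbox_open() returns false when the authentication tag does not verify.
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Ciphertext failed authentication');
    }
    return $plain;
}

$key = sodium_crypto_secretbox_keygen();
$box = encrypt_message('session=42;role=user', $key);
echo 'decrypted: ', decrypt_message($box, $key), PHP_EOL;

// Flip one bit of the stored ciphertext: decryption has to refuse it.
$raw  = base64_decode($box);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
try {
    decrypt_message(base64_encode($raw), $key);
    echo 'tampered ciphertext was accepted', PHP_EOL;
} catch (RuntimeException $e) {
    echo 'tampered ciphertext rejected: ', $e->getMessage(), PHP_EOL;
}

sodium_memzero($key); // wipe the key from memory once it is no longer needed
```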
6. Improved TLS / SSL constants
TLS constants in PHP 7.2.0 have been changed to sane values. This favors strong security over backwards compatibility with out-of-date and version-intolerant servers. Moreover, STREAM_CRYPTO_METHOD_TLS_* will be migrated in the future when newer TLS versions are available.
This will break connection attempts to a TLS server that has only TLS 1.0 enabled. It will also break all ssl:// wrapper connections if the remote host supports only SSL (not TLS).
5. Object typehint
Scalar types for parameters were introduced in PHP 7. They can also be used as return types for functions. However, you can’t declare that a function must return an object, or that it must be passed an object as a parameter.
PHP 7.2.0 allows object as a return type and parameter type. Any object passes the type check; if you pass a value that is not an object to a parameter declared as type object, it fails the type check and a TypeError is thrown.
In the same way, a TypeError is thrown if a function is declared as returning object but does not return one. Because object is used internally, it becomes a reserved class name and is therefore not available for use as a class name in userland code.
For class methods that use object as either a return type or a parameter type, the inheritance checks use covariance for return types and contravariance for parameter types.
4. HashContext as Object
In PHP 5 and later versions, objects are preferred for wrapping internal data. The hash extension, however, was written to use resources. To correct this, the Hash extension has been migrated to use an object implementation for hash contexts rather than a resource.
PHP 7.2.0 converts the opaque resource to an opaque object to make sure that existing code continues to function unless it checks for is_resource() explicitly. This would also make potential security issues as the internal hash state visible.
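The is_resource() case mentioned above, as an added example rather than code from the PHP project: a guard that worked before 7.2 rejects every hash context afterwards, while a check that also accepts HashContext works on both. The helper names and the key are hypothetical.

```php
<?php
// Added example. hash_init() returns a resource before PHP 7.2 and a
// HashContext object from 7.2 on. Helper names and the key are constructed.

// Pre-7.2 style guard: from 7.2 on it rejects every valid hash context.
function is_hash_context_legacy($ctx): bool
{
    return is_resource($ctx);
}

// Version-tolerant guard: instanceof is simply false when the class does not exist.
function is_hash_context($ctx): bool
{
    return $ctx instanceof HashContext || is_resource($ctx);
}

// Incremental HMAC-SHA256 over chunks, e.g. a large upload read piece by piece.
function hmac_chunks(iterable $chunks, string $key): string
{
    $ctx = hash_init('sha256', HASH_HMAC, $key);
    if (!is_hash_context($ctx)) {
        throw new RuntimeException('hash_init() did not return a hash context');
    }
    foreach ($chunks as $chunk) {
        hash_update($ctx, $chunk);
    }
    return hash_final($ctx);
}

$key = 'constructed-demo-key';
$ctx = hash_init('sha256', HASH_HMAC, $key);
echo 'legacy guard accepts context:   ', var_export(is_hash_context_legacy($ctx), true), PHP_EOL;
echo 'tolerant guard accepts context: ', var_export(is_hash_context($ctx), true), PHP_EOL;

$tag      = hmac_chunks(['part one, ', 'part two'], $key);
$expected = hash_hmac('sha256', 'part one, part two', $key);
echo 'incremental tag matches one-shot HMAC: ', var_export(hash_equals($expected, $tag), true), PHP_EOL;
```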
3. Handling Non-Countable Objects
Calling count() on an object that does not implement the Countable interface, or on a scalar, returns 1. This could hide defects. Consider the code as an example –
If you pass a Generator that has nothing, it won’t call allempty() or allvalues(), or alert the programmer to the issue. PHP 7.2.0 now raises a warning when count() is called with a parameter that is null, a scalar, or an object that does not implement Countable.
Since count() will still return 0 for null, and 1 otherwise, backwards compatibility is preserved.
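An added illustration of this pitfall, not code from the original article or the PHP project: an empty Generator is misreported by a count()-based check, the new warning is promoted to an exception so it cannot be missed, and a safe variant only calls count() where it is meaningful. Function names are hypothetical; the script is written for PHP 7.2 and later.

```php
<?php
// Added example. Function names are hypothetical. On PHP 7.2-7.4 the unsafe
// call raises a warning; PHP 8 throws a TypeError instead. Both are caught below.

function empty_generator(): Generator
{
    yield from [];
}

// Defect-prone: count() on a Generator does not count its items.
function describe_unsafe($items): string
{
    return count($items) === 0 ? 'empty' : 'has values';
}

// Only trust count() on arrays and Countable objects; otherwise iterate.
function describe_safe(iterable $items): string
{
    if (is_array($items) || $items instanceof Countable) {
        return count($items) === 0 ? 'empty' : 'has values';
    }
    foreach ($items as $_) {
        return 'has values';
    }
    return 'empty';
}

// Promote warnings to exceptions so the misuse stops execution instead of scrolling past in a log.
set_error_handler(function (int $no, string $msg, string $file, int $line) {
    throw new ErrorException($msg, 0, $no, $file, $line);
}, E_WARNING);

try {
    echo 'unsafe check says: ', describe_unsafe(empty_generator()), PHP_EOL;
} catch (Throwable $e) {
    echo 'unsafe check stopped: ', $e->getMessage(), PHP_EOL;
}
restore_error_handler();

echo 'safe, empty generator: ', describe_safe(empty_generator()), PHP_EOL;
echo 'safe, empty array:     ', describe_safe([]), PHP_EOL;
echo 'safe, ArrayObject:     ', describe_safe(new ArrayObject([1, 2])), PHP_EOL;
```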
2. Argon2 Password Hash
PHP now implements Argon2 within the password_* functions, instead of Bcrypt. It’s a modern algorithm that makes your passwords even stronger. Argon2 is designed for the highest memory filling rate and provides defense against tradeoff attacks. It takes 3 different factors into account:
- Memory cost (how much memory the algorithm uses)
- Time cost (how long the algorithm takes to execute, and the number of iterations)
- Parallelism (number of parallel threads)
There are 2 versions of Argon2 – Argon2d and Argon2i. Argon2d uses data-dependent memory access and is faster. It’s more secure against GPU cracking attacks and suits apps with no threats from side-channel timing attacks. On the other hand, Argon2i is tuned for password-based key derivation and password hashing.
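The three cost factors map onto the memory_cost, time_cost and threads options of password_hash(). This added example (not from the PHP project) selects Argon2i explicitly through PASSWORD_ARGON2I and upgrades an existing Bcrypt hash at login with password_needs_rehash(). The cost values, helper names and password are constructed samples, and the script assumes a PHP build with Argon2 support.

```php
<?php
// Added example. Needs PHP >= 7.2 built with Argon2 support. Cost values,
// helper names and the password are constructed samples, not recommendations.

if (!defined('PASSWORD_ARGON2I')) {
    exit("This PHP build has no Argon2 support\n");
}

const ARGON2_OPTIONS = [
    'memory_cost' => 1 << 16, // memory cost in KiB (64 MiB)
    'time_cost'   => 4,       // number of iterations
    'threads'     => 1,       // parallelism
];

function hash_new_password(string $password): string
{
    return password_hash($password, PASSWORD_ARGON2I, ARGON2_OPTIONS);
}

// Verify a login. When the stored hash uses another algorithm or weaker costs,
// also return a replacement hash to persist (null when nothing has to change).
function verify_and_upgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $upgrade = password_needs_rehash($storedHash, PASSWORD_ARGON2I, ARGON2_OPTIONS)
        ? hash_new_password($password)
        : null;
    return [true, $upgrade];
}

$password = 'correct horse battery staple';
$legacy   = password_hash($password, PASSWORD_BCRYPT); // an existing Bcrypt record

[$ok, $newHash] = verify_and_upgrade($password, $legacy);
$info = password_get_info($newHash);
echo 'login ok: ', var_export($ok, true), PHP_EOL;
echo 'algorithm after upgrade: ', $info['algoName'], PHP_EOL;
echo 'stored parameters: ', json_encode($info['options']), PHP_EOL;

[, $again] = verify_and_upgrade($password, $newHash);
echo 'second login needs rehash: ', var_export($again !== null, true), PHP_EOL;

[$accepted] = verify_and_upgrade('wrong password', $newHash);
echo 'wrong password accepted: ', var_export($accepted, true), PHP_EOL;
```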
1. Convert Numeric Keys In Object or Array Casts
Many edge cases exist in the Zend Engine where object HashTables can have integer keys, and array HashTables can have numeric string keys. In such scenarios, the keys cannot be accessed through PHP code. This is because the code handling objects would never search for integer keys in the HashTable, as objects map those to string keys. Similarly, the code handling arrays would never look for numeric string keys in the HashTable, as arrays map those to integer keys.
This issue can be fixed by converting the keys of object or array HashTables, so numeric string property names in objects will be converted to integer array keys, and vice-versa, leaving no inaccessible properties behind.
Although developers have tried to fix this issue many times before, there is a significant performance issue – simply copying a HashTable without performing key conversion is much faster than making a new HashTable and iterating over all keys in the existing HashTable to manually copy them to the new one, converting where required.
In order to deal with the performance issue, the new approach will avoid manually copying the entire HashTable. It will first confirm whether it’s essential, either by checking flags or iterating over the HashTable checking for keys that require conversion.
If there is no need for conversion, it will fall back to zend_array_dup() (which is much faster), or simply copy the reference. Since the approach performs manual duplication only where necessary, converting objects with only non-numeric string property names to arrays, and converting arrays with only string keys to objects, has a very low performance impact.
For these conversions, the new zend_proptable_to_symtable() (object to array HashTable) and zend_symtable_to_proptable() (array to object HashTable) have been integrated into the Zend API.
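The effect is visible from userland. This added example (not from the PHP project) casts in both directions and lists any key that can no longer be read back; on PHP 7.2 and later both lists come out empty, whereas earlier versions are the ones described above as leaving such keys unreachable. Helper names and data are constructed, and the object parameter type itself requires PHP 7.2.

```php
<?php
// Added example; helper names and sample data are constructed.

// Keys of $data that cannot be read back as properties after an (object) cast.
function lost_in_object_cast(array $data): array
{
    $obj  = (object) $data;
    $lost = [];
    foreach (array_keys($data) as $key) {
        if (!isset($obj->{(string) $key})) {
            $lost[] = $key;
        }
    }
    return $lost;
}

// Property names of $obj that cannot be read back as keys after an (array) cast.
function lost_in_array_cast(object $obj, array $names): array
{
    $arr  = (array) $obj;
    $lost = [];
    foreach ($names as $name) {
        // A numeric string such as '123' is looked up as the integer key 123.
        if (!array_key_exists($name, $arr)) {
            $lost[] = $name;
        }
    }
    return $lost;
}

$record = [0 => 'first', 42 => 'answer', 'name' => 'demo']; // array with integer keys

$object = new stdClass();
$object->{'123'} = 'numeric property name';                 // numeric string property
$object->label   = 'plain property';

echo 'array -> object, unreachable keys: ', json_encode(lost_in_object_cast($record)), PHP_EOL;
echo 'object -> array, unreachable keys: ',
    json_encode(lost_in_array_cast($object, ['123', 'label'])), PHP_EOL;
echo 'type of first key after (array) cast: ', gettype(array_keys((array) $object)[0]), PHP_EOL;
```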
Other Minor Changes
- Implemented ‘Trailing Commas In List Syntax’
- Added extended_value to opcode dump output
- Implemented imageresolution as getter and setter
- Added DateTime constants to the DateTimeInterface interface
- Moved utf8_decode() and utf8_encode() to the Standard extension
- Integrated global optimization passes based on data flow analysis using SSA (Static Single Assignment)
If you’re interested in reading the complete list of changes, it is available in the Changelog. To get this version, visit the official download page. There is also a migration guide available in the PHP Manual.