====== PHP RFC: Deprecations for PHP 8.5 ======
  * Date: 2024-09-26
  * Authors:
    * Gina Peter Banyard <girgias@php.net>
    * Christoph M. Becker <cmb@php.net>
    * Daniel Scherzer <daniel.e.scherzer@gmail.com>
    * Tim Düsterhus <timwolla@php.net>
    * Theodore Brown <theodorejb@php.net>
    * Jorg Sowa <jorg.sowa@gmail.com>
    * David Carlier <devnexen@gmail.com>
    * Jakub Zelenka <bukka@php.net>
    * Nicolas Grekas <nicolas.grekas@php.net>
    * Volker Dusch <edorian@php.net>
  * Status: Draft
  * Implementation: TBD

===== Introduction =====

The RFC proposes to deprecate the listed functionality in PHP 8.5 and remove it in PHP 9 (except where otherwise noted).

The following list provides a short overview of the functionality targeted for deprecation, while more detailed explanation is provided in the Proposal section:

  * Deprecate ''key_length'' parameter of <php>openssl_pkey_derive()</php>
  * ext/pdo deprecations:
    * Deprecate PDO's 'uri:' scheme
    * Deprecate PDO::ERRMODE_WARNING error mode
    * Deprecate driver specific <php>PDO</php> constants and methods
    * Deprecate <php>Pdo\Pgsql::PGSQL_TRANSACTION_IDLE</php>, <php>Pdo\Pgsql::PGSQL_TRANSACTION_ACTIVE</php>, <php>Pdo\Pgsql::PGSQL_TRANSACTION_INTRANS</php>, <php>Pdo\Pgsql::PGSQL_TRANSACTION_INERROR</php> and <php>Pdo\Pgsql::PGSQL_TRANSACTION_UNKNOWN</php>
  * Deprecate intl.error_level INI setting
  * ext/reflection deprecations:
    * Deprecate Reflection*::setAccessible()
    * Deprecate ReflectionParameter::allowsNull()
    * Deprecate ReflectionClass::getConstant() for missing constants
  * ext/filter deprecations:
    * Deprecate FILTER_DEFAULT constant
    * Make ''$filter'' parameter mandatory for <php>filter_*()</php> functions
    * Deprecate FILTER_CALLBACK filter
    * Deprecate <php>filter_input()</php>, <php>filter_input_array()</php>, and <php>filter_has_var()</php>
  * Core INI directive deprecations:
    * Deprecate the ''docref_root'' and ''docref_ext'' INI directives
    * Deprecate the ''error_prepend_string'' and ''error_append_string'' INI directives
    * Deprecate the ''report_memleaks'' INI directive
    * Deprecate the ''register_argc_argv'' INI directive
  * Formally deprecate mysqli_execute
  * Formally deprecate socket_set_timeout
  * Language/syntax deprecations:
    * Deprecate semicolon after ''case'' in switch statement
    * Deprecate non-standard cast names
    * Deprecate attributes applying to multiple class properties/constants
    * Deprecate backticks <php>`</php> as an alias for shell_exec
    * Deprecate <php>__construct()</php> and <php>__destruct()</php> in interfaces
    * Deprecate the <php>__sleep()</php> and <php>__wakeup()</php> magic methods
  * Deprecate the <php>$exclude_disabled</php> parameter of <php>get_defined_functions()</php>
  * Deprecate building ext/ldap against Oracle LDAP
  * Deprecate passing ''null'' to <php>readdir()</php>, <php>rewinddir()</php>, and <php>closedir()</php>
  * Deprecate the <php>$context</php> parameter for <php>finfo_buffer()</php>
  * Deprecate no-op functions from the resource to object conversion:
    * Deprecate <php>finfo_close()</php>
    * Deprecate <php>xml_parser_free()</php>
    * Deprecate <php>curl_close()</php>
    * Deprecate <php>curl_share_close()</php>
    * Deprecate <php>imagedestroy()</php>
  * Deprecate <php>DATE_RFC7231</php> and <php>DateTimeInterface::RFC7231</php>
  * ext/spl deprecations:
    * Deprecate <php>ArrayObject</php> and <php>ArrayIterator</php> with objects
    * Deprecate <php>SplObjectStorage::contains()</php>, <php>SplObjectStorage::attach()</php>, and <php>SplObjectStorage::detach()</php>
    * Deprecate passing <php>spl_autoload_call()</php> to <php>spl_autoload_unregister()</php>
  * Deprecate using values of type <php>null</php>, <php>bool</php>, and <php>float</php> as array offsets and when calling <php>array_key_exists()</php>
  * Deprecate <php>__debugInfo()</php> returning null
  * Deprecate constant redeclaration
  * Deprecate <php>Closure</php> binding issues
  * Enact follow-up phase of the "[[rfc:saner-inc-dec-operators|Path to Saner Increment/Decrement operators]]" RFC
  * Remove the ''disable_classes'' INI setting
  * Deprecate the <php>$http_response_header</php> predefined variable

===== Proposal =====

Each feature proposed for deprecation is voted separately and requires a 2/3 majority.
All votes refer to deprecation in PHP 8.5 and removal in PHP 9 (except where otherwise noted).

==== Deprecate key_length parameter of openssl_pkey_derive() ====

  * Author: Jakub Zelenka <bukka@php.net>

The key_length parameter is supposed to attempt to set the length of derived secret. However in reality it is completely ignored if the size is higher than the size of key prime. It has effect only if the size is lower that the size of the prime. In such case, the key is truncated for ECDH and the derivation fails for DH.

The idea is to deprecate this parameter so users do not get false sense of security when providing higher number than the size of prime.

This issue was raised during the security audit.

The caution notes has been added in https://github.com/php/doc-en/pull/3789 .

<doodle title="Deprecate key_length parameter of openssl_pkey_derive()?" auth="bukka" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== ext/pdo deprecations ====

=== Deprecate PDO's 'uri:' scheme ===

  * Author: Tim Düsterhus <timwolla@php.net>

PDO supports a ''uri:'' DSN scheme that does not refer to a database driver named “uri” but instead is an indication to read the actual DSN from the specified URI, including remote stream wrappers, such as HTTP URIs.

While this feature might appear to be useful to make it easier for environment-specific configuration of an application, the username and password notably are not part of the DSN, which would require a separate configuration mechanism and which point the actual DSN could use it as well. Similarly authentication via TLS certificates with the MySQL driver would require specifying the certificate and private key as the <php>$options</php>.

In case of remote stream wrappers, the feature can be actively dangerous, unless the URL referenced is 100% trustworthy, since the username and password for the database might be sent to an untrusted database servers. In case of the SQLite PDO driver, a remote URL might enable access to arbitrary SQLite files on the server. Furthermore remote stream wrappers might result in performance-bottlenecks, since the file is requested for every single connection.

If this feature is somehow exactly what is desired, it can easily replicated in userland as follows (while preserving the main semantics of only looking at the first line):

<PHP>
$dsn = '…';
if (str_starts_with($uri, 'uri:')) {
    if (($f = fopen(substr($uri, strlen('uri:')), 'rb'))) {
        $dsn = fgets($f, 512);
        fclose($f);
    } else {
        // Emit error message
    }
}
</PHP>

<doodle title="Deprecate PDO’s uri: scheme?" auth="timwolla" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate PDO::ERRMODE_WARNING error mode ===

  * Author: Gina Peter Banyard <girgias@php.net>

PDO can be set to report errors in 3 different ways:

  * <php>PDO::ERRMODE_SILENT</php>
  * <php>PDO::ERRMODE_WARNING</php>
  * <php>PDO::ERRMODE_EXCEPTION</php>

In silent mode, PDO will proceed if an error has occured within a PDO statement or PDO instance,
and set the error code and info so that it can be queried manually.
This allows for a more hands on approach to error handling.

In exception mode, PDO will instead throw a <php>PDOException</php> whenever an error occurs,
and unwind the stack unless it the exception is caught via a <php>catch</php> block.
This is a more of a hands off approach as error handling doesn't need to be done after each method call of a PDO or PDO statement instance.
This mode has been the default since PHP 8.0.

In warning mode, PDO will behave similarly as if set in silent mode,
but also raise an <php>E_WARNING</php> similarly to how the exception mode behaves.
As such this mode is a bit non-sensical as it is both a hands on and hands off approach to error handling.
Moreover, an <php>E_WARNING</php> may be promoted to an exception via an error handler set via <php>set_error_handler()</php>,
something that might not be expected by code written with <php>PDO::ERRMODE_SILENT</php> in mind.

As such we propose to deprecate the <php>PDO::ERRMODE_WARNING</php> constant and recommend users either use the silent or exception mode.


<doodle title="Deprecate PDO::ERRMODE_WARNING constant?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate driver specific PDO constants and methods ===

  * Author: Gina Peter Banyard <girgias@php.net>

With the acceptance and merging of the [[rfc:pdo_driver_specific_subclasses|PDO driver specific sub-classes]] RFC, the recommended way to provide driver specific functionality is by creating a subclass of PDO with said functionality. As such we propose deprecating the overloaded PDO constants which are declared using the <php>REGISTER_PDO_CLASS_CONST_LONG</php> macros and the overloaded PDO methods which are defined in the ''pgsql_driver.stub.php'' and ''sqlite_driver.stub.php'' files.

This means the following PDO constants would be deprecated:
  * <php>PDO::DBLIB_ATTR_CONNECTION_TIMEOUT</php>
  * <php>PDO::DBLIB_ATTR_QUERY_TIMEOUT</php>
  * <php>PDO::DBLIB_ATTR_STRINGIFY_UNIQUEIDENTIFIER</php>
  * <php>PDO::DBLIB_ATTR_VERSION</php>
  * <php>PDO::DBLIB_ATTR_TDS_VERSION</php>
  * <php>PDO::DBLIB_ATTR_SKIP_EMPTY_ROWSETS</php>
  * <php>PDO::DBLIB_ATTR_DATETIME_CONVERT</php>
  * <php>PDO::FB_ATTR_DATE_FORMAT</php>
  * <php>PDO::FB_ATTR_TIME_FORMAT</php>
  * <php>PDO::FB_ATTR_TIMESTAMP_FORMAT</php>
  * <php>PDO::MYSQL_ATTR_USE_BUFFERED_QUERY</php>
  * <php>PDO::MYSQL_ATTR_LOCAL_INFILE</php>
  * <php>PDO::MYSQL_ATTR_INIT_COMMAND</php>
  * <php>PDO::MYSQL_ATTR_MAX_BUFFER_SIZE</php>
  * <php>PDO::MYSQL_ATTR_READ_DEFAULT_FILE</php>
  * <php>PDO::MYSQL_ATTR_READ_DEFAULT_GROUP</php>
  * <php>PDO::MYSQL_ATTR_COMPRESS</php>
  * <php>PDO::MYSQL_ATTR_DIRECT_QUERY</php>
  * <php>PDO::MYSQL_ATTR_FOUND_ROWS</php>
  * <php>PDO::MYSQL_ATTR_IGNORE_SPACE</php>
  * <php>PDO::MYSQL_ATTR_SSL_KEY</php>
  * <php>PDO::MYSQL_ATTR_SSL_CERT</php>
  * <php>PDO::MYSQL_ATTR_SSL_CA</php>
  * <php>PDO::MYSQL_ATTR_SSL_CAPATH</php>
  * <php>PDO::MYSQL_ATTR_SSL_CIPHER</php>
  * <php>PDO::MYSQL_ATTR_SERVER_PUBLIC_KEY</php>
  * <php>PDO::MYSQL_ATTR_MULTI_STATEMENTS</php>
  * <php>PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT</php>
  * <php>PDO::MYSQL_ATTR_LOCAL_INFILE_DIRECTORY</php>
  * <php>PDO::ODBC_ATTR_USE_CURSOR_LIBRARY</php>
  * <php>PDO::ODBC_ATTR_ASSUME_UTF8</php>
  * <php>PDO::ODBC_SQL_USE_IF_NEEDED</php>
  * <php>PDO::ODBC_SQL_USE_DRIVER</php>
  * <php>PDO::ODBC_SQL_USE_ODBC</php>
  * <php>PDO::PGSQL_ATTR_DISABLE_PREPARES</php>
  * <php>PDO::PGSQL_TRANSACTION_IDLE</php>
  * <php>PDO::PGSQL_TRANSACTION_ACTIVE</php>
  * <php>PDO::PGSQL_TRANSACTION_INTRANS</php>
  * <php>PDO::PGSQL_TRANSACTION_INERROR</php>
  * <php>PDO::PGSQL_TRANSACTION_UNKNOWN</php>
  * <php>PDO::SQLITE_DETERMINISTIC</php>
  * <php>PDO::SQLITE_ATTR_OPEN_FLAGS</php>
  * <php>PDO::SQLITE_OPEN_READONLY</php>
  * <php>PDO::SQLITE_OPEN_READWRITE</php>
  * <php>PDO::SQLITE_OPEN_CREATE</php>
  * <php>PDO::SQLITE_ATTR_READONLY_STATEMENT</php>
  * <php>PDO::SQLITE_ATTR_EXTENDED_RESULT_CODES</php>

And the following overloaded PDO methods would be deprecated:
  * <php>PDO::pgsqlCopyFromArray()</php>
  * <php>PDO::pgsqlCopyFromFile()</php>
  * <php>PDO::pgsqlCopyToArray()</php>
  * <php>PDO::pgsqlCopyToFile()</php>
  * <php>PDO::pgsqlGetNotify()</php>
  * <php>PDO::pgsqlGetPid()</php>
  * <php>PDO::pgsqlLOBCreate()</php>
  * <php>PDO::pgsqlLOBOpen()</php>
  * <php>PDO::pgsqlLOBUnlink()</php>
  * <php>PDO::sqliteCreateAggregate()</php>
  * <php>PDO::sqliteCreateCollation()</php>
  * <php>PDO::sqliteCreateFunction()</php>

<doodle title="Deprecate driver specific PDO constants and methods?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate Pdo_Pgsql constants related to statement transaction state ===

  * Author: David Carlier <devnexen@gmail.com>

The following constants

  * <php>Pdo\Pgsql::PGSQL_TRANSACTION_IDLE</php>
  * <php>Pdo\Pgsql::PGSQL_TRANSACTION_ACTIVE</php>
  * <php>Pdo\Pgsql::PGSQL_TRANSACTION_INTRANS</php>
  * <php>Pdo\Pgsql::PGSQL_TRANSACTION_INERROR</php>
  * <php>Pdo\Pgsql::PGSQL_TRANSACTION_UNKNOWN</php>

seem to have been an attempt to equalize, feature-wise, the pgsql and pdo/pgsql extensions. While it makes perfect sense for the former, it can't be usable in the latter in any way since it never returns the precise statement transaction state to the user code. Internally, the extension only checks if the transaction is stale or not but those constants are completely irrelevant in this context.
Therefore, we propose to start deprecating them starting from 8.5 then remove them in the next major release.

<doodle title="Deprecate statement transaction state specific PDO constants?" auth="devnexen" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Deprecate intl.error_level INI setting ====

  * Author: Gina Peter Banyard <girgias@php.net>

Error handling within the Intl extension is handled by two ini settings:

  * The ''intl.use_exceptions'' INI setting which determines if errors are report by throwing an <php>IntlException</php>
  * The ''intl.error_level'' INI setting allows to set which type of error level should used, typically one of the <php>E_*</php> error constants.

Moreover, it is possible to enable both exceptions and use a non-zero error level, in which case the error is emitted first.
This means that it can be "caught" via an error handler set with <php>set_error_handler()</php> first and be promoted to an exception different than <php>IntlException</php>.

However, more concerningly is that the error level could be set to <php>E_ERROR</php> which would trigger a bailout of the PHP VM.
PHP's bailout mechanism is generaly reserved for severe engine failures, such as being unable to allocate memory.

There are multiple issues with bailouts which are described in detail in the [[https://wiki.php.net/rfc/engine_exceptions_for_php7#issues_with_fatal_errors|"Issues with fatal errors" section of the Exceptions in the engine (for PHP 7)]] RFC.
Some of them are:

  * <php>finally</php> blocks are not executed
  * Destructors are not executed
  * Memory may not be freed

As this INI setting has some of the same pitfalls as the <php>PDO::ERRMODE_WARNING</php> constant and can cause bailouts,
we propose deprecating this INI setting, meaning setting it to any value different than ''0'' will raise an <php>E_DEPRECATED</php> diagnostic.

<doodle title="Deprecate intl.error_level INI setting?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== ext/reflection deprecations ====

=== Deprecate Reflection*::setAccessible() ===

  * Author: Tim Düsterhus <timwolla@php.net>

The [[rfc:make-reflection-setaccessible-no-op|“Make reflection setAccessible() no-op” RFC]] in PHP 8.1 made the <php>Reflection*::setAccessible()</php> methods a noop. However it did not deprecate the methods to simplify cross-version compatibility.

Since PHP 8.0, which is the last version where the methods did anything, is already EOL and PHP 8.1, which introduced the change will be EOL shortly after the release of PHP 8.5, it seems reasonable to deprecate the methods to make users aware that they have no effect (especially for calls to <php>->setAccessible(false)</php>) and to encourage users to remove them.

If compatibility with PHP 8.0 or earlier is desired, the deprecation can be suppressed with <php>@</php> or alternatively the call to <php>->setAccessible()</php> can be guarded by an <php>if (PHP_VERSION_ID < 80100)</php> check.

We therefore propose to add:

<PHP>
#[\Deprecated(since: '8.5', message: "as this method does nothing")]
</PHP>

to the signature.

<doodle title="Deprecate Reflection*::setAccessible()?" auth="timwolla" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate ReflectionParameter::allowsNull() ===

  * Author: Daniel Scherzer <daniel.e.scherzer@gmail.com>

With the introduction of <php>ReflectionParameter::getType()</php> in PHP 7.0, the preferred way to analyze the type of a parameter is by calling that method and then examining it, e.g. using <php>ReflectionType::allowsNull()</php>. However, while most of the methods for examining a parameter type directly from <php>ReflectionParameter</php> have been deprecated (<php>::isArray()</php>, <php>::isCallable()</php>, and <php>::getClass()</php>), the <php>::allowsNull()</php> method was not.

We propose to deprecate <php>ReflectionParameter::allowsNull()</php> in favor of using <php>ReflectionType::allowsNull()</php> by adding

<PHP>
#[\Deprecated(since: '8.5', message: "use ReflectionParameter::getType() instead")]
</PHP>

to the signature.

<doodle title="Deprecate ReflectionParameter::allowsNull()?" auth="daniels" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate ReflectionClass::getConstant() for missing constants ===

  * Author: Daniel Scherzer <daniel.e.scherzer@gmail.com>

<php>ReflectionClass:getConstant()</php> returns the value of the class constant with a given name, or <php>false</php> if no such class constant exists. This behavior is confusing because it makes no distinction between a class constant with the value <php>false</php> and one that does not exist:

<PHP>
<?php

class Demo {
    public const EXISTS = false;
}

$r = new ReflectionClass( Demo::class );
echo "EXISTS: ";
var_dump( $r->getConstant( 'EXISTS' ) ); // false
echo "MISSING: ";
var_dump( $r->getConstant( 'MISSING' ) ); // false
</PHP>

Unlike with <php>ReflectionClass::getReflectionConstant()</php> (which returns either a <php>ReflectionClassConstant</php> or <php>false</php> for missing constants) the return value of <php>ReflectionClass:getConstant()</php> for a missing constant is also valid for an existing constant with the value <php>false</php>. This can result in confusion, and if the value is <php>false</php>, a call to <php>ReflectionClass::hasConstant()</php> to check if the constant exists or not. We propose that, if a constant with the given name does not exist, deprecation warnings be emitted (in PHP 8.5, becoming an exception in PHP 9.0).

<doodle title="Deprecate ReflectionClass::getConstant() for missing constants?" auth="daniels" voteType="single" closed="true">
   * Yes
   * No
</doodle>


==== ext/filter deprecations ====

  * Author: Gina Peter Banyard <girgias@php.net>

=== Deprecate FILTER_DEFAULT constant ===

The <php>FILTER_DEFAULT</php> constant is an alias for the <php>FILTER_UNSAFE_RAW</php> constant.
This has been the case since at least PHP 5.3.
This is confusing and seems to indicate that it corresponds to the filter set by the ''filter.default'' INI setting.
Moreover, this INI setting was deprecated in [[https://wiki.php.net/rfc/deprecations_php_8_1#filterdefault_ini_setting|PHP 8.1]].

As this constant is confusing and misleading, we propose to deprecate it.

<doodle title="Deprecate FILTER_DEFAULT constant?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Make $filter parameter mandatory for filter_*() functions ===

The <php>filter_*()</php> functions do not require passing the <php>$filter</php> parameter, the default value of it is <php>FILTER_DEFAULT</php> which is an alias for the <php>FILTER_UNSAFE_RAW</php> filter.
This filter does **nothing** if no flags are provided.
This behaviour is indicative of a bug, therefore, we propose to make the <php>$filter</php> argument mandatory and emit a deprecation notice if the default value is used.

<doodle title="Emit a deprecation notice when using the default value for the $filter argument of the filter_*() functions?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate FILTER_CALLBACK filter ===

The <php>FILTER_CALLBACK</php> filter allows providing a function to call on the value to filter.
This makes little sense as one can pass the value to filter directly to the function instead of passing by the filter extension.

Similarly, to filter an array of values, it is easier and more intuitive to use the <php>array_map()</php> function rather than the filter extension.

As such, we propose to deprecate this filter.

<doodle title="Deprecate FILTER_CALLBACK filter?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>


=== Deprecate filter_input(), filter_input_array(), and filter_has_var() ===

The <php>filter_input()</php> and <php>filter_input_array()</php> functions operate on the **original** values provided by the SAPI that populate the superglobals for <php>$_GET</php>, <php>$_POST</php>, <php>$_SERVER</php>, <php>$_ENV</php>, and <php>$_COOKIE</php>.

This means that modification to any entry of the superglobal will not be used when calling these functions.
This is showcased by the following PHPT test:

<PHP>
--TEST--
filter_input() filter with superglobal modified
--EXTENSIONS--
filter
--GET--
a=hello
--FILE--
<?php

var_dump($_GET);
$f1 = filter_input(INPUT_GET, "a", FILTER_CALLBACK, ['options' => fn (string $s) => $s === "world"]);
var_dump($f1);

$_GET['a'] = "world";
var_dump($_GET);
$f2 =filter_input(INPUT_GET, "a", FILTER_CALLBACK, ['options' => fn (string $s) => $s === "world"]);
var_dump($f2);
var_dump($_GET);

?>
--EXPECT--
array(1) {
  ["a"]=>
  string(5) "hello"
}
bool(false)
array(1) {
  ["a"]=>
  string(5) "world"
}
bool(false)
array(1) {
  ["a"]=>
  string(5) "world"
}
</PHP>

As it is easy and straight forward to have the same behaviour by using
<php>filter_var($_GET['a'], /* other params */)</php>
and <php>filter_var_array($_GET, /* other params */)</php>,
we propose to deprecate <php>filter_input()</php> and <php>filter_input_array()</php>.

As <php>filter_has_var()</php> is effectively equivalent to <php>array_key_exists()</php>,
but has the same caveat as the two previous functions, we propose to also deprecate this function.

<doodle title="Deprecate filter_input(), filter_input_array(), and filter_has_var()?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Core INI directive deprecations ====

=== Deprecate the docref_root and docref_ext INI directives ===

  * Author: Gina Peter Banyard <girgias@php.net>

Both of these INI settings allow overriding the output of HTML diagnostic errors
(warning, notice, deprecations, etc.) to change the base URL and file extension for the clickable links
pointing to functions and/or INI settings in error messages generated by calls to ''php_error_docref()''.

This is a debug feature and had some value when the php.net documentation had mirrors,
considering those have been retired, their use is now limited.

As such, we propose deprecating those two INI settings.

<doodle title="Deprecate the docref_root and docref_ext INI directives?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate the error_prepend_string and error_append_string INI directives ===

  * Author: Gina Peter Banyard <girgias@php.net>

Both of these INI settings allow overriding the output of HTML diagnostic errors
(warning, notice, deprecations, etc.) to prepend or append HTML before the generated HTML of these diagnostic errors.

This is a development and debugging feature which seems somewhat questionable and of limited use.

As such, we propose deprecating those two INI settings.

<doodle title="Deprecate the error_prepend_string and error_append_string INI directives?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate the report_memleaks INI directive ===

  * Author: Gina Peter Banyard <girgias@php.net>

This INI directive allows to suppress ZendMM memory leaks in debug builds of PHP.
This "feature" is highly questionable, as memory leaks should be fixed the moment they are made aware of.
Because this cannot affect production builds of PHP we propose deprecating this INI setting.

<doodle title="Deprecate the report_memleaks INI directive?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate the register_argc_argv INI directive ===

  * Author: Nicolas Grekas <nicolas.grekas@php.net>

This INI directive tells PHP whether to declare the argv & argc variables. On the CLI, phpdbg and embed SAPIs it is forced to On. On other SAPIs, it defaults to On in the C code but is set to Off in the default php.ini files. This setting is dangerous on HTTP SAPIs because it allows defining the value of the argv/argc variables from the query string. This is almost always unwanted and certainly unexpected. It can lead to security issues if one reads argv/argc from an HTTP apps while not being aware of this behavior.

We propose to deprecate this INI setting and make in default to Off in PHP 8.5, then to hardcode it to Off for all non-CLI-related SAPIs on PHP 9 (while keeping it hardcoded to On for CLI-related ones).

<doodle title="Deprecate the register_argc_argv INI directive and make in default to Off in PHP 8.5, then hardcode it to Off for all non-CLI-related SAPIs on PHP 9 (while keeping it hardcoded to On for CLI-related ones)?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Formally deprecate mysqli_execute ====

  * Author: Tim Düsterhus <timwolla@php.net>

<php>mysqli_execute()</php> is an alias of <php>mysqli_stmt_execute()</php> and already marked as deprecated in the documentation (“mysqli_execute() is deprecated and will be removed.”). Its name is misleading since it operates on an <php>mysqli_stmt</php> object, rather than an <php>mysqli</php> object, leading to possible confusion with the <php>mysqli_execute_query()</php> function added in PHP 8.2 that //does// operate on an <php>mysqli</php> object.

We therefore propose to add:

<PHP>
#[\Deprecated(since: '8.5', message: "use mysqli_stmt_execute() instead")]
</PHP>

to the signature.

<doodle title="Formally deprecate mysqli_execute?" auth="timwolla" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Formally deprecate socket_set_timeout ====

  * Author: Tim Düsterhus <timwolla@php.net>

<php>socket_set_timeout()</php> is an alias of <php>stream_set_timeout()</php> and already marked as deprecated in the documentation (“This function was previously called as set_socket_timeout() and later socket_set_timeout() but this usage is deprecated.”). Its name is misleading since it not part of the ext/sockets extension, which uses the <php>socket_x()</php> prefix.

We therefore propose to add:

<PHP>
#[\Deprecated(since: '8.5', message: "use stream_set_timeout() instead")]
</PHP>

to the signature.

<doodle title="Formally deprecate socket_set_timeout?" auth="timwolla" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Language/syntax deprecations ====
=== Deprecate semicolon after case in switch statement ===

  * Author: Theodore Brown <theodorejb@php.net>

It is possible to terminate ''case'' statements with a semicolon instead of the standard colon:

<PHP>
switch ($value) {
    case 'foo';
    case 'bar':
    case 'baz';
        echo 'foo, bar, or baz';
        break;
    default;
        echo 'Other';
}
</PHP>

This syntax is a leftover from PHP/FI 2, where nearly all lines including if conditions and case statements were terminated by a semicolon. [[https://externals.io/message/109350#109363|1]] [[https://www.php.net/manual/phpfi2.php#lang|2]]

There isn't a need for this syntax to exist anymore, and very few PHP developers are even aware of its existence. In the top 1000 Composer packages, zero out of 35,777 total case statements are using the alternate syntax (as of 2024-11-27). Edit: as of 2025-06-02 there are still zero usages of the alternate syntax in the top 1000 packages (out of 29,858 total case statements).

Case statements followed by a semicolon can cause confusion, as a developer may think they behave differently in some way from regular case statements (e.g. preventing fallthrough), when they do not.

Therefore, we propose to deprecate terminating case statements with a semicolon.

<doodle title="Deprecate semicolon-terminated case statements?" auth="theodorejb" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate non-standard cast names ===

  * Author: Gina Peter Banyard <girgias@php.net>

This supercedes the following inactive RFC [[rfc:deprecate-inconsistent-cast-keywords|Deprecate Inconsistent Cast Names]].

We propose to deprecate the following non-standard cast names:
  * <php>(integer)</php>
  * <php>(boolean)</php>
  * <php>(double)</php>
  * <php>(binary)</php>

This is inline how using non-standard names for built-in types emits a "confusable" warning at compile time, for example:
<PHP>
<?php

function foo(integer $x) {
    
}
</PHP>
Causes the following warning to be emitted:
<blockquote>Warning: "integer" will be interpreted as a class name. Did you mean "int"? Write "\integer" to suppress this warning</blockquote>

For consistency reasons with the rest of the language we propose to deprecate such casts and recommend using the standard ones.

<doodle title="Deprecate non-standard cast names?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate attributes applying to multiple class properties/constants ===

  * Author: Daniel Scherzer <daniel.e.scherzer@gmail.com>

Multiple class properties or constants can be declared in a single declaration, e.g.

<PHP>
<?php

#[Attribute]
class Test {}

class Foo {
    #[Test]
    public $bar, $baz;
    
    #[Test]
    public const BAR = 1, BAZ = 2;
}
</PHP>

This can be confusing, because the attributes are added to all of the properties/constants in the declaration, not just the first.

Because of the potential for confusion, when attributes were added to compile-time constants in [[rfc:attributes-on-constants]], adding attributes to multiple non-class constants at once was not allowed.

We now propose to deprecate the same confusing behavior for the existing cases of class properties/constants.

<doodle title="Deprecate attributes applying to multiple class properties/constants" auth="daniels" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate backticks as an alias for shell_exec ===

  * Author: Volker Dusch <edorian@php.net>

Backticks are a rarely used and somewhat unknown feature of PHP that can cause confusion and hide the need for error handling by not allowing access to exit codes.

   * In code review, it's hard to spot the difference between <php>`</php> and <php>'</php> at a glance.
   * JavaScript uses it for template strings, causing confusion between the syntax, even for more senior developers switching between the languages.
   * It's not trivial to look up what the operator does.
   * Refactoring efforts, even for complex calls, are minimal thanks to <php><<<'NOWDOC'</php>.
   * It would eventually free up the backtick operator for future use.
   * Simplifies the languages for humans, static analysis and other tooling.
   * Hides the need for <php>escapeshellarg</php> more than other ways of executing shell code.

Therefore, we propose to deprecate the backtick operator.

<doodle title="Deprecate backticks as an alias for shell_exec?" voteType="single" closed="true">
   * Yes
   * No
</doodle>


=== Deprecate __construct() and __destruct() in interfaces ===

  * Authors:
    * Gina Peter Banyard <girgias@php.net>
    * Tim Düsterhus <timwolla@php.net>

In PHP the <php>__construct()</php> magic methods is exempt from LSP compatibility obligations,
unless the class implements an interface that declares a <php>__construct()</php> method.

However, the <php>__construct()</php> should never be called manually unless when calling <php>parent::__construct()</php>
as it is tied to the the <php>new</php> keyword when instantiating a new class.
As the instantiation of a class is //dependent// on which class is being instantiated,
restricting how it can be done by enforcing a specific signature for <php>__construct()</php> is ill-advised.

Similarly, requiring a class to implement a <php>__destruct()</php> is nonsensical as this should never be called manually
and a class might not even need one.

As such we propose deprecating specifying the <php>__construct()</php> and <php>__destruct()</php> in interfaces.

<doodle title="Deprecate __construct() and __destruct() in interfaces?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate the __sleep() and __wakeup() magic methods ===

  * Author: Gina Peter Banyard <girgias@php.net>

Class serialization in PHP has had multiple mechanism introduced to control its behaviour by userland.
Initially with the <php>__sleep()</php> and <php>__wakeup()</php> magic methods, then with the <php>Serializable</php> interface and finally with <php>__serialize()</php> and <php>__unserialize()</php>.

The last mechanism of <php>__serialize()</php> and <php>__unserialize()</php> was introduced in PHP 7.4 with the [[custom_object_serialization|New custom object serialization mechanism RFC]] to fix deep issues with the way the <php>Serializable</php> interface worked and improve on the usability of the custom serialisation mechanism.
The [[phase_out_serializable|Serializable interface is in the process of being phased out]], however no such thing is being done for the initial serialization mechanism of <php>__sleep()</php> and <php>__wakeup()</php>.

Having multiple serializations methods which can be supersceded by newer methods is somewhat confusing and add unnecessary complexity to the language.
Because the <php>__serialize()</php>/<php>__unserialize()</php> mechanism is a straight up improvement over <php>__sleep()</php>/<php>__wakeup()</php> we propose to deprecate the latter in favour of the former.

<doodle title="Deprecate the __sleep() and __wakeup() magic methods?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Deprecate the $exclude_disabled parameter of get_defined_functions() ====

  * Author: Gina Peter Banyard <girgias@php.net>

As of PHP 8.0.0, functions that are disabled via the ''disable_functions'' INI setting are simply removed from the function table.
As such, this parameter no longer has any effect and is pointless.
Therefore, we propose to deprecate it.

<doodle title="Deprecate the $exclude_disabled parameter of get_defined_functions()?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Deprecate building ext/ldap against Oracle LDAP ====

  * Author: Christoph M. Becker <cmb@php.net>

Building ext/ldap against Oracle LDAP had been supported, and is theoretically still supported, but is apparently [[https://github.com/php/php-src/issues/15051|broken for a while]].  The Oracle LDAP implementation is part of Oracle Instant Client, and uses an older LDAP API; apparently, there are no plans for updating this.  So users are almost certainly better off to build against OpenLDAP (and if they need OCI8, to build that as shared library, and load after ext/ldap).

Therefore we supposed to deprecate building ext/ldap against Oracle LDAP.

It should be noted that the ''ldap_connect_wallet()'' function, [[https://wiki.php.net/rfc/deprecate_functions_with_overloaded_signatures#ldap_connect|available only as of PHP 8.3]], would also be part of the deprecation, as well as other existing Oracle LDAP specific features.

==== Deprecate passing null to readdir(), rewinddir(), and closedir()  ====

  * Author: Gina Peter Banyard <girgias@php.net>

The <php>readdir()</php>, <php>rewinddir()</php>, and <php>closedir()</php> functions accept <php>null</php> as the value for the <php>$dir_handle</php>, in which case it will used the previously opened directory stream opened with <php>opendir()</php>.

This is global state that can change if another call to <php>opendir()</php> is made, which could happen by calling a library function, and leading to spooky action at a distance.
Prior extensions and functions that behaved this way have been deprecated, most notably the original ext/mysql extension and more recently [[rfc:deprecations_php_8_1#calling_overloaded_pgsql_functions_without_the_connection_argument|the ext/pgsql functions that were overloaded were deprecated in PHP 8.1]]

As such, we propose deprecating passing <php>null</php> to <php>readdir()</php>, <php>rewinddir()</php>, and <php>closedir()</php>.

<doodle title="Deprecate passing null to readdir(), rewinddir(), and closedir()?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Deprecate the $context parameter for finfo_buffer()  ====

  * Author: Gina Peter Banyard <girgias@php.net>

This parameter is unused, and the only reason it exists in the first place is because the implementation of it was delegated to a "god" C function that also was handling <php>finfo_file()</php> which does use the provided context.

As this parameter is not useful for this function it should be deprecated.

<doodle title="Deprecate the $context parameter for finfo_buffer()?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Deprecate no-op functions from the resource to object conversion ====

  * Author: Daniel Scherzer <daniel.e.scherzer@gmail.com>

In the migration of various extensions from resources to objects, a number of functions to close or free the resources became no-ops. Specifically:

  * <php>finfo_close()</php> since the ext/fileinfo migration in PHP 8.1
  * <php>xml_parser_free()</php> since the ext/xml migration in PHP 8.0
  * <php>curl_close()</php> since the ext/curl migration in PHP 8.0
  * <php>curl_share_close()</php> since the ext/curl migration in PHP 8.0
  * <php>imagedestroy()</php> since the ext/gd migration in PHP 8.0

Since these functions are not needed anymore, they should be deprecated. We therefore propose to add

<PHP>
#[\Deprecated(since: '8.5', message: "as this method does nothing")]
</PHP>

to the signatures.

=== Deprecate finfo_close()  ===

  * Implementation: https://github.com/php/php-src/pull/18396

<doodle title="Deprecate finfo_close()?" auth="daniels" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate xml_parser_free()  ===

<doodle title="Deprecate xml_parser_free()?" auth="daniels" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate curl_close()  ===

<doodle title="Deprecate curl_close()?" auth="daniels" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate curl_share_close()  ===

<doodle title="Deprecate curl_share_close()?" auth="daniels" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate imagedestroy()  ===

<doodle title="Deprecate imagedestroy()?" auth="daniels" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Deprecate DATE_RFC7231 and DateTimeInterface::RFC7231 ====

  * Author: Jorg Sowa <jorg.sowa@gmail.com>

Because the implementation of the constant contains the timezone `GMT` designation, the format of date will always show the `GMT` timezone, despite the real timezone of the instance of `DateTimeInterface`. This may lead to unwanted results.

The implementation of this constant was a mistake, as this was described as bug. This wasn't bug, but a feature request: https://github.com/php/php-src/pull/2450

Implementation: https://github.com/php/php-src/pull/12989

==== ext/spl deprecations ====

=== Deprecate ArrayObject and ArrayIterator with objects ===

  * Author: Daniel Scherzer <daniel.e.scherzer@gmail.com>
  * Author: Gina Peter Banyard <girgias@php.net>

<php>ArrayObject</php> allows using an instance of a class as a "backing array" rather than the more typical behaviour of using a standard PHP array.

However the way this feature was designed breaks nearly every single expectation and invariant around objects not just for users, but also the engine.

It allows accessing private and protected properties from the global scope, write multiple times to <php>readonly</php> properties, write values of invalid types to typed properties, misshandles <php>isset()</php> and <php>empty()</php>, allows writing dynamic properties without issuing any warning , and can even add dynamic properties to internal classes that ban dynamic properties, doesn't call the magic <php>__get()</php> and <php>__set()</php> methods, and probably some other hidden issues.

One example to showcase some of the issues is the following:

<PHP>
<?php
class T {
    private readonly int $p;
    public string $p2;
    
    public function getP() {
        return $this->p;
    }
}
 
$o = new T();
$a = new ArrayObject($o);
$a["\0T\0p"] = 'str';
var_dump($o->getP());
$a["\0T\0p"] = 'modified';
var_dump($o->getP());
var_dump(isset($a["p2"]));
var_dump($o->p2);
</PHP>
which outputs the following:
<PHP>
string(3) "str"
string(8) "modified"
bool(true)

Fatal error: Uncaught Error: Typed property T::$p2 must not be accessed before initialization in php-wasm run script:%d
Stack trace:
#0 {main}
  thrown in php-wasm run script on line %d
</PHP>

As such we recommend deprecating passing an object to the constructor of <php>ArrayObject</php>.
Because <php>ArrayIterator</php> shares a lot of the implementation details with <php>ArrayObject</php>
we also recommend deprecating passing objects to it.

<doodle title="Deprecate ArrayObject and ArrayIterator with objects?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate SplObjectStorage::contains(), SplObjectStorage::attach(), and SplObjectStorage::detach() ===

  * Author: Gina Peter Banyard <girgias@php.net>

This is lifted from the [[rfc:container-offset-behaviour|Improve language coherence for the behaviour of offsets and containers]] RFC as it is time sensitive.

The following three methods are aliases for methods defined by <php>ArrayAccess</php>, namely:
  * <php>SplObjectStorage::contains()</php> is an alias for <php>SplObjectStorage::offsetExists()</php>
  * <php>SplObjectStorage::attach()</php> is an alias for <php>SplObjectStorage::offsetSet()</php>
  * <php>SplObjectStorage::detach()</php> is an alias for <php>SplObjectStorage::offsetUnset()</php>

However, extending `SplObjectStorage` and overwriting one of the alias methods does //not// modify
the behaviour of using the offset access operators.
Meaning that it is possible to have an asymetry between using methods calls and the overloaded offset access operators.

As such we propose deprecating the method aliases in favour of using the <php>ArrayAccess</php> methods.

<doodle title="Deprecate SplObjectStorage::contains(), SplObjectStorage::attach(), and SplObjectStorage::detach()?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

=== Deprecate passing spl_autoload_call() to spl_autoload_unregister() ===

  * Author: Gina Peter Banyard <girgias@php.net>

The <php>spl_autoload_register()</php> function allows registering a callable to find classes during autoloading.
Naturally it prevents passing the <php>spl_autoload_call()</php> as a callback, as this would be non-sensical.

However, the <php>spl_autoload_unregister()</php> function, which is used to remove a callback from the autoloading sequence does permit passing the <php>spl_autoload_call()</php> function as a callback, in which case **//all//** autoloading callbacks are removed.

This behaviour is undocumented and frankly baffling, as such we propose to deprecate passing <php>spl_autoload_call()</php> to <php>spl_autoload_unregister()</php>.

If there is a need to remove all autoloading functions it is possible to do so via the following obvious method:
<PHP>
foreach (spl_autoload_functions() as $fn) {
    spl_autoload_unregister($fn);
}
</PHP>

<doodle title="Deprecate passing spl_autoload_call() to spl_autoload_unregister()?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>


==== Deprecate using values of type null, bool, and float as array offsets and when calling array_key_exists() ====

  * Author: Gina Peter Banyard <girgias@php.net>

This is lifted from the [[rfc:container-offset-behaviour|Improve language coherence for the behaviour of offsets and containers]] RFC as it is time sensitive.

How offsets are handled in PHP is rather unintuitive and not consistent with many other areas of the language.
Notably an offset of <php>null</php> is type juggled to the empty string <php>""</php> rather than <php>0</php>,
contrasting with how values of type <php>bool</php>, <php>float</php>, and <php>resources</php> are cast to <php>int</php>.
Which is even more surprising that the other operators that accept both string and int are bitwise operators and they throw a type error when attempting to use <php>null</php> with a value of type <php>string</php>.

Moreover, invalid types for string offsets always warn, which is not the case for array offsets (except when using a resource).

As such we propose deprecating using values of type <php>null</php>, <php>bool</php>, and <php>float</php> as array offsets and when calling <php>array_key_exists()</php>

<doodle title="Deprecate using values of type null, bool, and float as array offsets and when calling array_key_exists()?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Deprecate __debugInfo() returning null  ====

  * Author: Daniel Scherzer <daniel.e.scherzer@gmail.com>

Since the <php>__debugInfo()</php> magic method was added, it has been documented as needing to return an array (see [[https://github.com/php/php-src/commit/1e752ce9c57310cced0a5ba8399778c1f500f2b4|original implementation]]) in the error message if you return a non-array and non-null value.

However, <php>null</php> has been silently treated the same as an empty array.

This can result in confusion about if null means something different. Accordingly, we propose to deprecate returning null from <php>__debugInfo()</php> magic methods.

==== Deprecate constant redeclaration  ====

  * Author: Daniel Scherzer <daniel.e.scherzer@gmail.com>

In PHP 8, attempting to declare a constant that already existing was changed to emit a warning rather than just a notice. Since a warning is considered stronger than a deprecation, the error code should not change, but we propose that

  * The behavior trigger an error in PHP 9
  * The warning messages in 8.5+ indicate that the behavior will trigger an error in PHP 9

Redeclaring a constant can lead to invalid assumptions, specifically if a developer assumes that the declaration will succeed they may assume a constant has one value when it actually has a different value.

==== Deprecate closure binding issues  ====

  * Author: Daniel Scherzer <daniel.e.scherzer@gmail.com>

When trying to bind a <php>Closure</php> object, multiple issues can potentially be raised, but only as warnings:

  * "Cannot bind an instance to a static closure"
  * "Cannot bind method %s::%s() to object of class %s" - for trying to change the type of object bound to
  * "Cannot unbind $this of method"
  * "Cannot unbind $this of closure using $this"
  * "Cannot bind closure to scope of internal class %s"
  * "Cannot rebind scope of closure created from function"
  * "Cannot rebind scope of closure created from method"

Since a warning is considered stronger than a deprecation, the error code should not change, but we propose that

  * The behavior trigger errors in PHP 9
  * The warning messages in 8.5+ indicate that the behavior will trigger errors in PHP 9

==== Enact follow-up phase of the "Path to Saner Increment/Decrement operators" RFC ====

  * Author: Gina Peter Banyard <girgias@php.net>

The [[rfc:saner-inc-dec-operators|Path to Saner Increment/Decrement operators]] RFC delayed the deprecation of the PERL string increment feature so that users could have time to migrate to the new <php>str_increment()</php> function introduced in PHP 8.3.

As there have been two minor versions to allow this migration we now proposed to enact the following delayed deprecation from the RFC:

<blockquote>Deprecate using the increment operator with non-numeric strings.</blockquote>

<doodle title="Enact follow-up phase of the Path to Saner Increment/Decrement operators RFC?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

==== Remove disable_classes INI setting ====

  * Author: Gina Peter Banyard <girgias@php.net>

This supercedes the following inactive RFC [[rfc:remove_disable_classes|Remove disable_classes INI setting]].

The ''disable_classes'' INI setting is fundamentally useless and causes various issues in the engine, as using it will result in unexpected states for the engine to deal with.

Only internal classes can be disabled, which brings the following observation.
On a minimal build of PHP, with only the mandatory extensions enabled, there are 148 classes/interfaces/traits defined. [2]

Other than a specific subset of classes defined in the SPL extension, disabling any of these classes will cause issues within the engine.
Moreover, the subset of SPL classes that could be disabled are not a security concern.

Therefore, any other class that can be disabled must come from an extension that can be disabled altogether.
And "disabling" a class from an extension without disabling said extension will, other than rendering it useless, cause various issues that the extension is not prepared to handle as they expect the classes they defined to exist.

If a hosting provider is concerned about an extension, then it should not enable it in the first place. Not break it ad hoc.

Considering the above, the usefulness of this feature has always been dubious.

This is in stark contrast to the ''disable_functions'' INI setting, which can be used to selectively remove functionality of an extension without breaking it overall.

What makes this setting particularly broken is that it does not unregister the class, it only overwrites the create CE handler to emit a warning and purge the properties and function hash tables.
This leads to various use after free, segfaults, and broken expectations for the engine and extensions which define said classes.
On top of that, it is possible to actually instantiate such a class (and even classes which actually disallow this like ''ext/imap'') in userland, and pass it to functions that are typed against said class without raising a TypeError.
However, when trying to do anything with said object, stuff is going to explode in countless ways.

The only usage we can find is within the Fuzzer SAPI to block instantiation of the <php>InfiniteIterator</php> class so that it does not try to fuzz this class. This can be fixed by manually changing the create handler of the <php>InfiniteIterator</php> CE to throw in the fuzzer initiation code.

As such we propose removing the ''disable_classes'' INI setting.

<doodle title="Remove disable_classes INI setting?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>


==== Deprecate the $http_response_header predefined variable ====

  * Author: Gina Peter Banyard <girgias@php.net>

This was initially slated for [[rfc:deprecations_php_8_1#predefined_variable_http_response_header|deprecation in PHP 8.1]],
however it was removed from the proposal as there were no practical alternatives for this functionality.

This was addressed in PHP 8.4 by adding the 
[[rfc:http-last-response-headers|http_get_last_response_headers() function]].
As the usage of this predefined variable is small, at the time of the RFC introducing the new functions, 65 times.
And it is possible to write cross version compatible code in the following way:
<PHP>
$content = file_get_contents('http://example.com/');
if (function_exists('http_get_last_response_headers')) {
    $http_response_header = http_get_last_response_headers();
}
// Use $http_response_header as before
</PHP>

We propose deprecating using the <php>$http_response_header</php> without having previously called <php>http_get_last_response_headers()</php>

<doodle title="Deprecate the $http_response_header predefined variable?" auth="girgias" voteType="single" closed="true">
   * Yes
   * No
</doodle>

===== Backward Incompatible Changes =====

For PHP 8.5 additional deprecation notices will be emitted.
The actual removal of the affected functionality will happen no earlier than PHP 9.

===== Removed from this proposal =====

The following entries were originally added to this proposal and then dropped.