rfc:deprecations_php_8_1

This is an old revision of the document!


PHP RFC: Deprecations for PHP 8.1

Introduction

The RFC proposes to deprecate the listed functionality in PHP 8.1 and remove it in PHP 9.

The following list provides a short overview of the functionality targeted for deprecation, while more detailed explanation is provided in the Proposal section:

  • date_sunrise() and date_sunset()
  • key(), current(), next(), prev(), and reset() on objects
  • mb_check_encoding() without argument
  • get_class(), get_parent_class() and get_called_class() without argument
  • FILE_BINARY and FILE_TEXT constants
  • t fopen mode
  • Passing bool for $amountOrUpOrDown argument of IntlCalendar::roll()
  • Accessing static members on traits
  • strptime()
  • strftime() and gmtstrftime()
  • mhash*() function family
  • ctype_*() function family accepts int parameters
  • Return by reference with void type
  • NIL constant defined by the IMAP extension
  • Calling overloaded pgsql functions without the connection argument
  • $num_points parameter of image(open|filled)polygon
  • mysqli::init()
  • filter.default ini setting
  • auto_detect_line_endings ini setting
  • ssl_method option to SoapClient constructor
  • FILTER_SANITIZE_STRING
  • oci8.old_oci_close_semantics ini setting
  • odbc_result_all()

Proposal

Each feature proposed for deprecation is voted separately and requires a 2/3 majority. All votes refer to deprecation in PHP 8.1 and removal in PHP 9.0.

date_sunrise() and date_sunset()

These two functions have the signature:

function date_sunset(
    int $timestamp,
    int $format = SUNFUNCS_RET_STRING,
    float $latitude = ini_get("date.default_latitude"),
    float $longitude = ini_get("date.default_longitude"),
    float $zenith = ini_get("date.sunset_zenith"),
    float $gmt_offset = 0
): mixed;

This function depends on ini settings that specify the “default” latitude and longitude, a concept that makes very little sense. Additionally it requires familiarity with appropriate zenith values to use for different purposes.

date_sunset() and date_sunrise() have since been superseded by date_sun_info():

function date_sun_info(int $time, float $latitude, float $longitude): array;

This function does not use “default” latitude and longitude, and returns an associative array of multiple different definitions of the sunrise/sunset concept.

The proposal is to deprecate date_sunset() and date_sunrise() in favor of date_sun_info(). The ini settings date.default_latitude, date.default_longitude and date.sunset_zenith are marked as deprecated in the documentation. In the next major version, both the functions and the ini settings will be removed. This was initially discussed in: https://github.com/php/php-src/pull/4423.

key(), current(), next(), prev(), reset() on objects

The key() family of functions, which are used to manipulate the internal array pointer, also accept objects. In this case they work on the mangled property table. That is, using key() and friends on an object is essentially the same as using them on get_mangled_object_vars($object).

This catches many people off guard, because they expect key() etc. to integrate with the iterator interface. That is, if the passed object implements Iterator then key($object) should perform an $object->key() call. The water here have been further muddied by ArrayObject, which prior to PHP 7.4 was the only object where key() etc. did effectively integrate with the iterator interface.

There are principally two ways to resolve this: The first is to deprecate the use of key() etc on objects, and instead require people to perform an explicit (array) cast or get_mangled_object_vars() call beforehand. The other is to actually make these functions integrate with iterators. The issue I see with the latter is that we would only be able to support the Iterator interface proper, but not general Traversables: For these IteratorAggregate::getIterator(), or the internal get_iterator() handler need to be called once at the start, which is not possible through the array iteration interface, as it consists of multiple independent functions. Additionally, the prev() function cannot be implemented for iterators.

As such, the proposal is to deprecate key(), current(), next(), prev() and reset() on objects. The suggested replacement is to cast the object to array first, or call get_mangled_object_vars(), depending on what the intention is.

mb_check_encoding() without argument

The mb_check_encoding() usually accepts a string and an encoding, but can also be called without arguments. The documentation says:

If it is omitted, this function checks all the input from the beginning of the request.

The implementation says:

/* FIXME: Actually check all inputs, except $_FILES file content. */
if (MBSTRG(illegalchars) == 0) {
    RETURN_TRUE;
}
RETURN_FALSE;

This FIXME does not induce a sense of confidence in this function...

Further research shows that the documentation is correct, in that any encoding checking or conversion functionality invoked during a request will increment MBSTRG(illegalchars). As such, mb_check_encoding() tells you whether any illegal encoding has been encountered at any point. My best guess is that this was intended to be used in conjunction with the encoding_translation feature, which “treats” incoming SAPI data.

Overall this functionality is confusing, and the implementation is unfinished or broken. There are no calls to mb_check_encoding() without argument in popular composer packages.

The proposal is to deprecate calling mb_check_encoding() without arguments.

get_class(), get_parent_class() and get_called_class() without argument

In PHP 7.2, passing null to ''get_class()'' was forbidden, because this behavior was very bug prone. However, the ability to call get_class() without argument was retained. In that case get_class() is approximately the same as self::class. get_parent_class() exhibits the same behavior.

The proposal is to deprecate argument-less get_class(), get_parent_class() and get_called_class() in favor of the dedicated self::class, parent::class and static::class syntax, which was introduced in PHP 5.5. (get_called_class() only has an argument-less form, so it would be deprecated entirely.)

As a caveat, if get_parent_class() is used to check whether the class has a parent, it is necessary to use get_parent_class(self::class) instead, because parent::class will generate an error if used inside a class without parent.

FILE_BINARY and FILE_TEXT constants

These were introduced in PHP 5.2.7 for forward compatibility with PHP 6, but don't have any effect. These constants are especially confusing because fopen() supports b (binary) and t (text) modes, which do have an effect, but a completely unrelated one.

The proposal is to deprecate the FILE_BINARY and FILE_TEXT constants.

This was pointed out in: https://github.com/php/php-src/pull/5556

"t" fopen mode

Next to the standard modes, fopen also accepts t and b modes, which are only meaningful on Windows. When b is used (which is the default), the file is treated as usual. If t is specified, automatic conversion between LF and CRLF line endings is performed. The documentation says:

Again, for portability, it is also strongly recommended that you re-write code that uses or relies upon the 't' mode so that it uses the correct line endings and 'b' mode instead.

The proposal is to deprecate the use of t mode in fopen(). Explicitly specifying the b mode remains supported.

There is a complication here: While fopen() itself defaults to binary mode, some other functions like proc_open() on pipe descriptors still default to text mode. It is not clear what should be done with these functions.

Passing bool for $amountOrUpOrDown argument of IntlCalendar::roll()

IntlCalendar::roll() accepts an integer which specifies how much to add to a given field. The integer can be negative to subtract.

However, it also accepts a boolean argument, in which case true is interpreted as 1 and false is interpreted as -1. This does not appear to be actually useful for anything, makes for a confusing function signature, and violates PHP's usual type coercion rules.

The proposal is to deprecate passing a boolean to this method argument.

Accessing static members on traits

Currently, it is possible to directly access static trait members, rather than accessing them on the class using the trait:

trait T {
    public static $foo;
}
class C {
    use T;
}
var_dump(T::$foo); // Currently allowed.

This is conceptually wrong, and causes various complications. For example, the meaning of self is ill-defined -- normally, it refers to the using class, not the trait, but there is no “using class” in this context. Static member access on traits is a regular complication for new functionality, because it results in an impure behavior model. For example, opcache preloading had to require evaluated initializers in traits, because there is a possibility that that members are accessed directly, even though in ordinary usage they can only be accessed after being imported into some class.

There is a somewhat dated analysis of projects using this functionality at https://github.com/php/php-src/pull/4829#issuecomment-542224541.

The proposal is to deprecate the ability to access static properties and static methods directly on traits.

strptime()

The strptime() function parses a date/time string into an array. However, this function is not supported on Windows, and the manual further warns:

Internally, this function calls the strptime() function provided by the system's C library. This function can exhibit noticeably different behaviour across different operating systems. The use of date_parse_from_format(), which does not suffer from these issues, is recommended on PHP 5.3.0 and later.

Notably, distributions like alpine that use musl instead of glibc may exhibit unexpected behavior. Additionally, strptime() is locale-based, and as such may be affected by code running in a different thread.

As the note already mentioned, date_parse_from_format() is an alternative that is always available and always behaves consistently. DateTime::createFromFormat() is another alternative that creates a DateTime object instead. IntlDateFormatter::parse() is available as a more sophisticated, localization-aware alternative.

The proposal is to deprecate the strptime() function in favor of portable alternatives.

strftime() and gmstrftime()

The strftime() and gmstrftime() functions exhibit similar issues as strptime(), in that the formats they support, as well as their behavior, is platform-dependent. Unlike strptime(), these functions are available on Windows, though with a different feature set than on Linux. Musl-based distributions like Alpine do not support timezone-related format specifiers correctly. These functions are also locale-based, and as such may exhibit thread-safety issues.

Once again DateTime::format() provides a portable alternative, and IntlDateFormatter::format() provides a more sophisticated, localization-aware alternative.

The proposal is to deprecate strftime() and gmstrftime() in favor of these alternatives.

mhash*() function family

mhash*() functions were integrated into ext/hash in PHP 5.3 as a compatibility layer for ext/mhash (which has been removed in PHP 7.0). Unlike the hash_*() functions, the mhash* functions are not always available, and have to be separately enabled when configuring PHP.

The proposal is to deprecate mhash(), mhash_keygen_s2k(), mhash_count(), mhash_get_block_size() and mhash_get_hash_name() in favor of the standard ext/hash functionality.

ctype_*() function family accepts int parameters

Next to strings, the ctype_*() functions also accept integers, with semantics described by this note in the manual:

If an integer between -128 and 255 inclusive is provided, it is interpreted as the ASCII value of a single character (negative values have 256 added in order to allow characters in the Extended ASCII range). Any other integer is interpreted as a string containing the decimal digits of the integer.

This is a common cause for confusion, especially when passing integer values to ctype_digit(). ctype_digit(5) will return false, while ctype_digit(“5”) will return true. This violates the general principle that integral strings and integers should behave consistently.

Support for similar behavior in the strpos() family of functions has already been removed in PHP 8. If an ASCII codepoint should be checked, then it needs to be converted into a string explicitly using chr().

The proposal is to deprecate passing of non-strings to ctype_*() functions. In the next major versions, ctype_*() will be changed to accept a string parameter under standard semantics.

Return by reference with void type

It is currently possible to declare functions that return void by reference:

function &test(): void {}

This is contradictory, as void functions are not supposed to have a return value. Calling such a function will always result in a “Only variable references should be returned by reference” notice once it returns.

The proposal is to throw a compile-time deprecation for function signatures using by-reference returns in conjunction with void.

NIL constant defined by the IMAP extension

The NIL constant corresponds to the value 0, and can be confused with null.

The proposal is to deprecate this constant.

Calling overloaded pgsql functions without the connection argument

ext/pgsql has a few overloaded functions which can be called without providing the connection as the first argument. An example for this is the pg_query() function, which can be called in two ways:

pg_query($queryString); // uses default connection
pg_query($connection, $queryString);

As PHP has no native support for function overloading, this makes for a hard to understand function signature. The function is currently specified as:

/**
 * @param resource|string $connection
 * @return resource|false
 */
function pg_query($connection, string $query = UNKNOWN) {}

The proposal is to deprecate any use of the “default connection” in ext/pgsql. A deprecation notice will be thrown if a pgsql function is called without explicitly specifying the connection.

$num_points parameter of image(open|filled)polygon

imagepolygon, imageopenpolygon and imagefilledpolygon have an overloaded signature as of PHP 8.0.0, which allows to omit the $num_points parameter, which is of doubtful use, and likely has only been introduced, because the underlying gdImagePolygon and friends also have this parameter, although it is necessary in C, but not in PHP.

The proposal is to deprecate the old signatures which accept four parameters in favor of the new signatures which accept only three parameters. Suggested implementation.

The follwing example shows how to avoid the deprecation. It should be noted that drawing a triangle from a four point array is likely rare in practice, and might even hint at a bug.

$points = [10, 10, 10, 90, 90, 90, 90, 10];
 
// draw a rectangle (i.e. use all points)
imagepolygon($im, $points, count($points)/2, 0x000000); // before
imagepolygon($im, $points, 0x000000); // after
 
// draw a triangle (i.e. use only 3 points)
imagepolygon($im, $points, 3, 0x000000); // before
imagepolygon($im, array_slice($points, 0, 6), 0x000000); // after

mysqli::init()

This methods is the same as the function mysqli_init(). However, the use of the method form is very confusing, because it is an instance method rather than a static method. Calling mysqli::__construct() without any arguments will already create an initialized but not connected mysqli object and calling mysqli::init() afterwards is neither necessary nor useful.

The only known “real” use case for this method is in polymorphism. If you extend mysqli class you can call init() instead of the parent constructor.

The proposal is to deprecate mysqli::init() in favor of mysqli::__construct(), for example:

class test extends mysqli
{
    public function __construct($host, $user, $passwd, $db, $port, $socket) {
        // parent::init();
        // replace the above line with the following line:
        parent::__construct();
 
        parent::real_connect($host, $user, $passwd, $db, $port, $socket);
    }
}

filter.default ini setting

The filter.default ini setting allows to apply a filter to all GPCRS data. As the documentation states:

Filter all $_GET, $_POST, $_COOKIE, $_REQUEST and $_SERVER data by this filter. Original data can be accessed through filter_input().

For example, filter.default=magic_quotes or filter.default=add_slashes (depending on PHP version) can be used to resurrect the magic quotes functionality that was removed in PHP 5.4. filter.default=special_chars gives you magic quotes, but for HTML.

Magic quotes were removed for very good reason, and filter.default provides functionality that is even worse, because it allows a wider range of different filters, and there is much less awareness of its existence.

The proposal is to emit a deprecation warning if filter.default is set to a value other than unsafe_raw (the default). No separate deprecation warning is emitted for filter.default_options, but both ini settings will be removed together in the next major version.

auto_detect_line_endings ini setting

The auto_detect_line_endings ini setting modifies the behavior of file() and fgets() to support an isolated \r (as opposed to \n or \r\n) as a newline character. These newlines were used by “Classic” Mac OS, a system which has been discontinued in 2001, nearly two decades ago. Interoperability with such systems is no longer relevant.

The proposal is to emit a deprecation warning if auto_detect_line_endings is enabled.

'ssl_method' option to SoapClient constructor

One of the many options which can be passed (in an associative array) to the SoapClient constructor is ssl_method, which theoretically allows selection of the SSL/TLS version. The value is one of four extension-specific constants:

  • Due to changes elsewhere, both SOAP_SSL_METHOD_TLS and SOAP_SSL_METHOD_SSLv23 are the same as the default, which is currently to negotiate TLS 1.0 or higher
  • SOAP_SSL_METHOD_SSLv2 will always result in an error, because PHP no longer supports SSL 2
  • SOAP_SSL_METHOD_SSLv3 will select SSL 3, if the OpenSSL in use includes support; it's use is probably very rare, since SSL 3 has been considered insecure for many years

A full set of options (including both SSL 3 and all individual versions of TLS) is available using the ['ssl' => ['crypto_method' => ...] option to stream_context_create, which can then be passed to the SoapClient in the context parameter.

The proposal is to deprecate passing an ssl_method option to the constructor, and recommend the use of context option instead.

FILTER_SANITIZE_STRING

This is a very dubious filter that has almost no use. It removes NUL bytes, encodes single and double quotes in HTML, and removes anything between < and optional >. It does not function the same as strip_tags() as pointed out in this comment https://www.php.net/manual/en/filter.filters.sanitize.php#118186

This filter is dangerously misleading and encourages bad practice, in that the set of encoded/stripped characters is not suitable for any particular purpose. It seems to be intended as a kind of generic string filter that renders the string safe in a magic fashion, without taking into account the context where it will be used. Use of this filter should be replaced with escaping/encoding specific to the given context.

The name of the filter can also be confused with a default filter for accepting arbitrary strings (which would be more in line with what other filters like FILTER_SANITIZE_INT do). The filter that actually does this is FILTER_UNSAFE_RAW, which sounds like something one should not use. In reality, it is the use of FILTER_SANITIZE_STRING which will result in data corruption.

The proposal is to deprecate the FILTER_SANITIZE_STRING constant, its alias FILTER_SANITIZE_STRIPPED, as well as use of this filter.

oci8.old_oci_close_semantics INI setting

By enabling this INI setting, oci_close() will do nothing instead of closing the connection. As it only exists for backward compatibility purposes for a long time, we should remove it.

The proposal is to throw a deprecation warning if oci8.old_oci_close_semantics is enabled.

odbc_result_all()

The odbc_result_all() function prints all rows from an ODBC query result as an HTML table. However, the printed data is not escaped. This means that the function is not only of very dubious usefulness, but also actively dangerous when used for non-debugging purposes.

The proposal is to deprecate the odbc_result_all() function.

Backward Incompatible Changes

For PHP 8.1 additional deprecation notices will appear. For PHP 9.0 the previously deprecated functionality will no longer be available.

Removed from this proposal

The following entries were originally added to this proposal and then dropped.

get_browser() function

This was originally included on the rationale that get_browser() is much slower than userland browscap implementations. However, this is no longer the case since a PHP 7.0 patch release, see https://github.com/php/php-src/pull/2242.

DatePeriod::__construct()

This is a heavily overloaded function (it has 3 signatures) which should be deprecated in favor of 3 factory methods. However, those factory methods need to be introduced first, before the constructor can be deprecated.

Passing a method name as the first parameter to ReflectionMethod::__construct()

ReflectionMethod::__construct() currently also accepts a single argument of the form “ClassName::methodName”, as opposed to the class and method name being passed separately. A ReflectionMethod::fromMethodName() method should be added as a replacement. The replacement should be added before this overload can be deprecated.

unserialize_callback_func INI setting

This ini setting is currently still used (by Symfony for example) to throw an exception if a class is not found, instead of creating an instance of __PHP_Incomplete_Class. We should introduce an unserialize option that achieves this before the deprecate the ini setting.

Predefined variable $http_response_header

The ''$http_response_header'' variable is magically created in the local scope whenever an HTTP request is performed through PHP's stream layer. Creating a variable in the local scope is a terrible way of returning additional information, and we have removed all other features using this operating principle, such as $php_errormsg.

It is possible to replace $http_response_header by making use of stream wrapper metadata. However, this means that you cannot simply use file_get_contents() anymore, and need to drop down to the stream layer:

// Replace:
$url = 'https://example.org';
$response = file_get_contents($url);
$headers = $http_response_header;
 
// With:
$url = 'https://example.org';
$f = fopen($url, 'r');
$reponse = stream_get_contents($f);
$headers = stream_get_meta_data($f)['wrapper_data'];

Things become more complicated once you want to access headers of a request that failed. In this case, stream meta data will not be available, as the fopen() call will fail. Instead, it is necessary to set the ignore_errors option:

$url = 'https://example.org/file_not_found';
$context = stream_context_create([
    'http' => [
        'ignore_errors' => true,
    ],
]);
$f = fopen($url, 'r', context: $context);
$response = stream_get_contents($f);
$headers = stream_get_meta_data($fp)['wrapper_data'];

This also means that you now manually need to detect whether the request failed based on the headers.

These alternatives are workable, but also not great. Possibly we should add a function that returns the last response headers, instead of creating a variable?

rfc/deprecations_php_8_1.1624891403.txt.gz · Last modified: 2021/06/28 14:43 by dharman