rfc:deprecations_php_8_5

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
rfc:deprecations_php_8_5 [2024/09/26 19:00] – created girgiasrfc:deprecations_php_8_5 [2024/11/28 17:47] (current) – Add exclude_disabled param deprecation girgias
Line 13: Line 13:
  
   * Deprecate ''key_length'' parameter of <php>openssl_pkey_derive()</php>   * Deprecate ''key_length'' parameter of <php>openssl_pkey_derive()</php>
 +  * Deprecate PDO's 'uri:' scheme
 +  * Deprecate Reflection*::setAccessible()
 +  * Deprecate FILTER_DEFAULT constant
 +  * Make ''$filter'' parameter mandatory for <php>filter_*()</php> functions
 +  * Deprecate FILTER_CALLBACK filter
 +  * Deprecate <php>filter_input()</php>, <php>filter_input_array()</php>, and <php>filter_has_var()</php>
 +  * Deprecate the ''docref_root'' and ''docref_ext'' INI directives
 +  * Deprecate the ''error_prepend_string'' and ''error_append_string'' INI directives
 +  * Deprecate the ''report_memleaks'' INI directive
 +  * Deprecate the ''register_argc_argv'' INI directive
 +  * Formally deprecate mysqli_execute
 +  * Deprecate <php>__construct()</php> and <php>__destruct()</php> in interfaces
 +  * Deprecate semicolon after ''case'' in switch statement
 +  * Deprecate the <php>$exclude_disabled</php> parameter of <php>get_defined_functions()</php>
  
 ===== Proposal ===== ===== Proposal =====
Line 20: Line 34:
  
 ==== Deprecate key_length parameter of openssl_pkey_derive() ==== ==== Deprecate key_length parameter of openssl_pkey_derive() ====
 +
 +This parameter is useless and confusing for users. It just truncates lenght for ECDH but does nothing or fail for increasing lenghts and DH truncation. This was raised during the security audit.
  
 See: https://github.com/php/doc-en/pull/3789 See: https://github.com/php/doc-en/pull/3789
 +
 +==== Deprecate PDO's 'uri:' scheme ====
 +
 +Author: Tim Düsterhus <timwolla@php.net>
 +
 +TODO: https://github.com/php/php-src/blob/d7bdf902e5b88189037883d462e422838bd9be55/ext/pdo/pdo_dbh.c#L323-L335
 +
 +==== Deprecate Reflection*::setAccessible() ====
 +
 +Author: Tim Düsterhus <timwolla@php.net>
 +
 +TODO: Follow-up for https://wiki.php.net/rfc/make-reflection-setaccessible-no-op
 +
 +==== Deprecate FILTER_DEFAULT constant ====
 +
 +Author: Gina Peter Banyard <girgias@php.net>
 +
 +The <php>FILTER_DEFAULT</php> constant is an alias for the <php>FILTER_UNSAFE_RAW</php> constant.
 +This has been the case since at least PHP 5.3.
 +This is confusing and seems to indicate that it corresponds to the filter set by the ''filter.default'' INI setting.
 +Moreover, this INI setting was deprecated in [[https://wiki.php.net/rfc/deprecations_php_8_1#filterdefault_ini_setting|PHP 8.1]].
 +
 +As this constant is confusing and misleading, we propose to deprecate it.
 +
 +==== Make $filter parameter mandatory for filter_*() functions ====
 +
 +Author: Gina Peter Banyard <girgias@php.net>
 +
 +The <php>filter_*()</php> functions do not require passing the <php>$filter</php> parameter, the default value of it is <php>FILTER_DEFAULT</php> which is an alias for the <php>FILTER_UNSAFE_RAW</php> filter.
 +This filter does **nothing** if no flags are provided.
 +This behaviour is indicative of a bug, therefore, we propose to make the <php>$filter</php> argument mandatory and emit a deprecation notice if the default value is used.
 +
 +==== Deprecate FILTER_CALLBACK filter ====
 +
 +Author: Gina Peter Banyard <girgias@php.net>
 +
 +The <php>FILTER_CALLBACK</php> filter allows providing a function to call on the value to filter.
 +This makes little sense as one can pass the value to filter directly to the function instead of passing by the filter extension.
 +
 +Similarly, to filter an array of values, it is easier and more intuitive to use the <php>array_map()</php> function rather than the filter extension.
 +
 +As such, we propose to deprecate this filter.
 +
 +
 +==== Deprecate filter_input(), filter_input_array(), and filter_has_var() ====
 +
 +Author: Gina Peter Banyard <girgias@php.net>
 +
 +The <php>filter_input()</php> and <php>filter_input_array()</php> functions operate on the **original** values provided by the SAPI that populate the superglobals for <php>$_GET</php>, <php>$_POST</php>, <php>$_SERVER</php>, <php>$_ENV</php>, and <php>$_COOKIE</php>.
 +
 +This means that modification to any entry of the superglobal will not be used when calling these functions.
 +This is showcased by the following PHPT test:
 +
 +<PHP>
 +--TEST--
 +filter_input() filter with superglobal modified
 +--EXTENSIONS--
 +filter
 +--GET--
 +a=hello
 +--FILE--
 +<?php
 +
 +var_dump($_GET);
 +$f1 = filter_input(INPUT_GET, "a", FILTER_CALLBACK, ['options' => fn (string $s) => $s === "world"]);
 +var_dump($f1);
 +
 +$_GET['a'] = "world";
 +var_dump($_GET);
 +$f2 =filter_input(INPUT_GET, "a", FILTER_CALLBACK, ['options' => fn (string $s) => $s === "world"]);
 +var_dump($f2);
 +var_dump($_GET);
 +
 +?>
 +--EXPECT--
 +array(1) {
 +  ["a"]=>
 +  string(5) "hello"
 +}
 +bool(false)
 +array(1) {
 +  ["a"]=>
 +  string(5) "world"
 +}
 +bool(false)
 +array(1) {
 +  ["a"]=>
 +  string(5) "world"
 +}
 +</PHP>
 +
 +As it is easy and straight forward to have the same behaviour by using
 +<php>filter_var($_GET['a'], /* other params */)</php>
 +and <php>filter_var_array($_GET, /* other params */)</php>,
 +we propose to deprecate <php>filter_input()</php> and <php>filter_input_array()</php>.
 +
 +As <php>filter_has_var()</php> is effectively equivalent to <php>array_key_exists()</php>,
 +but has the same caveat as the two previous functions, we propose to also deprecate this function.
 +
 +==== Deprecate the docref_root and docref_ext INI directives ====
 +
 +Author: Gina Peter Banyard <girgias@php.net>
 +
 +Both of these INI settings allow overriding the output of HTML diagnostic errors
 +(warning, notice, deprecations, etc.) to change the base URL and file extension for the clickable links
 +pointing to functions and/or INI settings in error messages generated by calls to ''php_error_docref()''.
 +
 +This is a debug feature and had some value when the php.net documentation had mirrors,
 +considering those have been retired, their use is now limited.
 +
 +As such, we propose deprecating those two INI settings.
 +
 +
 +==== Deprecate the error_prepend_string and error_append_string INI directives ====
 +
 +Author: Gina Peter Banyard <girgias@php.net>
 +
 +Both of these INI settings allow overriding the output of HTML diagnostic errors
 +(warning, notice, deprecations, etc.) to prepend or append HTML before the generated HTML of these diagnostic errors.
 +
 +This is a development and debugging feature which seems somewhat questionable and of limited use.
 +
 +As such, we propose deprecating those two INI settings.
 +
 +
 +==== Deprecate the report_memleaks INI directive ====
 +
 +Author: Gina Peter Banyard <girgias@php.net>
 +
 +This INI directive allows to suppress ZendMM memory leaks in debug builds of PHP.
 +This "feature" is highly questionable, as memory leaks should be fixed the moment they are made aware of.
 +Because this cannot affect production builds of PHP we propose deprecating this INI setting.
 +
 +==== Deprecate the register_argc_argv INI directive ====
 +
 +Author: Nicolas Grekas <nicolas.grekas@php.net>
 +
 +This INI directive tells PHP whether to declare the argv & argc variables. On the CLI, phpdbg and embed SAPIs it is forced to On. It defaults to Off on other SAPIs. This setting is dangerous on HTTP SAPIs because it allows defining the value of the argv/argc variables from the query string. This is almost always unwanted and certainly unexpected. It can lead to security issues if one reads argv/argc from an HTTP apps while not being aware of this behavior.
 +
 +We propose to deprecate this INI setting and make in default to Off in PHP 8.5, then to hardcode it to Off for all non-CLI-related SAPIs on PHP 9 (while keeping it hardcoded to On for CLI-related ones).
 +
 +==== Formally deprecate mysqli_execute ====
 +
 +Author: Tim Düsterhus <timwolla@php.net>
 +
 +TODO: https://www.php.net/manual/en/function.mysqli-execute.php
 +
 +==== Deprecate __construct() and __destruct() in interfaces ====
 +
 +Author: Tim Düsterhus <timwolla@php.net>
 +
 +TODO: https://phpc.social/@dseguy/113476785631597024 / https://github.com/php/php-src/issues/16077
 +
 +==== Deprecate semicolon after case in switch statement ====
 +
 +Author: Theodore Brown <theodorejb@php.net>
 +
 +It is possible to terminate ''case'' statements with a semicolon instead of the standard colon:
 +
 +<PHP>
 +switch ($value) {
 +    case 'foo';
 +    case 'bar':
 +    case 'baz';
 +        echo 'foo, bar, or baz';
 +        break;
 +    default;
 +        echo 'Other';
 +}
 +</PHP>
 +
 +This syntax is a leftover from PHP/FI 2, where nearly all lines including if conditions and case statements were terminated by a semicolon. [[https://externals.io/message/109350#109363|1]] [[https://www.php.net/manual/phpfi2.php#lang|2]]
 +
 +There isn't a need for this syntax to exist anymore, and very few PHP developers are even aware of its existence. In the top 1000 Composer packages, zero out of 35,777 total case statements are using the alternate syntax (as of 2024-11-27).
 +
 +Case statements followed by a semicolon can cause confusion, as a developer may think they behave differently in some way from regular case statements (e.g. preventing fallthrough), when they do not.
 +
 +Therefore, we propose to deprecate terminating case statements with a semicolon.
 +
 +
 +==== Deprecate the $exclude_disabled parameter of get_defined_functions() ====
 +
 +Author: Gina Peter Banyard <girgias@php.net>
 +
 +As of PHP 8.0.0, functions that are disabled via the ''disable_functions'' INI setting are simply removed from the function table.
 +As such, this parameter has no longer any effect and is pointless.
 +Therefore, we propose to deprecate it.
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
rfc/deprecations_php_8_5.1727377214.txt.gz · Last modified: 2024/09/26 19:00 by girgias

Page Tools