
This is an old revision of the document!


PHP RFC: Deprecations for PHP 8.5

  • Date: 2024-09-26
  • Authors:
  • Status: Pending Implementation
  • Implementation: TBD

Introduction

The RFC proposes to deprecate the listed functionality in PHP 8.5 and remove it in PHP 9 (except where otherwise noted).

The following list provides a short overview of the functionality targeted for deprecation, while a more detailed explanation is provided in the Proposal section:

  • Deprecate key_length parameter of openssl_pkey_derive()
  • Deprecate PDO's 'uri:' scheme
  • Deprecate Reflection*::setAccessible()
  • Deprecate FILTER_DEFAULT constant
  • Make $filter parameter mandatory for filter_*() functions
  • Deprecate FILTER_CALLBACK filter
  • Deprecate filter_input() and filter_input_array()

Proposal

Each feature proposed for deprecation is voted separately and requires a 2/3 majority. All votes refer to deprecation in PHP 8.5 and removal in PHP 9 (except where otherwise noted).

Deprecate key_length parameter of openssl_pkey_derive()

This parameter is useless and confusing for users. It just truncates the length for ECDH, but does nothing or fails for increasing lengths and DH truncation. This was raised during the security audit.

See: https://github.com/php/doc-en/pull/3789

Deprecate PDO's 'uri:' scheme

Deprecate Reflection*::setAccessible()

Deprecate FILTER_DEFAULT constant

Author: Gina Peter Banyard girgias@php.net

The FILTER_DEFAULT constant is an alias for the FILTER_UNSAFE_RAW constant. This has been the case since at least PHP 5.3. This is confusing and seems to indicate that it corresponds to the filter set by the filter.default INI setting. Moreover, this INI setting was deprecated in PHP 8.1.

As this constant is confusing and misleading, we propose to deprecate it.

Make $filter parameter mandatory for filter_*() functions

Author: Gina Peter Banyard girgias@php.net

The filter_*() functions do not require passing the $filter parameter; its default value is FILTER_DEFAULT, which is an alias for the FILTER_UNSAFE_RAW filter. This filter does nothing if no flags are provided. This behaviour is indicative of a bug; therefore, we propose to make the $filter argument mandatory and emit a deprecation notice if the default value is used.

Deprecate FILTER_CALLBACK filter

Author: Gina Peter Banyard girgias@php.net

The FILTER_CALLBACK filter allows providing a function to call on the value to filter. This makes little sense, as one can pass the value directly to the function instead of going through the filter extension.

Similarly, to filter an array of values, it is easier and more intuitive to use the array_map() function rather than the filter extension.

As such, we propose to deprecate this filter.

Deprecate filter_input() and filter_input_array()

Author: Gina Peter Banyard girgias@php.net

The filter_input() and filter_input_array() functions operate on the original values provided by the SAPI that populate the superglobals for $_GET, $_POST, $_SERVER, $_ENV, and $_COOKIE.

This means that a modification to any entry of the superglobal will not be used when calling these functions. This is showcased by the following PHPT test:

--TEST--
filter_input() filter with superglobal modified
--EXTENSIONS--
filter
--GET--
a=hello
--FILE--
<?php
 
var_dump($_GET);
$f1 = filter_input(INPUT_GET, "a", FILTER_CALLBACK, ['options' => fn (string $s) => $s === "world"]);
var_dump($f1);
 
$_GET['a'] = "world";
var_dump($_GET);
$f2 = filter_input(INPUT_GET, "a", FILTER_CALLBACK, ['options' => fn (string $s) => $s === "world"]);
var_dump($f2);
var_dump($_GET);
 
?>
--EXPECT--
array(1) {
  ["a"]=>
  string(5) "hello"
}
bool(false)
array(1) {
  ["a"]=>
  string(5) "world"
}
bool(false)
array(1) {
  ["a"]=>
  string(5) "world"
}

As it is easy and straightforward to have the same behaviour by using filter_var($_GET['a'], /* other params */) and filter_var_array($_GET, /* other params */), we propose to deprecate filter_input() and filter_input_array().
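
A migration sketch for the filter_input() and mandatory $filter proposals above, added here as an example and not taken from the RFC or from php-src. The names input_var(), require_port() and the sample $_GET contents are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of PHP or of this RFC. It reads the array it is
// given (the current superglobal, including any modification made by earlier
// code) and has no default filter, so the caller must always name one.
function input_var(array $source, string $name, int $filter, array|int $options = 0): mixed
{
    if (!array_key_exists($name, $source)) {
        // filter_input() also returns null for a variable that is not set
        // (when FILTER_NULL_ON_FAILURE is not used).
        return null;
    }
    return filter_var($source[$name], $filter, $options);
}

// Hypothetical wrapper that turns "missing" and "invalid" into one hard failure.
function require_port(array $source, string $name): int
{
    $port = input_var($source, $name, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    if (!is_int($port)) {
        throw new InvalidArgumentException("Parameter '$name' is missing or not a valid port");
    }
    return $port;
}

// Constructed sample input standing in for a parsed query string.
$_GET = ['port' => '8080', 'tags' => [' Alpha ', 'beta']];

var_dump(require_port($_GET, 'port'));

// Unlike filter_input(), the helper sees the modified entry and rejects it.
$_GET['port'] = '70000';
try {
    require_port($_GET, 'port');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// FILTER_CALLBACK replacement: call the function directly, or array_map() for arrays.
$normalise = fn (string $s): string => strtolower(trim($s));
var_dump(array_map($normalise, $_GET['tags']));
```

Code that validates through filter_input() after another layer has rewritten the superglobal checks a different value from the one later read out of $_GET, which is why the helper takes the array explicitly.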

Backward Incompatible Changes

For PHP 8.5 additional deprecation notices will be emitted. The actual removal of the affected functionality will happen no earlier than PHP 9.

Removed from this proposal

The following entries were originally added to this proposal and then dropped.

rfc/deprecations_php_8_5.1730068220.txt.gz · Last modified: 2024/10/27 22:30 by girgias