PHP RFC: Deprecations for PHP 8.5
- Date: 2024-09-26
- Authors:
- Gina Peter Banyard girgias@php.net
- Status: Pending Implementation
- Implementation: TBD
Introduction
The RFC proposes to deprecate the listed functionality in PHP 8.5 and remove it in PHP 9 (except where otherwise noted).
The following list provides a short overview of the functionality targeted for deprecation; a more detailed explanation is provided in the Proposal section:
- Deprecate key_length parameter of openssl_pkey_derive()
- Deprecate PDO's 'uri:' scheme
- Deprecate Reflection*::setAccessible()
- Deprecate FILTER_DEFAULT constant
- Make $filter parameter mandatory for filter_*() functions
- Deprecate FILTER_CALLBACK filter
- Deprecate filter_input() and filter_input_array()
- Deprecate the docref_root and docref_ext INI directives
- Deprecate the error_prepend_string and error_append_string INI directives
- Deprecate the report_memleaks INI directive
- Deprecate the register_argc_argv INI directive
- Formally deprecate mysqli_execute
- Deprecate __construct() and __destruct() in interfaces
Proposal
Each feature proposed for deprecation is voted separately and requires a 2/3 majority. All votes refer to deprecation in PHP 8.5 and removal in PHP 9 (except where otherwise noted).
Deprecate key_length parameter of openssl_pkey_derive()
This parameter is useless and confusing for users. It just truncates the length for ECDH, but does nothing or fails for increasing lengths and for DH truncation. This was raised during the security audit.
Deprecate PDO's 'uri:' scheme
Author: Tim Düsterhus timwolla@php.net
Deprecate Reflection*::setAccessible()
Author: Tim Düsterhus timwolla@php.net
TODO: Follow-up for https://wiki.php.net/rfc/make-reflection-setaccessible-no-op
Deprecate FILTER_DEFAULT constant
Author: Gina Peter Banyard girgias@php.net
The FILTER_DEFAULT constant is an alias for the FILTER_UNSAFE_RAW constant.
This has been the case since at least PHP 5.3.
This is confusing and seems to indicate that it corresponds to the filter set by the filter.default INI setting.
Moreover, this INI setting was deprecated in PHP 8.1.
As this constant is confusing and misleading, we propose to deprecate it.
Make $filter parameter mandatory for filter_*() functions
Author: Gina Peter Banyard girgias@php.net
The filter_*() functions do not require passing the $filter parameter; its default value is FILTER_DEFAULT, which is an alias for the FILTER_UNSAFE_RAW filter.
This filter does nothing if no flags are provided.
This behaviour is indicative of a bug; therefore, we propose to make the $filter argument mandatory and emit a deprecation notice if the default value is used.
Deprecate FILTER_CALLBACK filter
Author: Gina Peter Banyard girgias@php.net
The FILTER_CALLBACK filter allows providing a function to call on the value to filter.
This makes little sense, as one can pass the value to filter directly to the function instead of going through the filter extension.
Similarly, to filter an array of values, it is easier and more intuitive to use the array_map() function rather than the filter extension.
As such, we propose to deprecate this filter.
Deprecate filter_input() and filter_input_array()
Author: Gina Peter Banyard girgias@php.net
The filter_input() and filter_input_array() functions operate on the original values provided by the SAPI that populate the superglobals $_GET, $_POST, $_SERVER, $_ENV, and $_COOKIE.
This means that modifications to any entry of a superglobal are not used when calling these functions. This is showcased by the following PHPT test:
--TEST--
filter_input() filter with superglobal modified
--EXTENSIONS--
filter
--GET--
a=hello
--FILE--
<?php
var_dump($_GET);
$f1 = filter_input(INPUT_GET, "a", FILTER_CALLBACK, ['options' => fn (string $s) => $s === "world"]);
var_dump($f1);
$_GET['a'] = "world";
var_dump($_GET);
$f2 = filter_input(INPUT_GET, "a", FILTER_CALLBACK, ['options' => fn (string $s) => $s === "world"]);
var_dump($f2);
var_dump($_GET);
?>
--EXPECT--
array(1) {
  ["a"]=>
  string(5) "hello"
}
bool(false)
array(1) {
  ["a"]=>
  string(5) "world"
}
bool(false)
array(1) {
  ["a"]=>
  string(5) "world"
}
As it is easy and straightforward to have the same behaviour by using filter_var($_GET['a'], /* other params */) and filter_var_array($_GET, /* other params */), we propose to deprecate filter_input() and filter_input_array().
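A migration sketch covering the three filter proposals above (mandatory $filter, FILTER_CALLBACK, and filter_input()); this is an added example, not code from the RFC. The helper name input_from() is hypothetical, and the $get array is a constructed stand-in for $_GET.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a PHP built-in): filter_var()-based stand-in for
 * filter_input(). It reads the array it is given, so later changes to that
 * array are seen, and it always needs an explicit filter.
 * Returns null for an absent key, otherwise whatever filter_var() returns.
 */
function input_from(array $source, string $key, int $filter, array|int $options = 0): mixed
{
    if (!array_key_exists($key, $source)) {
        return null; // filter_input() also reports an unset variable as null
    }
    return filter_var($source[$key], $filter, $options);
}

// Constructed stand-in for $_GET, so the script runs from the CLI.
$get = ['a' => 'hello', 'page' => '3', 'ids' => ['7', 'x', '12']];
$range = ['options' => ['min_range' => 1, 'max_range' => 500]];

// What an omitted $filter amounts to: FILTER_UNSAFE_RAW without flags.
var_dump(filter_var($get['page'], FILTER_UNSAFE_RAW) === $get['page']);

// Explicit validation: a valid value, an absent key, an array where a scalar is expected.
var_dump(input_from($get, 'page', FILTER_VALIDATE_INT, $range));
var_dump(input_from($get, 'missing', FILTER_VALIDATE_INT, $range));
var_dump(input_from($get, 'ids', FILTER_VALIDATE_INT, $range));

// Per-element validation of an array needs FILTER_REQUIRE_ARRAY.
var_dump(input_from($get, 'ids', FILTER_VALIDATE_INT, FILTER_REQUIRE_ARRAY));

// Unlike filter_input(), a changed entry is what gets validated.
$get['page'] = '9999';
var_dump(input_from($get, 'page', FILTER_VALIDATE_INT, $range));

// FILTER_CALLBACK replaced by a direct call, or array_map() for several values.
$isWorld = fn (string $s): bool => $s === 'world';
var_dump($isWorld($get['a']));
var_dump(array_map($isWorld, ['hello', 'world']));
```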
Deprecate the docref_root and docref_ext INI directives
Author: Gina Peter Banyard girgias@php.net
Both of these INI settings allow overriding the output of HTML diagnostic errors (warning, notice, deprecations, etc.) to change the base URL and file extension for the clickable links pointing to functions and/or INI settings in error messages generated by calls to php_error_docref().
This is a debug feature and had some value when the php.net documentation had mirrors; since those have been retired, their use is now limited.
As such, we propose deprecating those two INI settings.
Deprecate the error_prepend_string and error_append_string INI directives
Author: Gina Peter Banyard girgias@php.net
Both of these INI settings allow overriding the output of HTML diagnostic errors (warning, notice, deprecations, etc.) to prepend or append HTML before the generated HTML of these diagnostic errors.
This is a development and debugging feature which seems somewhat questionable and of limited use.
As such, we propose deprecating those two INI settings.
Deprecate the report_memleaks INI directive
Author: Gina Peter Banyard girgias@php.net
This INI directive allows suppressing ZendMM memory leaks in debug builds of PHP. This “feature” is highly questionable, as memory leaks should be fixed as soon as one becomes aware of them. Because this cannot affect production builds of PHP, we propose deprecating this INI setting.
Deprecate the register_argc_argv INI directive
Author: Nicolas Grekas nicolas.grekas@php.net
This INI directive tells PHP whether to declare the argv & argc variables. On the CLI, phpdbg and embed SAPIs it is forced to On. It defaults to Off on other SAPIs. This setting is dangerous on HTTP SAPIs because it allows defining the value of the argv/argc variables from the query string. This is almost always unwanted and certainly unexpected. It can lead to security issues if one reads argv/argc from an HTTP app while not being aware of this behavior.
We propose to deprecate this INI setting and make it default to Off in PHP 8.5, then to hardcode it to Off for all non-CLI-related SAPIs in PHP 9 (while keeping it hardcoded to On for CLI-related ones).
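A defensive pattern for code that may run under both CLI and HTTP SAPIs until the setting is hardcoded; this is an added example, not part of the RFC. The names COMMAND_LINE_SAPIS, trusted_argv() and argv_exposed_over_http() are hypothetical, the $_SERVER snapshots are constructed, and 'fpm-fcgi' stands in for any HTTP SAPI.

```php
<?php
declare(strict_types=1);

// SAPIs the RFC text lists as having register_argc_argv forced to On.
const COMMAND_LINE_SAPIS = ['cli', 'phpdbg', 'embed'];

/** Hypothetical guard: hand back argv only when a command line supplied it. */
function trusted_argv(string $sapi, array $server): array
{
    if (!in_array($sapi, COMMAND_LINE_SAPIS, true)) {
        return []; // under an HTTP SAPI, argv may come from the query string
    }
    $argv = $server['argv'] ?? [];
    return is_array($argv) ? array_values(array_filter($argv, 'is_string')) : [];
}

/** Hypothetical audit check: is the setting enabled on a non-CLI SAPI? */
function argv_exposed_over_http(string $sapi, string|false $iniValue): bool
{
    $enabled = filter_var($iniValue, FILTER_VALIDATE_BOOLEAN);
    return $enabled && !in_array($sapi, COMMAND_LINE_SAPIS, true);
}

// Constructed $_SERVER snapshots: one from a CLI run, one from an HTTP request.
$cli  = ['argv' => ['worker.php', '--queue=mail']];
$http = ['argv' => ['--queue=from-query-string'], 'QUERY_STRING' => '--queue=from-query-string'];

var_dump(trusted_argv('cli', $cli));
var_dump(trusted_argv('fpm-fcgi', $http));
var_dump(argv_exposed_over_http('fpm-fcgi', '1'));

// The same check against the running interpreter's own configuration.
var_dump(argv_exposed_over_http(PHP_SAPI, ini_get('register_argc_argv')));
```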
Formally deprecate mysqli_execute
Author: Tim Düsterhus timwolla@php.net
TODO: https://www.php.net/manual/en/function.mysqli-execute.php
Deprecate __construct() and __destruct() in interfaces
Author: Tim Düsterhus timwolla@php.net
TODO: https://phpc.social/@dseguy/113476785631597024 / https://github.com/php/php-src/issues/16077
Backward Incompatible Changes
For PHP 8.5 additional deprecation notices will be emitted. The actual removal of the affected functionality will happen no earlier than PHP 9.
Removed from this proposal
The following entries were originally added to this proposal and then dropped.