Deprecations and Changes for PHP 7.3 [Avoid Errors]
Deprecations and Changes for PHP 7.3 [Avoid Errors]
We take a look at what's new in the latest version of PHP that was recently released and how it will affect your code base.
Join the DZone community and get the full member experience.Join For Free
Are you ready to embrace the new changes that will come with the publication of PHP 7.3?
In this blog post, I will guide you through the process of updating your code so that you can avoid mistakes and keep working as smoothly as possible.
PHP 7, the new version of our favorite programming language, has been release. As a Web Developer, I’m excited and worried at the same time.
As you already know, if you have read the other posts I have published, with the new version, new features have been added that will facilitate your work and improve the quality of your code but at the same time when you are up to date you have to keep an eye on features that are not compatible anymore and that will cause problems to the code you've already written.
In this post, I share exactly what you need to know to start migrating your applications successfully, including all the features that will be deprecated and can cause an error if you keep them, and give you some insights on the new improvements like the new system to hash passwords and create constants.
Sound like a plan? Let’s get into it!
Follow the Series …
This blog post is the third part of “PHP 7.3 and its Christmas gifts”
If you did not read the other parts yet
You can check the other blog posts following the links below
Removal of image2wbmp()
Let’s start by breaking the name of this function down!
image — 2 — wbmp()
I must say that the purpose of this function is quite straightforward.
The wbmp format, also known as Wireless Bitmap, is a monochromatic image optimized for mobile devices.
bool imagewbmp(resource $image [, mixed $to [, int $foreground]]);
This function accepts three parameters (the resource, a string with the path to the saved file, and foreground color in integer format) and returns a boolean value depending on the outputs saved to the wbmp version of the image provided.
The reason this function has been deprecated (and it will be definitely deleted in the future versions of PHP) is that there is already a function that has exactly the same functionality.
You will see that
imagewbmp() has a much higher usage rate, so what the creators did was just eliminate the lesser used function.
From the next version of PHP, each call to
image2wbmp() will throw a deprecation warning, whereas later on in the following version, when it will be definitely deleted, it is going to throw a fatal error.
In order to update your scripts, if you are using
image2wbmp(), what you need to do is simply to replace it with
The code will do the same and there will be no warning or errors.
FILTER_FLAG_SCHEME_REQUIRED and FILTER_FLAG_HOST_REQUIRED Deprecated
These two are flags that belong to the
filter_var() filters variables with the flags specified by the developers.
mixed filter_var(mixed $variable
The first parameter is the variable that needs to be filtered or validated, the second parameter is called the flag and contains the ID of the filter that needs to be applied.
Here is the list of all the type of filters available in PHP.
The third parameter is mandatory and needs to be in the form of an array or a bitwise disjunction of flags.
If you are unfamiliar with the square brackets, what they mean is that the parameters' insides are not mandatory and you can avoid inserting them and still be sure that you will not get an error.
In the case of the filter parameter, the reason is that, by default, PHP will user
And here is what changed in PHP 7.3.
Since PHP 5.2.1, these two flags have been included in
FILTER_VALIDATE_URL, even if you did not specify them.
To sum up, these two constants are useless and, as written in the RFC, they have created the wrong impression that either the scheme or the host can be disabled.
If you have code that uses these two flags somewhere, just remove them and you will be good to go.
PHP 7.2 supported both case-sensitive and case-insensitive constants.
The letters are not used frequently but when used they cause inconsistencies.
bool define(string $name);
The last parameter of the function is a boolean and, if set to TRUE, the constant is going to be defined as case-insensitive.
Santa will represent different values.
As the name suggests, constants must be constant, meaning they cannot change after they have been declared.
This rule is not true in the case of case-insensitive constants.
define('SANTA', 42); var_dump(SANTA); // int(42) define('SANTA', 24); // Notice: Constant FOO already defined var_dump(SANTA); // int(42)
If case-sensitive and case-insensitive constants are mixed, like so,
define('santa', 42, true); var_dump(SANTA); // int(42) define('SANTA', 24); var_dump(SANTA); // int(24)
the previous code actually changes the value of the defined constant, which is not a behavior that we want.
There are various differences in PHP 7.3:
- The possibility to define the third parameter as TRUE has been deprecated and will definitely be removed in version 8.0.0.
- It won’t be possible to access a case-insensitive constant with a format that is different from the one used in the
define('Santa', 'Claus', true);
The previous code will throw “Deprecated: define(): Declaration of case-insensitive constants is deprecated.”
In case you try to access the constant just defined using another casing, it will result in “Deprecated: Case-insensitive constants are deprecated.”
The correct casing for this constant is “Santa.”
Unlike the other updates, to fix all the possible issues with the code you need to change a few things.
You must be looking for all the constants declared in a case-insensitive manner.
The good news is that you have to declare the constants that way outright, so just check for the
define function with the third parameter set as true.
PCRE to PCRE2 Migration
Perl Compatible Regular Expressions, also called PCRE, is a library that PHP uses for dealing with Regular Expressions.
PCRE is made up of a set of functions that implement regex pattern matching with the same syntax and semantics as Perl 5; it cannot be disabled anymore.
The problem arrives when you realize that PHP still uses version 1.0 of the library that has been unutilized.
At the same time, the new version, PCRE2, was released in 2005.
This is mainly a core functionality of PHP, thus, for the most part, it won’t affect the user of the language but you need to be aware of some modifications that may affect how you work with PHP.
Here are some of the differences:
- Modifier S is now on by default. PCRE does some extra optimization.
- Option X is disabled by default. It makes PCRE do more syntax validation than before.
- Unicode 10 is used, while it was Unicode 7. This means more emojis, more characters, and more sets. Unicode regex may be impacted.
- Some invalid patterns may be impacted.
Simply put, PSRE2 is more strict in terms of pattern validations, so, after the upgrade, some of your existing patterns may not compile anymore.
Here is a simple snippet used in PHP.NET:
preg_match('/[\w-.]+/', ''); // this will not work in PHP7.3preg_match('/[\w\-.]+/', ''); // the hyphen need to be escaped
As you can see from the example above there is a little but substantial difference between the two lines.
The hyphen now needs to be escaped; this is probably one of the most common causes of incompatibility you will encounter.
Also, PHP does not lint regex during the linting process, so it is advised to check all the regex patterns you are using in your applications and test them with PHP 7.3.
Exakat.io provides a complete list of the regex inventory.
Implementing this new feature may be a little bit more problematic than the other seen previously, in fact, some calls to
preg_match() could stop working.
Before upgrading your PHP to 7.3, I advise to check it and, in case, update or rewrite the pattern you need.
Also, run your unit tests to find errors during compilation.
Undefined Variables in compact()
compact() is an amazing array function that allows the creation of array by using the name of one or more variables as parameters.
$name = "Claus"; $title = "Santa"; $residency = "North Pole"; $result = compact("name", "title", "residency", "reindeer"); Array [ [name] => Claus [title] => Santa [residency] => North Pole ];
In the previous example, the variable
$result is an array and contains the name of the variable selected in the form of keys and the values of the variable selected in the form of value.
During the last decade, because of the exponential use of PHP frameworks, and since the fact that the latter use template engine on MVC models, the use of this function has increased quite a lot.
A characteristic that this method did provide until version PHP 5.3 is that if we insert a string that refers to a variable that does not exist, the script will simply ignore the parameter.
In the long run, and especially with distracted web developers, this used to cause missing variables in the views (in the case of MVC) or missing data in general.
With an outstanding 32 vs. 5 vote, finally, after installing the new version of the programming language,
compact() will start to report these missing variables with the following notice:
// Notice: compact(): Undefined variable: reindeer
Please be careful because when updating your current projects as you may encounter a large number of the above mentioned notices.
You can also use the the
@operator and fix these errors one-by-one.
Argon2 Password Hash Enhancements
It is a good thing that developers always work on enhancements for security and password hashing. Striving to achieve a better level of protection is of fundamental importance, especially when talking about our data.
PHP 7.2 implemented a new hashing algorithm called Argon2 that is meant to be an alternative to Bcrypt.
Argon2 comes in three different versions:
- Argon2d, which is the fastest among them, uses data-depending memory access to maximize resistance to GPU attacks.
- Argon2i uses data-independent memory access. It is thus preferred for password hashing but it is slower.
- Then we have Argon2id, the version that combines the other two versions.
In PHP7.3, you will have the possibility to add the constant
PASSWORD_ARGON2ID as a flag of the
There are several details about this new method, like the parallelism factor, memory cost, and time cost calculations, but I will skim over these and simply show you the syntax you can use in case you want to opt for this type of hashing.
$options = ['memory_cost' => 1<<11, 'time_cost' => 4, 'threads' => 2];password_hash('password', PASSWORD_ARGON2ID, $options);
Another function that accepts this new algorithm is
password_needs_rehash(), which checks whether the supplied hash implements the algorithm and the option provided and returns a boolean accordingly.
$hash = password_hash('password', PASSWORD_ARGON2ID);password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => 1<<17]);
In this article, I have provided a summary of all the relevant changes and improvements that are featured in the newest version of PHP.
To make sure your code is ready for the new updates, first, you can update your code, checking and removing every incompatibility with the new version,
You can chech on each section of each new feature to see if there are any backward compatibility problems. A good idea would be to go throw all the sections of this article (I remind you that it is devided in three main components) and find out if they are supported in your code.
An example could be getting all the regex patterns in your code and linting them with the new PCRE2.
You can use polyfill for PHP 7.3
Also, run Exakat and look for issues.
Eventually, of course, run your unit test.
If you do not have any tests in your application and you do not use automated testing, write the test then run them!
Last note: the full list of PHP 7.3 proposals on the RFC and GitHub’s PHP 7.3 Notes are available on these links.
Published at DZone with permission of Nico Anastasio . See the original article here.
Opinions expressed by DZone contributors are their own.