#1575 - Refresh our PHP base line
-
By Chris Graham
- Added
- 4 views
| Identifier | #1575 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Refresh our PHP base line |
| Status | Completed |
| Tags |
Risk: Deprecates functionality (custom) |
| Handling member | Chris Graham |
| Addon | core |
| Description | This issue describes changes we can make to our PHP compatibility. We currently support PHP5.1, which is very old now.
These changes cannot be made until our minimum PHP version is raised, which will happen based on a combination of PHP EOL, updates to our written policy, new Composr versions justifying changes, and our updated CQC tooling. It mainly is an idea dump, that we update as we become aware of improvements we can make at some undefined point in the future, and to help our technology planning. 1) Jump over PHP versions to the latest one that is not EOL. a) Update our minimum requirements. Consider making it official that we support only PHP versions that aren't EOL, then we automatically remove responsibility for us maintaining old versions after a point. Instead maybe say what versions we officially support up to? b) To find what code cleanups we can make, look for calls to phpversion, PHP_VERSION, class_exists, defined, and function_exists checks. Review the 'removed features' list in the PHP manual. Some specific improvements listed further down. c) Update the CQC so all the new PHP features are accepted and checked by it (esp namespaces, PHP short arrays, support for static typed parameters, also new functions for phpstub.php) 2) Raise the documented memory limit to whatever it is in PHPs we support (it's 128MB in PHP5.5, I think actually PHP5.3+). That said, leave the currently 64MB default in the code. The only change is we need the user to find a host that at least gives the default for cases when we choose to raise to that. 3) Remove Magic Quotes support code (gone since PHP 5.4+) 4) Make use of the PHP random bytes feature, drop our openssl usage for that. openssl would no longer be recommended in the hosting tutorial. (PHP7+) 5) We must remove HTTP_RAW_POST_DATA, as we can rely on fopen of input (PHP5.6+). 6) Use PHP __DIR__ constant instead of dirname(__FILE__) (PHP5.3+) 7) We can replace create_function calls with lambda calls (PHP5.3+) 8) Make full use of static typed parameters - turn all our phpdoc headers into proper function signatures via an automated process (PHP7+) 9) Make the PHPdoc compiler complain if there is a mismatch between PHPdoc and argument/return typing (PHP7+) 10) Drop all references to the ocProducts version of PHP (see note ii below). Add a new issue under the "Composr testing platform" to bring it back as an official patch, but likely that issue won't be implemented 11) Drop the 'mysql' database driver (PHP7+) 12) Remove references to PHP safe mode. safe_mode_temp temp directory should be renamed just temp, and a new caches/http directory should be created. (PHP5.4+) 13) Generally review the hosting and security tutorials to see if any recommendations are now implied by the minimum PHP version. Notes: i) We are not considered switching to hacklang. PHP7 won the popular battle against HHVM and is competitive on performance. hacklang is a complicated language with a tiny install base, it's not going to be the next version of PHP. ii) We are dropping our XSS-detector/static-typing version of PHP. Our new approach will be to standardise on CSP to avoid XSS, and use PHP's native (less strict) static typing, and rely on the CQC. It makes me a bit sad, but practically speaking it's good enough, and getting all our PHP developers on a custom PHP build, or maintaining it with new PHP versions, and getting them to truly understand XSS, was not realistic. We could bring it back in the future as a proper maintained PHP patch, if we have megabucks, but it seems unlikely. |
| Steps to reproduce | |
| Related to | |
| Funded? | No |
The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".
Comments
PHP 5.3
=======
Constants can now be declared outside a class using the const keyword.
Added lambda functions and closures. (Christian Seiler, Dmitry)
Added "jump label" operator (limited "goto"). (Dmitry, Sara)
Added NOWDOC syntax. (Gwynne Raskind, Stas, Dmitry)
Added HEREDOC syntax with double quotes. (Lars Strojny, Felipe)
Added "?:" operator. (Marcus)
Added optional parameter to ini_get_all() to only retrieve the current value. (Hannes)
Added 3rd optional parameter to parse_ini_file() to specify the scanning mode of INI_SCANNER_NORMAL or INI_SCANNER_RAW. In raw mode option values and section values are treated as-is.
Added context parameter for copy() function. (Sara)
Added "params" as optional parameter for stream_context_create(). (Sara)
Added stream_supports_lock() function. (Benjamin Schulz)
Deprecated define_syslog_variables(). (Kalle)
date_parse_from_format(): Parse date/time strings according to a format.
date_create_from_format()/DateTime::createFromFormat(): Create a date/time object by parsing a date/time string according to a given format.
date_get_last_errors()/DateTime::getLastErrors(): Return a list of warnings and errors that were found while parsing a date/time string through:
Added array_replace() and array_replace_recursive() functions. (Matt)
Added an optional parameter to strstr() and stristr() for retrieval of either the part of haystack before or after first occurrence of needle. (Johannes, Felipe)
Added optional escape character parameter to fgetcsv(). (David Soria Parra)
Added lcfirst() function. (David C)
Added native support for asinh(), acosh(), atanh(), log1p() and expm1(). (Kalle)
Added timezone_version_get() to retrieve the version of the used timezone database. (Derick)
Added header_remove() function. (chsc at peytz dot dk, Arnaud)
Added stream_context_get_params() function. (Arnaud)
Added parse_ini_string() function. (grange at lemonde dot fr, Arnaud)
Added str_getcsv() function. (Sara)
Added stream_context_set_default() function. (Davey Shafik)
Added optional "is_xhtml" parameter to nl2br() which makes the function output <br> when false and
when true (FR #34381). (Kalle)
Added function preg_filter() that does grep and replace in one go. (Marcus)
Added the ability for json_decode() to take a user specified depth. (Scott)
Added json_last_error() to return any error information from json_decode(). (Scott)
Added stream_resolve_include_path(). (Mikko)
Added realpath_cache_size() and realpath_cache_get() functions. (Stas)
Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al. (Gustavo)
Implemented FR #52173, added functions pcntl_get_last_error() and pcntl_strerror(). (nick dot telford at gmail dot com, Arnaud)
PHP 5.4
=======
Added getimagesizefromstring
Added http_response_code
Function array dereferencing has been added, e.g. foo()[0].
Safe mode gone
register_globals gone
magic_quotes_* gone
Added short array syntax support ([1,2,3]), see UPGRADING guide for full details.
Added binary numbers format (0b001010).
Added support for Traits.
Added optional argument to debug_backtrace() and debug_print_backtrace() to limit the amount of stack frames returned.
Added hex2bin() function.
Changed array_combine() to return empty array instead of FALSE when both parameter arrays are empty. #34857.
Added support for SORT_NATURAL and SORT_FLAG_CASE in array sort functions (sort, rsort, ksort, krsort, asort, arsort and array_multisort). #55158.
Added optional second argument for assert() to specify custom message.
PHP 5.5
=======
Added imagepalettetotruecolor
Added password_hash, password_get_info, password_needs_rehash, password_verify
Added array_column
Added generators and coroutines.
Added "finally" keyword.
Added simplified password hashing API.
Added support for constant array/string dereferencing.
Added support for using empty() on the result of function calls and other expressions
Added support for list in foreach
Improved fputcsv() to allow specifying escape character.
Flipping support using the new imageflip() function.
Advanced cropping support using the imagecrop() & imagecropauto() functions.
WebP read and write support using imagecreatefromwebp() & imagewebp() respectively.
PHP 5.6
=======
Variadic functions via ...
Argument unpacking via ...
Added constant scalar expressions syntax.
Added dedicated syntax for variadic functions.
Added support for argument unpacking to complement the variadic syntax.
Added an exponentiation operator (**).
Added use function and use const..
Added a function for timing attack safe string comparison.
PHP 7
=====
strict typing
declaring strict typing
Added intdiv() function.
Added preg_replace_callback_array function.
Added ?? operator.
Added <=> operator.
Constant arrays using define() ΒΆ
Anonymous classes
Filtered unserialize()
Added error_clear_last() function.
Added socket_export_stream() function for getting a stream compatible resource from a socket resource.
random_bytes()
random_int().
Now we're climbing up through all these old PHP versions, adding CQC (code quality checker) support and using appropriate features. 5.2 and 5.3 now implemented.
Make unit tests pass
Close issue, open new tidied one
It's worked out a little differently, better though.
The v11 branch is now PHP 5.6+, making use of many new features.
ocProducts PHP is now based on PHP7 and maintained in github.
The Code Quality Checker supports up to PHP 5.6.