
Preparing Your Site for PHP 7.2.0!


PHP 7.2 was released on 30 November 2017. It comes with two new security features in the core, several smaller improvements and some clean-ups of legacy language features. In this article I describe what the improvements and changes are.

Argon2 in password hash

Argon2 is a password hashing function that won the Password Hashing Competition in July 2015. It is the successor to bcrypt and scrypt and is designed as a memory-hard function: three tunable parameters, the memory size, the CPU time (number of iterations) and the degree of parallelism, let you set the cost high enough that brute-force attacks on GPUs and custom hardware become expensive.

There are two main variants of the algorithm: Argon2i and Argon2d. Argon2i uses data-independent memory access and is therefore resistant to side-channel attacks, while Argon2d uses data-dependent access and offers the highest resistance against GPU cracking. Because password hashes are computed on shared servers where timing side channels matter, Argon2d is not the right choice for password hashing, and PHP 7.2 adds only Argon2i to its Password Hashing Functions. (The hybrid Argon2id arrives later, in PHP 7.3, as PASSWORD_ARGON2ID.)

password_hash('password', PASSWORD_ARGON2I)

Using PASSWORD_BCRYPT is still a perfectly valid and safe option; Argon2i is simply an additional one, which may become the default in the future (PASSWORD_DEFAULT remains bcrypt in 7.2). Note that PASSWORD_ARGON2I only exists when PHP is compiled with Argon2 support (--with-password-argon2), so check defined('PASSWORD_ARGON2I') before relying on it. It is also time to check your password column length: PASSWORD_BCRYPT produces 60-character hashes, while an Argon2i hash is about 96 characters with the default cost parameters and grows as you raise them, because the parameters are stored in the hash string. The password_hash documentation recommends a column length of 255 characters to accommodate any future hash.
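The following is an added example, not code from the original post or from PHP's own documentation. It assumes PHP 7.2 built with Argon2 support (PASSWORD_ARGON2I is undefined otherwise); the cost values, the function names and the idea of a stored legacy bcrypt hash are the example's own choices. It hashes with explicit Argon2i costs, verifies against a hash of any algorithm password_hash() knows, and upgrades a bcrypt hash to Argon2i transparently on the user's next successful login, which is how you migrate an existing user table without knowing anyone's password.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Requires PHP 7.2 compiled with
// --with-password-argon2; all names below are hypothetical.

// Costs are explicit so they are visible in code review. PHP 7.2's own defaults
// (memory 1024 KiB, time 2, threads 2) are deliberately low; raise memory_cost
// until one hash takes roughly 100 ms on your production hardware.
const ARGON2_OPTIONS = [
    'memory_cost' => 1 << 16, // 64 MiB, expressed in KiB
    'time_cost'   => 3,
    'threads'     => 2,
];

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_ARGON2I, ARGON2_OPTIONS);
}

/**
 * Verifies $password against a stored hash of any supported algorithm
 * (bcrypt hashes verify fine) and reports whether the stored hash should be
 * replaced because the algorithm or the cost parameters changed.
 *
 * Returns [bool $ok, ?string $newHash]; $newHash is null when no rehash is due
 * or the password was wrong (never rehash on a failed login).
 */
function verifyAndUpgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    // True for a bcrypt hash once Argon2i is the target, and for an Argon2i
    // hash whose embedded m/t/p values differ from ARGON2_OPTIONS.
    $needsRehash = password_needs_rehash($storedHash, PASSWORD_ARGON2I, ARGON2_OPTIONS);
    return [true, $needsRehash ? hashPassword($password) : null];
}

// Constructed demonstration: a legacy bcrypt hash migrates on first login.
$legacyHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT);

[$ok, $upgraded] = verifyAndUpgrade('correct horse battery staple', $legacyHash);
assert($ok === true);
assert($upgraded !== null && strpos($upgraded, '$argon2i$') === 0);

// Wrong password: verification fails and nothing is rehashed.
[$ok, $upgraded] = verifyAndUpgrade('wrong', $legacyHash);
assert($ok === false && $upgraded === null);

// A second login with the new hash needs no further rehash.
$argonHash = hashPassword('correct horse battery staple');
[$ok, $upgraded] = verifyAndUpgrade('correct horse battery staple', $argonHash);
assert($ok === true && $upgraded === null);

// The column-length check from the text: the Argon2i string carries its cost
// parameters, so its length depends on them. Size the column to 255, not to
// whatever strlen() prints today.
printf("bcrypt: %d chars, argon2i: %d chars\n", strlen($legacyHash), strlen($argonHash));
```

When the upgrade path returns a new hash, write it back to the user row inside the same request; until then the old bcrypt hash keeps working, so the migration is safe to roll out gradually.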

Make Libsodium a Core Extension

Libmcrypt has not been maintained for a decade (its last release was in 2007); PHP 7.1 deprecated the mcrypt extension and PHP 7.2 removes it from the core, which had left OpenSSL as the only viable option for PHP 5.x and 7.0 users. PHP 7.2 instead ships the modern cryptography library libsodium as a core extension (ext/sodium). It was previously available through PECL, and there is also a pure-PHP polyfill, paragonie/sodium_compat, so you can start writing code against the same API right now (it supports PHP back to 5.2.4).

As the RFC puts it, PHP will be the first programming language to adopt modern cryptography in its standard library.
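The following is an added example of what the new core extension gives you, written for this article rather than taken from the original post or from the libsodium documentation. It assumes PHP 7.2 with ext/sodium, or the paragonie/sodium_compat polyfill on older versions, where the function names are identical; the helper names and the sample message are the example's own. It performs authenticated symmetric encryption with sodium_crypto_secretbox(), and shows that a single flipped bit in the ciphertext is rejected outright instead of decrypting to garbage, which is the property mcrypt's raw block ciphers never gave you.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Requires PHP 7.2 ext/sodium or
// the sodium_compat polyfill; sealMessage/openMessage are hypothetical names.

// secretbox = XSalsa20 stream cipher + Poly1305 MAC. The 24-byte nonce is
// large enough that a random one per message is safe; it is not secret and
// is simply prepended to the ciphertext.
function sealMessage(string $plaintext, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException(
            'key must be exactly ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes'
        );
    }
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

/**
 * Returns the plaintext, or null when the MAC check fails (tampered data,
 * truncated data, or the wrong key). Nothing is decrypted before the MAC is
 * verified, so there is no partial plaintext to leak.
 */
function openMessage(string $sealed, string $key): ?string
{
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($sealed) < $minLen) {
        return null;
    }
    $nonce      = substr($sealed, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($sealed, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed demonstration. In real code the key comes from a secret store,
// never from a string literal in the repository.
$key = sodium_crypto_secretbox_keygen();   // 32 cryptographically random bytes
$message = 'session=abc123; role=user';   // constructed sample payload

$sealed = sealMessage($message, $key);
assert(openMessage($sealed, $key) === $message);

// Flip one bit of the last ciphertext byte: authentication fails, null back.
$tampered = $sealed;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
assert(openMessage($tampered, $key) === null);

// A different key fails the same way; the caller cannot tell which it was.
assert(openMessage($sealed, sodium_crypto_secretbox_keygen()) === null);

// Wipe key material from memory once it is no longer needed.
sodium_memzero($key);
```

Ciphertexts are binary; if they have to travel in JSON or a URL, encode them with sodium_bin2hex() or base64 at the boundary and decode before calling openMessage().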

Object type hint

PHP 7 introduced scalar type declarations for parameters and for function return types. PHP 7.2 adds object as a type that can be used both for parameters and for return values: it accepts any object, but not scalars, arrays or null. 'object' becomes a reserved word in 7.2, so make sure you are not using it as the name of a class, interface or trait.

function foo(object $definitelyAnObject): object
{
    // Declared to return an object, so this line throws a TypeError at runtime;
    // returning $definitelyAnObject (or any other object) would satisfy the type.
    return 'another string';
}

foo(new stdClass); // TypeError on the return value
foo('a string');   // TypeError on the argument, before the body runs

Although 'object' was already a soft reserved word, this RFC makes object a fully reserved class name.

Counting of non-countable objects

Calling count() on a scalar, or on an object that does not implement the Countable interface, returns 1 (and count(null) returns 0). There are no known legitimate uses for this, and it easily hides bugs, such as counting a string that should have been an array. PHP 7.2 therefore emits a warning when count() is called with a scalar, null, or an object that does not implement Countable:

Warning: count(): Parameter must be an array or an object that implements Countable

Deprecations for PHP 7.2

An RFC covering multiple deprecations targeted PHP 7.2. It deprecates the listed functionality in PHP 7.2, with removal to follow no later than PHP 8.0.

The following list gives a short overview of the functionality targeted for deprecation:

  • __autoload() - use spl_autoload_register() instead
  • $php_errormsg - use error_get_last() instead
  • create_function() - use closures instead (create_function() builds the function from a string with eval())
  • mbstring.func_overload (ini setting) - use the mb_* functions directly
  • (unset) cast - this does not deprecate unset($var), only $foo = (unset) $bar, which is equivalent to $foo = null
  • parse_str() without a second argument - creating variables directly from the query string is the register_globals hazard all over again; always pass the result array
  • gmp_random() - use gmp_random_bits() and gmp_random_range() instead
  • each() - use foreach instead (it is more than 10 times faster)
  • assert() with a string argument - the string is eval()'d, so any attacker-influenced input becomes code execution; pass an expression instead
  • $errcontext argument of error handlers - use debug_backtrace() instead
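The following is an added migration example, written for this article and not taken from the original post or from the RFC; it covers the security-relevant entries of the deprecation list above together with the count() warning described earlier. The function names and the sample inputs are the example's own. Each deprecated form is left as a comment so the file runs without E_DEPRECATED notices, next to the replacement that PHP 7.2 expects.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Hypothetical helper names; each
// "Deprecated:" comment shows the form PHP 7.2 warns about.

// parse_str() without a second argument dumps query variables into the current
// scope, the same hazard as register_globals (removed in PHP 5.4): a request
// for ?admin=1 could overwrite a local $admin. Always collect into an array.
function parseQuery(string $query): array
{
    $params = [];
    // Deprecated: parse_str($query);
    parse_str($query, $params);   // results land only in $params
    return $params;
}
assert(parseQuery('user=alice&admin=1') === ['user' => 'alice', 'admin' => '1']);

// assert() with a string argument eval()s it. Pass an expression instead, and
// run production with zend.assertions=-1 so assertions are compiled out.
function assertPositive(int $n): void
{
    // Deprecated: assert("$n > 0");
    assert($n > 0, 'n must be positive');
}
assertPositive(1);

// create_function() also turns a string into code via eval(); a closure is
// compiled with the file and captures variables explicitly with use().
function makeMultiplier(int $factor): Closure
{
    // Deprecated: return create_function('$x', "return \$x * $factor;");
    return function (int $x) use ($factor): int {
        return $x * $factor;
    };
}
assert(makeMultiplier(3)(7) === 21);

// each() advances a hidden internal array pointer that other code can disturb;
// foreach iterates without that shared state.
function sumValues(array $data): int
{
    $total = 0;
    // Deprecated: while (list($key, $value) = each($data)) { $total += $value; }
    foreach ($data as $value) {
        $total += $value;
    }
    return $total;
}
assert(sumValues(['a' => 1, 'b' => 2]) === 3);

// __autoload() is deprecated; register a callable instead. Several loaders can
// coexist this way, which a single global __autoload() never allowed.
// Deprecated: function __autoload($class) { require "src/$class.php"; }
spl_autoload_register(function (string $class): void {
    $file = __DIR__ . '/src/' . str_replace('\\', '/', $class) . '.php';
    if (is_file($file)) {
        require $file;
    }
});

// count() on a scalar or a non-Countable object now warns. Decide explicitly
// what a non-countable value means instead of relying on the silent "1".
function countItems($value): int
{
    if (is_array($value) || $value instanceof Countable) {
        return count($value);
    }
    throw new InvalidArgumentException('expected an array or a Countable, got ' . gettype($value));
}
assert(countItems([1, 2, 3]) === 3);
assert(countItems(new ArrayObject(['x'])) === 1);
try {
    countItems('not countable');   // would have returned 1 silently before 7.2
    assert(false, 'unreachable');
} catch (InvalidArgumentException $e) {
    // expected
}
```

Running the old forms under PHP 7.2 with error_reporting(E_ALL) surfaces every remaining call site as an E_DEPRECATED notice, so a test run with notices turned into exceptions is the quickest way to find the ones this list does not cover in your own code.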

PHP 7.2 contains new security features (sodium, Argon2i), several language improvements and a variety of minor changes that polish legacy parts of the language.
