Migrating to PHP 5.4

register_globals: old


http://your.server/script.php?foo=bar

register_globals: old


http://your.server/script.php?foo=bar

echo 'Hello '.htmlspecialchars($foo);

register_globals: old




if ($admin) {
	// God mode!
}

register_globals: old


http://your.server/script.php?admin=1

if ($admin) {
	// God mode!
}

register_globals: new


http://your.server/script.php?foo=bar

echo 'Hello '.htmlspecialchars($_GET['foo']);

register_globals: bad option


extract($_REQUEST);

register_globals: better option

Audit your code!
Avoid $_REQUEST

Magic quotes


http://your.server/script.php?foo=double+quote+"

Magic quotes


http://your.server/script.php?foo=double+quote+"

$_GET['foo']:
	double quote \"

Magic quotes: bad option


foreach (array($_GET, $_POST, $_COOKIE) as &$a) {
	array_walk($a, function (&$v, $k) {
		return addslashes($v);
	});
}

Magic quotes: better option

Prepared queries via PDO or MySQLi

PHP ≤ 4.0.2

addslashes()

PHP 4.0.3 — 4.2.3

addslashes()
mysql_escape_string()

PHP 4.3.0 — 4.4.9

addslashes()
mysql_escape_string()
mysql_real_escape_string()

PHP ≥ 5.0.0

addslashes()
mysql_escape_string()
mysql_real_escape_string()
PDO::prepare(), mysqli::prepare()

Internationalisation

Different charsets have \ in different places
ISO-8859-1 and UTF-8 (and others): 0x5c
Ergo, \' is 0x5c 0x27
But in Big5 0xbf 0x5c is 縗

So, in Big5…

http://your.server/script.php?foo=%bf%27;DROP DATABASE mysql;--
becomes
縗';DROP DATABASE mysql;--

Safe mode

Restricted file access by script UID

Safe mode: alternatives

Apache: mod_itk, suPHP
FastCGI: php-fpm

Sessions: old


$foo = 'bar';
session_register('foo');

if (session_is_registered('foo')) {
	session_unregister('foo');
}

Sessions: new


$_SESSION['foo'] = 'bar';

if (isset($_SESSION['foo'])) {
	unset($_SESSION['foo']);
}

SQLite 2

Unmaintained since 2005

SQLite 2


$dbh = sqlite_open('my.db');
$rst = sqlite_query('SELECT * FROM t');
if ($rst) {
	$row = sqlite_fetch_array($rst);
} else {
	echo 'Query failed';
}

SQLite 3 with ext/sqlite3


$dbh = new SQLite3('my.db');
$rst = $dbh->query('SELECT * FROM t');
if ($rst) {
	$row = $rst->fetchArray();
} else {
	echo 'Query failed';
}

SQLite 3 with PDO


$dbh = new PDO('sqlite:'.realpath('my.db'));
$rst = $dbh->query('SELECT * FROM t');
if ($rst) {
	$row = $rst->fetch();
} else {
	echo 'Query failed';
}

Call time pass by reference


function func($f) {
	$f = 42;
}

$foo = 6 * 9;
func(&$foo);

Call time pass by reference


function func(&$f) {
	$f = 42;
}

$foo = 6 * 9;
func($foo);

Time zones

PHP no longer guesses
Set date.timezone in php.ini or call date_default_timezone_set()

Character set

default_charset is now UTF-8


header('Content-Type: text/html; charset=UTF-8');

Errors

E_ALL now includes E_STRICT and E_DEPRECATED

crypt()

Sign extension bug in Blowfish mode ( $2a$ )
Affects passwords with byte 0xff only
$2x$ keeps old, buggy behaviour

Other gotchas

MySQL extensions now use mysqlnd by default
APC will not be bundled with 5.4

Deprecated features

ereg survived in 5.4, but is still deprecated
ext/mysql (functions beginning with mysql_) is soft deprecated; will be really deprecated in 5.5

Traits

Same problem space as mixins
Allows horizontal reuse of methods across classes
Independent of inheritance

Traits


trait Hello {
  public function hello() { echo "Hello!"; }
}

class Greeter {
  use Hello;
}

Traits






class Greeter {
  public function hello() { echo "Hello!"; }
}

Traits


trait Hello {
  public function hello() { echo "Hello!"; }
}

class Greeter {
  use Hello;
}

$greeter = new Greeter;
$greeter->hello();

Closure binding


class Greeter {
  public function say() { echo "Hello!\n"; }
}
class Fareweller {
  public function say() { echo "Goodbye!\n"; }
}

Closure binding


class Greeter {
  public function say() { echo "Hello!\n"; }
}
class Fareweller {
  public function say() { echo "Goodbye!\n"; }
}

$say = function () { return $this->say(); };

Closure binding


class Greeter {
  public function say() { echo "Hello!\n"; }
}
class Fareweller {
  public function say() { echo "Goodbye!\n"; }
}

$say = function () { return $this->say(); };
$hello = $say->bindTo(new Greeter);
$goodbye = $say->bindTo(new Fareweller);
$hello(); $goodbye();

Arrays


$temp = arrayFunction();
$value = $temp['key'];

Arrays


$temp = arrayFunction();
$value = $temp['key'];

$value = arrayFunction()['key'];

More arrays


$list = array(1, 2, 3);
$assoc = array('a' => 1, 'b' => 2, 'c' => 3);

More arrays


$list = array(1, 2, 3);
$assoc = array('a' => 1, 'b' => 2, 'c' => 3);

$list = [1, 2, 3];
$assoc = ['a' => 1, 'b' => 2, 'c' => 3];

Objects


$temp = new DateTime();
$temp->format('r');

Objects


$temp = new DateTime();
$temp->format('r');

(new DateTime())->format('r');

Speed

	5.3.8	5.4.0 RC1	δ
Wordpress	7.02	7.28	3.70%
Drupal	7.07	7.17	1.41%
Joomla!	5.99	5.73	-4.34%
SilverStripe	8.25	8.67	5.09%

Requests per second
Average of three benchmarks after discarding the first invocation
PHP invoked via FastCGI under lighttpd
Current stable versions of each package were tested

Other improvements

<?= always available
Binary literals: 0b101010 === 42
callable type hint

When?

RC5 released on Saturday the 7^th
Next release due on Thursday the 19^th
PHP 5.3 supported until at least July 2012
PHP 5.5 will be branched in the next few months

Please help!

Please help test the RC: both with your own code and by submitting make test results
Raise an issue for anything you find

Questions?

http://p70.us/14
(or gopher://p70.us/1/13)