PCRE has been updated (https://wiki.php.net/rfc/pcre2-migration#backward_incompatible_changes).
The new PCRE version is stricter in some cases.
Due to the introduction of flexible heredoc/nowdoc syntax, doc strings that contain the ending label inside their body may cause syntax errors or change in interpretation. For example in:
<?php
$str = <<<FOO
abcdefg
FOO
FOO;
?>
FOO
did not previously have any
special meaning. Now it will be interpreted as the end of the heredoc string
and the following FOO;
will cause a syntax error. This issue can
always be resolved by choosing an ending label that does not occur within the
contents of the string.
continue
statements targeting switch
control flow structures will now generate a warning. In PHP such
continue
statements are equivalent to
break
, while they behave as continue 2
in other languages.
<?php
while ($foo) {
switch ($bar) {
case "baz":
continue;
// Warning: "continue" targeting switch is equivalent to
// "break". Did you mean to use "continue 2"?
}
}
?>
Array accesses of type $obj["123"]
, where
$obj
implements ArrayAccess and
"123"
is an integer string literal will no
longer result in an implicit conversion to integer, i.e.,
$obj->offsetGet("123")
will be called instead of
$obj->offsetGet(123)
. This matches existing behavior for
non-literals. The behavior of arrays is not affected in any way, they
continue to implicitly convert integral string keys to integers.
In PHP, static properties are shared between inheriting classes, unless the static property is explicitly overridden in a child class. However, due to an implementation artifact it was possible to separate the static properties by assigning a reference. This loophole has been fixed.
<?php
class Test {
public static $x = 0;
}
class Test2 extends Test { }
Test2::$x = &$x;
$x = 1;
var_dump(Test::$x, Test2::$x);
// Previously: int(0), int(1)
// Now: int(1), int(1)
?>
References returned by array and property accesses are now unwrapped as part of the access. This means that it is no longer possible to modify the reference between the access and the use of the accessed value:
<?php
$arr = [1];
$ref =& $arr[0];
var_dump($arr[0] + ($arr[0] = 2));
// Previously: int(4), Now: int(3)
?>
Argument unpacking stopped working with Traversables with non-integer keys. The following code worked in PHP 5.6-7.2 by accident.
<?php
function foo(...$args) {
var_dump($args);
}
function gen() {
yield 1.23 => 123;
}
foo(...gen());
?>
The ext_skel utility has been completely redesigned with new options and some old options removed. This is now written in PHP and has no external dependencies.
Support for BeOS has been dropped.
Exceptions thrown due to automatic conversion of warnings into exceptions in
EH_THROW
mode (e.g. some DateTime
exceptions) no longer populate error_get_last() state. As
such, they now work the same way as manually thrown exceptions.
TypeError now reports wrong types as
int
and bool
instead of
integer
and boolean
, respectively.
Undefined variables passed to compact() will now be reported as a notice.
getimagesize() and related functions now report the mime
type of BMP images as image/bmp
instead of
image/x-ms-bmp
, since the former has been registered with
the IANA (see » RFC 7903).
stream_socket_get_name() will now return IPv6 addresses
wrapped in brackets. For example "[::1]:1337"
will be
returned instead of "::1:1337"
.
All warnings thrown by BCMath functions are now using PHP's error handling. Formerly some warnings have directly been written to stderr.
bcmul() and bcpow() now return numbers with the requested scale. Formerly, the returned numbers may have omitted trailing decimal zeroes.
rsh/ssh logins are disabled by default. Use imap.enable_insecure_rsh if you want to enable them. Note that the IMAP library does not filter mailbox names before passing them to the rsh/ssh command, thus passing untrusted data to this function with rsh/ssh enabled is insecure.
Due to added support for named captures, mb_ereg_*()
patterns using named captures will behave differently. In particular named
captures will be part of matches and mb_ereg_replace()
will interpret additional syntax. See Named
Captures for more information.
Prepared statements now properly report the fractional seconds for
DATETIME
, TIME
and
TIMESTAMP
columns with decimals specifier (e.g.
TIMESTAMP(6)
when using microseconds). Formerly, the
fractional seconds part was simply omitted from the returned values.
Prepared statements now properly report the fractional seconds for
DATETIME
, TIME
and
TIMESTAMP
columns with decimals specifier (e.g.
TIMESTAMP(6)
when using microseconds). Formerly, the
fractional seconds part was simply omitted from the returned values. Please
note that this only affects the usage of PDO_MYSQL with emulated prepares turned off
(e.g. using the native preparation functionality). Statements using
connections having PDO::ATTR_EMULATE_PREPARES
=true
(which is the default) were not affected by the bug fixed and have already
been getting the proper fractional seconds values from the engine.
Reflection export to string now uses
int
and bool
instead of
integer
and boolean
, respectively.
If an SPL autoloader throws an exception, following autoloaders will not be executed. Previously all autoloaders were executed and exceptions were chained.
Mathematic operations involving SimpleXML objects will now treat the text as an int or float, whichever is more appropriate. Previously values were treated as ints unconditionally.
As of PHP 7.3.23, the names of incoming cookies are no longer url-decoded for security reasons.
PCRE has been updated (https://wiki.php.net/rfc/pcre2-migration#backward_incompatible_changes).
The new PCRE version is stricter in some cases.