What’s New in PHP 7.3: A Look at Initial RFC

 What’s New in PHP 7.3

PHP is surely giving a tough competition to other scripting languages, thanks to the developers for the rapid updates they unleash from time to time. Since the release of PHP 7.0, we have seen lot of new features in the language which were not available before. The main purpose of these additions is to improve performance and security of PHP applications. In the series of these updates, PHP recently has got another milestone with the release of RC1 of PHP 7.3. The version also got some new much-needed updates. While the official release date of PHP 7.3 is given of late December 2018.

In this blog, I will discuss newly introduced PHP 7.3 features and updates. Also the files are available to download, and you can install them on production servers and can use them for testing purposes. Never use the RC updates on dev/live servers. Following are the new updates introduced in it and are making PHP 7.3 performance much more optimized than the previous versions.

• Flexible Heredoc and Nowdoc Syntaxes
• Allow a trailing comma in function calls
• JSON_THROW_ON_ERROR
• PCRE2 Migration
• list() Reference Assignment
• is_countable function
• array_key_first(), array_key_last()
• Argon2 Password Hash Enhancements
• Deprecate and Remove image2wbmp()
• Deprecate and Remove Case-Insensitive Constants
• Same Site Cookie

Let’s discuss the above updates one by one in detail.

Flexible Heredoc and Nowdoc Syntaxes

Heredoc and Nowdoc syntax help out the users in using multi-line long strings. It requires that the ending identifier should be the first string appearing in a new line.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

// Instead of this: $query = <<<SQL SELECT * FROM `table` WHERE `column` = true; SQL; // You can do this: $query = <<<SQL    SELECT *    FROM `table`    WHERE `column` = true;    SQL;

Basically this update proposed two new changes which are as follows

1. To enable the closing marker for indenting
2. To remove the new line requirement after the closing marker

In the example, mentioned above, you can see both of the changes easily.

Allow a Trailing Comma in Function Calls

Appending of trailing commas is made at the end of listed parameters, elements and variables. Several times we call a number of elements in an array or function call (especially variadic functions), in which if you have missed a comma, you will get an error. For that purpose, trailing commas can be useful there. They are allowed in arrays and from PHP 7.2 in grouped namespace syntax.

1 2 3 4 5 6 7 8 9

use Foo\Bar\{    Foo,    Bar, }; $foo = [    'foo',    'bar', ];

As new values are appending here, so trailing commas are highly useful in this case. While in variadic functions like unset(), they will do the work fittingly well.

1 2 3 4 5

unset(    $foo,    $bar,    $baz, );

Meanwhile when you send a list of variables through compact() function to a templating engine, is also another example, you can use.

1 2 3 4 5 6 7 8

echo $twig->render(    'index.html',    compact(        'title',        'body',        'comments',    ) );

You often need to merge arrays with array_merge() function in some situations where concatenation or grouping of data is constructed. You can use trailing commas there:

1 2 3 4 5

$newArray = array_merge(    $arrayOne,    $arrayTwo,    ['foo', 'bar'], );

Similarly, you can use them in methods, function’s arguments and closure calls.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

class Foo {  public function __construct(...$args) {    //  }  public function bar(...$args) {    //  }  public function __invoke(...$args) {    //  } } $foo = new Foo(  'constructor',  'bar', ); $foo->bar(  'method',  'bar', ); $foo(  'invoke',  'bar', );

JSON_THROW_ON_ERROR

For parsing JSON responses, we have two functions available json_encode()and json_decode(). Unfortunately, both of them do not have a proper error throwing representation. Json_encode() will throw only false error whereas json_decode will throw null, and null can be true value. Only the way to know the error is to call json_last_error() or json_last_error_msg(), which returns the global error state in machine-readable and human-readable forms.

In this RFC, the proposed solution is to add JSON_THROW_ON_ERROR in both functions which ignores the global error state. While if an error occurs that would otherwise set it, these functions instead throw a JsonException with the message and code set to whatever json_last_error() and json_last_error_msg() throw. You can call it as:

1 2 3

json_encode($data, JSON_THROW_ON_ERROR); json_decode("invalid json", null, 512, JSON_THROW_ON_ERROR);

// Throws JsonException

PCRE2 Migration

PHP uses PCRE for regular expressions. But from PHP 7.3, PCRE2 will come into action for regular expressions. Therefore, you need to migrate your existing regex according to PCRE2 rules. These rules will be more aggressive than before. For instance see the regex:

1	preg_match('/[\w-.]+/', '');

This regex will fail now and will not throw a warning error. Because PCRE2 is strict about moving hyphen to the end or escaping for this work.

These features and more are available with the upgrade to PCRE2 10.x,

• Forward relative back-references, \g{+2} (mirroring the existing \g{-2})
• Version check available via patterns such as (?(VERSION>=x)…)
• (*NOTEMPTY) and (*NOTEMPTY_ATSTART) tell the engine not to return empty matches)
• (*NO_JIT) disable JIT optimization
• (*LIMIT_HEAP=d) set the heap size limit to d kilobytes
• (*LIMIT_DEPTH=d) set the backtracking limit to d
• (*LIMIT_MATCH=d) set the match limit to d

list() Reference Assignment

PHP has list() assignment and reference assignment functions. But in the current state you cannot use reference assignment in list(). From now onwards, PHP 7.3 will allow you to use that. The new improved syntax is as follows:

1 2	$array = [1, 2]; list($a, &$b) = $array;

This is equivalent to this form:

1 2 3

$array = [1, 2]; $a = $array[0]; $b =& $array[1];

New PHP 7.3 changes will also enable us to use this with nested list and foreach() function:

1 2 3 4 5

$array = [[1, 2], [3, 4]]; foreach ($array as list(&$a, $b)) {    $a = 7; } var_dump($array);

is_countable function

In PHP 7.2, you can count objects and arrays via count() function. If the object is not countable, PHP throws a warning. You need to check if the object or variable is countable or not. While PHP 7.3 now has new is_countable() function that returns if the passed variable is well countable or not.

This RFC proposes a new type function that returns true if the given value is an array type or an instance of the Countable interface.

Before:

1 2 3 4 5 6 7 8 9

if (is_array($foo) || $foo instanceof Countable) {    // $foo is countable } After: if (is_countable($foo)) {    // $foo is countable }

array_key_first(), array_key_last()

Currently PHP allows you to retrieve array first and last key/value by changing the internal state of the array when using reset(), end() and key() methods. Now to avoid this disturbance in internal state, PHP 7.3 proposes new functions for this task and added to the core:

• $key = array_key_first($array); To gather first key of array
• $key = array_key_last($array); To gather last key of array
• $value = array_value_first($array); To gather first value of array
• $value = array_value_last($array); To gather last value of array

Lets see the example:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

// usage of an associative array $array = ['a' => 1, 'b' => 2, 'c' => 3]; $firstKey = array_key_first($array); $lastKey = array_key_last($array); assert($firstKey === 'a'); assert($lastKey === 'c'); // usage of a numeric array $array = [1 => 'a', 2 => 'b', 3 => 'c']; $firstKey = array_key_first($array); $lastKey = array_key_last($array); assert($firstKey === 1); assert($lastKey === 3);

Argon2 Password Hash Enhancements

In previous versions of PHP, we got Argon2 Password hashing which is a modern algorithm to secure passwords using hashes. It comes in three different types, Argon2i, Argon2d and Argon 2id. Argon2i is optimized for password hashing and password-based key derivation. Argon2d is faster and uses data-depending memory access. Argon2i instead uses data-independent memory access. Argon2id is a hybrid of Argon2i and Argon2d, using a combination of data-depending and data-independent memory accesses.

password_hash():

Argon2id is now the recommended Argon2 variant to use in paswword_* functions.

1 2	// Argon2id by name with custom cost factors behaves the same as PASSWORD_ARGON2I password_hash('password', PASSWORD_ARGON2ID, ['memory_cost' => 1<<17, 'time_cost' => 4, 'threads' => 2]);

password_verify();

The password_verify() function works with Argon2id in addition to Argon2i.

password_needs_rehash();

This function will also accept Argon2id hashes and if any cost factors change, this will return true.

1 2 3

$hash = password_hash('password', PASSWORD_ARGON2ID); password_needs_rehash($hash, PASSWORD_ARGON2ID); // false password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => 1<<17]); // true

Deprecate and Remove image2wbmp()

This function returns the WBMP or bitmap image format. Another function imagewbmp() is also available doing the same thing that is supposed to handle the necessary monochrome conversion. Hence, due to the duplication the image2wbmp() is now deprecated and you can now replace this function with imagewbmp().After the deprecation, each call to image2wbmp() would issue a deprecated warning. After the removal, each call to image2wbmp() would raise a fatal error.

Deprecate and Remove Case-Insensitive Constants

Right now you can use both case-sensitive and case-insensitive constants. But case-insensitive constants were creating bit complexities in usage. Therefore, to address this, PHP 7.3 proposes to deprecate case-insensitive constants.

Currently the situations is like:

• Class constants are always case-sensitive.
• Global constants declared with const are always case-sensitive. Note that this applies only to the short name of the constant, while namespaces in PHP are always case-insensitive.
• Constants declared with define() are case-sensitive by default.
• It is possible to declare case-insensitive constants by passing true as the third parameter of define().

Now the PHP 7.3 proposed deprecater to remove these items:

• In PHP 7.3: Deprecate calling define() with third parameter true.
• In PHP 7.3: Deprecate accessing a case-insensitive constant with a casing that differs from the declaration-site. The constants true, false and null are exempt from this.

Same Site Cookie

PHP 7.3 proposes to add the same site flag when issuing cookies. This RFC will affect four core functions.

1. setcookie
2. setrawcookie
3. session_set_cookie_params
4. session_get_cookie_params

The effect will take place in two possible ways. Either it will add new argument to the function or will allow an array of options for moving all cookie options in there.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

bool setcookie(    string $name    [, string $value = ""    [, int $expire = 0    [, string $path = ""    [, string $domain = ""    [, bool $secure = false    [, bool $httponly = false ]]]]]] ) bool setcookie (    string $name    [, string $value = ""    [, int $expire = 0    [, array $options ]]] ) // Both ways work.

Final Words

So above we have seen different updates, deprecations and new PHP 7.3 features included in the latest release. These will be available soon and will merge to the master branch. At this time you cannot use the files in live servers. You can also move to official RFC page for the detailed version of everything defined above. While if you still have any questions regarding this blog or new PHP 7.3 RFC, feel free to write your comments below in the comments section.