PHP 7 Released!

Published by John on December 2, 2015 Under PHP

After a long wait, the much-anticipated PHP 7.0 has been released! The new version brings a bunch of cool features, along with better performance. You can read about some of the neat ones here.

This is a pretty big release, as PHP 6 got scrapped, and many of the current 5.X versions are no longer officially supported. Of course, it may be a while before distributions include the new version, as Red Hat Enterprise Linux and other distros are much slower to adopt new versions, so it isn’t uncommon to find servers still running PHP 5.3. If you have the opportunity though, PHP 7 is looking pretty neat, so (after testing, of course) consider upgrading!

I recently wrote about improved support for asymmetric encryption in PHP 7, but there are a bunch of other features that I am excited about. For example, the new null coalescing operator (??) is really cool. It works like so:


//Old Code
$var = (isset($_GET['var']) ? $_GET['var'] : null);

//New Code
$var = $_GET['var'] ?? null;

Totally saves a ton of typing and is much clearer. Another really cool one is being able to use define to declare constants of type array. Before, you had to use the const declaration, but you can now do it with define like so:


//Old Code
const ANIMALS = array('this', 'is', 'not_as_cool');

//New Code
define('const_array', array(
    'this',
    'is',
    'cool'
));

Another very important one is improved security for the unserialize function. Prior to PHP 7, using unserialize, especially with user input, was not very safe due to the risk of object injection, so using json_encode and json_decode was the recommended way of serializing data. With PHP 7, however, you can now whitelist which classes can be unserialized. Of course, the default behaviour is still unsafe, so you would still want to review and update your code if you are using unserialize. See below:


// This is the default, which works like before: ALL classes can be unserialized.
$result = unserialize($unsafe_data, ["allowed_classes" => true]);

// A safer alternative: specify that NO classes may be unserialized; any objects are converted to __PHP_Incomplete_Class instances.
$result = unserialize($unsafe_data, ["allowed_classes" => false]);

// Whitelist the 'allowed_class' class so that only it can be unserialized.
$result = unserialize($unsafe_data, ["allowed_classes" => ["allowed_class"]]);
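
To see what the allowed_classes option changes in practice, here is an added example (not code from the original post) that runs the same serialized input through the default call, the allowed_classes => false call, and a whitelist combined with a type check. The TempFile and Preferences classes, the load_preferences helper and the serialized string are all made up for the demonstration.

```php
<?php
// Constructed stand-in for any class whose magic method has a side effect.
class TempFile
{
    public $path = '';
    public static $wakeups = 0;

    public function __wakeup()
    {
        // Runs automatically when unserialize() instantiates this class.
        self::$wakeups++;
    }
}

// The only class the application expects in this input (hypothetical).
class Preferences
{
    public $theme = 'light';
}

// Whitelist the expected class and verify the top-level type of the result.
function load_preferences(string $data): Preferences
{
    $value = unserialize($data, ['allowed_classes' => [Preferences::class]]);
    if (!$value instanceof Preferences) {
        throw new UnexpectedValueException('not a Preferences object');
    }
    return $value;
}

// Constructed sample inputs.
$expected   = serialize(new Preferences());
$unexpected = 'O:8:"TempFile":1:{s:4:"path";s:11:"/tmp/sample";}';

// Default options: TempFile is instantiated and __wakeup() fires.
unserialize($unexpected);
printf("wakeups after default call: %d\n", TempFile::$wakeups);

// allowed_classes => false: placeholder object, no magic methods run.
$inert = unserialize($unexpected, ['allowed_classes' => false]);
printf("class: %s, wakeups: %d\n", get_class($inert), TempFile::$wakeups);

// Whitelist plus type check: expected input loads, anything else is rejected.
printf("theme: %s\n", load_preferences($expected)->theme);
try {
    load_preferences($unexpected);
} catch (UnexpectedValueException $e) {
    printf("rejected: %s\n", $e->getMessage());
}
```

The type check matters because a non-whitelisted object does not cause unserialize to fail; it is returned as a __PHP_Incomplete_Class placeholder that the calling code still has to refuse.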

As you can see, there are a bunch of neat new features, so I am really excited about this release :D

