What is new in PHP 7.2?
On 30 November 2017, the PHP community announced the release of PHP 7.2. More specifically, this is the second feature update to the PHP 7 series.
Building on the achievements of PHP 7
PHP 7 was released at the end of 2015 and marked a new era for the programming language and the associated community, which have gone through some major changes over the last few years.
PHP is a very accessible language, which is sometimes discredited by language purists in the development world. The reality, however, is that more than 83% of all websites on the Internet are written in PHP. And popular frameworks such as WordPress, Drupal and Magento only contribute to the success of the PHP ecosystem.
Major investments have been made to significantly improve the performance of PHP 7. Great efforts have also been made for a better type hinting, and many old extensions are no longer supported.
The release timeline shows that feature updates are released on a yearly basis. So, this year, after the release of PHP 7.1 in 2016, we got PHP 7.2 as an early Christmas gift.
PHP 7.2 is essentially a security feature release
Except for some minor improvements to the language itself, one observes that most new features are security related.
- Announcement of the new Argon2 Password Hashing algorithm in the PHP core
- Removal of the mcrypt extension from the PHP core
- Implementation of the Sodium extension in the PHP core
- Improvement of the minimum TLS version constants
Argon2 Password Hashing
Argon2 came first in the Password Hashing Competition and is considered more secure than bcrypt thanks to the fact that, in addition to a “time cost”, there is also a “memory cost”.
This means that the algorithm will make it harder for hackers to crack passwords using brute force attacks. The “time cost” is usually avoided by unleashing powerful GPU-based computing power on the password.
The extra “memory cost” ensures that these machines suddenly require a proportional amount of RAM to be able to guess the password with a brute force attack.
Another benefit of Argon2 is that it also allows you to define the number of parallel threads used to calculate the complexity of the password hashing algorithm.
Mcrypt is gone
Mcrypt is a popular PHP cryptography extension. Unfortunately, the mcrypt library on which this extension depends has not been updated since 2007.
The library has several bugs and patches that have not been fixed for quite a long time. In PHP 7.1, this extension was already deprecated. In 7.2, mcrypt was removed from the PHP core and moved to the Pecl repository.
Instead of Mcrypt, developers can now use OpenSSL and the new Sodium extension.
Sodium as a competitor to OpenSSL
OpenSSL is the most popular cryptography library, but it has both pros and cons. In the spirit of healthy competition, PHP 7.2 provides an alternative cryptography library: Sodium.
A libsodium implementation has long been available in PHP, via Pecl. Promoting this extension required a namespace change to conform to the PHP coding standards: in PECL, the “\Sodium” namespace was used to call associated features.
In PHP 7.2, these features will be included in the root namespace and re-prefixed “sodium”.
The improvement of TLS version constants
Until recently, “ssl” was the standard stream wrapper when an encrypted connection was established from PHP. The developers of PHP 7.2 decided to make “tls” default and “ssl” an alias.
They also decided to be more rigorous about supported TLS versions. Clients with only TLS 1.0 enabled will no longer be supported.
In the past, an attempt had already been made for this, but back then, the decision was postponed to maintain compatibility with PHP 5.6. The fact that PHP 7.2 is part of a new “major release” allows for such a “backwards compatibility break”.
The language-related features are not particularly remarkable and are mainly corrections of previous errors:
- Correct conversion of numeric keys when casting objects to arrays and vice-versa
- Returning correct results when calling a non-countable object via “count”
The only noteworthy language feature in PHP 7.2 is the availability of the “object typehint”, which allows to accept and return generic objects in functions and methods. This way, it is no longer necessary to use specific class names.
From now on, PHP 7.2 is also available on Combell’s shared hosting platform
PHP 7.2 was released on 30 November 2017. On the very same day, we announced that this version was also supported on our shared hosting platform.
As of now, you can thus use all the new features. With new web hosting packages, you can immediately pick this version. And with existing packages, you can switch versions on the fly in My Combell.
This new release also includes many bug fixes and internal improvements.