5.1.13. Version Security Changes
5.1.13.1. 8.0
When a string is loosely compared with a number, the number is first converted to a string and the two strings are then compared
An exception is thrown instead of a warning on an internal parameter introspection error
assert no longer supports code execution
create_function is removed
The e-mode in mb_ereg_replace() is removed
Meta information in Phar is no longer automatically deserialized
The second parameter of parse_str must be passed
string.strip_tags in php://filter is removed
5.1.13.2. 7.2
Unquoted strings produce E_WARNING
create_function is deprecated
String expressions can no longer be passed to assert
Using parse_str() without the second argument produces an E_DEPRECATED warning
__autoload() is deprecated
5.1.13.3. 7.1
Calling a user-defined function with insufficient arguments throws an error exception instead of a warning
Destructors are no longer called on incomplete objects
call_user_func() no longer supports calling functions by reference
The e-mode modifier for mb_ereg_replace() and mb_eregi_replace() is deprecated
ext/mcrypt is deprecated
5.1.13.4. 7.0
preg_replace “e” modifier produces E_WARNING error and fails
All ext/mysql functions are removed
All ext/mssql functions are removed
call_user_method() and call_user_method_array() are removed
foreach no longer changes the internal array pointer
Previously, an octal literal that contained an invalid digit was silently truncated (0128 was parsed as 012); such a literal now generates a parse error
Hex strings are no longer considered numbers
dl() is no longer available in PHP-FPM, still available in CLI and embed SAPIs
ASP-style and script PHP tags are removed, i.e. <% %>, <%= %> and <script language="php"> </script>
Internal functions now fail when a numeric value overflows
$HTTP_RAW_POST_DATA removed
5.1.13.5. 5.6
$HTTP_RAW_POST_DATA is deprecated
You must set CURLOPT_SAFE_UPLOAD to FALSE before you can use the @file syntax to upload files
5.1.13.6. 5.5
preg_replace “e” modifier produces E_DEPRECATED error
The mysql_* series of functions is deprecated
5.1.13.7. 5.4
Safe Mode is no longer supported
Magic quotes are removed
Converting an array to a string will generate an E_NOTICE level error
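
An added example, not part of the original page: a heuristic Python scanner that flags several of the constructs listed above in legacy PHP source, so a code base can be audited before a version upgrade. The rule names, regular expressions and the sample PHP are constructed for this illustration; the status strings restate the version notes above.

```python
import re

# (regex, construct, status as listed on this page). The regexes are line-based
# heuristics written for this example, not a PHP parser: expect misses on
# multi-line calls and nested parentheses.
RULES = [
    (r"\bcreate_function\s*\(", "create_function()", "deprecated 7.2, removed 8.0"),
    (r"\bassert\s*\(\s*['\"]", "assert() with a string expression",
     "no string expressions 7.2, no code execution 8.0"),
    (r"\bparse_str\s*\(\s*[^,()]*\)", "parse_str() without second argument",
     "E_DEPRECATED 7.2, required 8.0"),
    # Quoted pattern whose closing delimiter is followed by modifiers containing "e".
    (r"\bpreg_replace\s*\(\s*(['\"])([^\w\s])(?:(?!\1).)*?\2[A-Za-z]*e[A-Za-z]*\1",
     "preg_replace() with the e modifier", "E_DEPRECATED 5.5, fails 7.0"),
    (r"\bmysql_\w+\s*\(", "ext/mysql function", "deprecated 5.5, removed 7.0"),
    (r"\bmssql_\w+\s*\(", "ext/mssql function", "removed 7.0"),
    (r"\bmcrypt_\w+\s*\(", "ext/mcrypt function", "deprecated 7.1"),
    (r"\bcall_user_method(_array)?\s*\(", "call_user_method*()", "removed 7.0"),
    (r"\$HTTP_RAW_POST_DATA\b", "$HTTP_RAW_POST_DATA", "deprecated 5.6, removed 7.0"),
    (r"\b__autoload\s*\(", "__autoload()", "deprecated 7.2"),
    (r"string\.strip_tags", "string.strip_tags filter", "removed 8.0"),
]
COMPILED = [(re.compile(rx), name, status) for rx, name, status in RULES]

def audit(source):
    """Return (line_no, construct, status) for every rule hit in PHP source text."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for pattern, construct, status in COMPILED:
            if pattern.search(line):
                findings.append((no, construct, status))
    return findings

# Constructed sample input; lines 3, 6 and 7 are the forms that should NOT be flagged.
SAMPLE = r'''<?php
parse_str($_SERVER['QUERY_STRING']);
parse_str($qs, $params);
$f = create_function('$a', 'return $a;');
echo preg_replace('/(\w+)/e', 'strtoupper("\\1")', $s);
echo preg_replace('/a/i', 'b/e', $s);
$r = mysqli_query($db, $sql);
$r = mysql_query($sql);
$body = $HTTP_RAW_POST_DATA;
'''

if __name__ == "__main__":
    for no, construct, status in audit(SAMPLE):
        print(f"line {no}: {construct} ({status})")
```
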