5.1.13. Version Security Changes¶

5.1.13.1. 8.0¶

String-to-number weakly typed comparison will first convert the number to a string, then compare the two strings
Throws exception instead of warning when internal parameter introspection error
assert is no longer supporte Code execution
remove create_function
remove the e-mode in mb_ereg_replace()
Meta information in Phar is no longer automatically deserialized
parse_str The second parameter must be passed in
remove string.strip_tags in php://filter

Calling a user-defined function with insufficient arguments throws an error exception instead of a warning
Destructors are no longer called on incomplete objects
call_user_func() no longer supports calling functions by reference
The e-mode modifier for mb_ereg_replace() and mb_eregi_replace() is deprecated
ext/mcrypt is deprecated

preg_replace “e” modifier produces E_WARNING error and fails
Remove all ext/mysql functions
Remove all ext/mssql functions
Remove call_user_method() and call_user_method_array()
foreach no longer changes the internal array pointer
Previously, an octal character that contained an invalid number would be silently truncated ( 0128 would be parsed as 012 ), now such an octal character will generate a parsing error
Hex strings are no longer considered numbers
dl() is no longer available in PHP-FPM, still available in CLI and embed SAPIs
Remove ASP and script PHP tags i.e. //<% %><%= %><script language=”php”> </script>
When the value overflows, the inner function will fail
$HTTP_RAW_POST_DATA removed

$HTTP_RAW_POST_DATA is deprecated
You must set CURLOPT_SAFE_UPLOAD to FALSE before you can use the @file syntax to upload files