5.1.13. Version Security Changes

5.1.13.1. 8.0

  • Weakly typed comparison between a string and a number first converts the number to a string, then compares the two strings

  • An exception is thrown instead of a warning when an internal parameter introspection error occurs

  • assert no longer supports code execution

  • create_function is removed

  • The e-mode in mb_ereg_replace() is removed

  • Meta information in Phar is no longer automatically deserialized

  • The second parameter of parse_str must be passed in

  • string.strip_tags is removed from php://filter

5.1.13.2. 7.2

  • Unquoted strings produce E_WARNING

  • create_function is deprecated

  • String expressions can no longer be passed to assert

  • Using parse_str() without the second argument produces an E_DEPRECATED warning

  • __autoload() is deprecated

5.1.13.3. 7.1

  • Calling a user-defined function with insufficient arguments throws an error exception instead of a warning

  • Destructors are no longer called on incomplete objects

  • call_user_func() no longer supports calling functions by reference

  • The e-mode modifier for mb_ereg_replace() and mb_eregi_replace() is deprecated

  • ext/mcrypt is deprecated

5.1.13.4. 7.0

  • preg_replace “e” modifier produces E_WARNING error and fails

  • Remove all ext/mysql functions

  • Remove all ext/mssql functions

  • Remove call_user_method() and call_user_method_array()

  • foreach no longer changes the internal array pointer

  • Previously, an octal literal that contained an invalid digit was silently truncated (0128 would be parsed as 012); now such a literal generates a parse error

  • Hex strings are no longer considered numbers

  • dl() is no longer available in PHP-FPM, still available in CLI and embed SAPIs

  • Remove ASP and script PHP tags, i.e. <% %>, <%= %> and <script language="php"> </script>

  • Internal functions fail when a value overflows

  • $HTTP_RAW_POST_DATA is removed

5.1.13.5. 5.6

  • $HTTP_RAW_POST_DATA is deprecated

  • You must set CURLOPT_SAFE_UPLOAD to FALSE before you can use the @file syntax to upload files

5.1.13.6. 5.5

  • preg_replace “e” modifier produces E_DEPRECATED error

  • The mysql_* series of functions is deprecated

5.1.13.7. 5.4

  • Safe Mode is no longer supported

  • Magic quotes are removed

  • Converting an array to a string will generate an E_NOTICE level error
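
The list above can drive a pre-upgrade review of a code base. The following is an added example, not part of the original page: a PHP script (PHP 7.1 or later with the tokenizer extension) that reports where the listed functions and $HTTP_RAW_POST_DATA appear. The names FLAGGED and audit_source and the sample input are constructed for illustration; the notes in the table repeat the entries above.

```php
<?php // Added example: names, versions and notes repeat the list above.
const FLAGGED = [
    'create_function'        => 'deprecated in 7.2, removed in 8.0',
    'assert'                 => 'no string expressions since 7.2, no code execution in 8.0',
    'parse_str'              => 'second parameter: E_DEPRECATED without it in 7.2, required in 8.0',
    'mb_ereg_replace'        => 'e-mode deprecated in 7.1, removed in 8.0',
    'mb_eregi_replace'       => 'e-mode deprecated in 7.1',
    'call_user_method'       => 'removed in 7.0',
    'call_user_method_array' => 'removed in 7.0',
    'dl'                     => 'no longer available in PHP-FPM since 7.0',
    '__autoload'             => 'deprecated in 7.2',
    'mysql_'                 => 'ext/mysql deprecated in 5.5, removed in 7.0',
    'mssql_'                 => 'ext/mssql removed in 7.0',
    'mcrypt_'                => 'ext/mcrypt deprecated in 7.1',
    '$HTTP_RAW_POST_DATA'    => 'deprecated in 5.6, removed in 7.0',
];
// Returns a list of [line, name, note] for every flagged construct in $code.
function audit_source(string $code): array
{
    // Drop whitespace and comments so that neighbouring tokens are significant.
    $tokens = array_values(array_filter(token_get_all($code), function ($t) {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    $findings = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) { continue; }
        [$id, $text, $line] = $tok;
        $prev = $tokens[$i - 1] ?? null;
        $isMethod = is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON], true);
        // PHP 8 lexes \name as a single T_NAME_FULLY_QUALIFIED token.
        $isCall = in_array(token_name($id), ['T_STRING', 'T_NAME_FULLY_QUALIFIED'], true)
            && !$isMethod && ($tokens[$i + 1] ?? null) === '(';
        $name = $id === T_VARIABLE ? $text : strtolower(ltrim($text, '\\'));
        $key = preg_match('/^(mysql_|mssql_|mcrypt_)/', $name, $m) ? $m[1] : $name;
        $note = ($id === T_VARIABLE || $isCall) ? (FLAGGED[$key] ?? null) : null;
        if ($note !== null) { $findings[] = [$line, $name, $note]; }
    }
    return $findings;
}
// Constructed sample input, not taken from any real project.
$sample = <<<'PHP'
<?php
$f = create_function('$a', 'return $a;');
parse_str($_SERVER['QUERY_STRING']);
$raw = $HTTP_RAW_POST_DATA;
$r = $db->mysql_query('x') ?: mysql_query($sql);
PHP;
foreach (audit_source($sample) as [$line, $name, $note]) {
    printf("line %d: %s (%s)\n", $line, $name, $note);
}
```

Findings are review pointers rather than verdicts: parse_str, for instance, is reported on every call, so each hit still needs a check for whether the second argument is present.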