PHP 5.4 vs 5.3 differences : What to watch out for

Each major release of any framework can make someone begin to second-guess what is still 'current'. Hopefully this list of incompatible changes will help serve as a reference so that you do not have a site fail due to deprecated code.

Safe mode is no longer supported. Any applications that rely on safe mode may need adjustment, in terms of security.

Magic quotes has been removed, an overdue change. Applications relying on this feature may need to be updated, to avoid security issues. get_magic_quotes_gpc() and get_magic_quotes_runtime() now always return FALSE. set_magic_quotes_runtime() raises an E_CORE_ERROR level error.

The register_globals and register_long_arrays php.ini directives have been removed

Call-time pass by reference has been removed.

The break and continue statements no longer accept variable arguments (e.g., break 1 + foo() * $bar;). Static arguments still work, such as break 2;. As a side effect of this change break 0; and continue 0; are no longer allowed.

In the date and time extension the timezone can no longer be set using the TZ environment variable. Instead you have to specify a timezone using the date.timezone php.ini option or date_default_timezone_set() function. PHP will no longer attempt to guess the timezone, and will instead fall back to “UTC” and issue a E_WARNING.

Non-numeric string offsets e.g. $a['foo'] where $a is a string – now return false on isset() and true on empty(), and produce a E_WARNING if you try to use them. Offsets of types double, bool and null produce a E_NOTICE. Numeric strings (e.g. $a['2']) still work as before. Note that offsets like ’12.3′ and ’5 foobar’ are considered non-numeric and produce a E_WARNING, but are converted to 12 and 5 respectively, for backward compatibility reasons. Note: Following code returns different result.

$str=’abc’;var_dump(isset($str['x'])); // false for PHP 5.4 or later, but true for 5.3 or less. This one still has my head reeling… i’ve always used isset()/empty() as boolean – assuming the false is now returned and the true is assumed(?)… if you know ‘for sure’ – please post below.

Converting an array to a string will now generate an E_NOTICE level error, but the result of the cast will still be the string “Array”.

Turning NULL, FALSE, or an empty string into an object by adding a property will now emit an E_WARNING level error, instead of E_STRICT.

Parameter names that shadow super globals now cause a fatal error. This prohibits code like function foo($_GET, $_POST) {}.Honestly, in a way this could be saving us from ourselves… if you need to reference a super-global – it’s safer in the long run to filter/sanitize it before using it… no direct reference will probably save a lot of horror stories.

The Salsa10 and Salsa20 hash algorithms have been removed. As if I knew they were ever there? o.O

array_combine() now returns array() instead of FALSE when two empty arrays are provided as parameters.

If you use htmlentities() with asian character sets, it works like htmlspecialchars() – this has always been the case in previous versions of PHP, but now an E_STRICT level error is emitted.

The following keywords are now reserved and may not be used as names by functions, classes, etc.traitcallableinsteadofThe following functions have been removed from PHP:define_syslog_variables()import_request_variables()session_is_registered(), session_register() and session_unregister().The aliases mysqli_bind_param(), mysqli_bind_result(), mysqli_client_encoding(), mysqli_fetch(), mysqli_param_count(), mysqli_get_metadata(), mysqli_send_long_data(), mysqli::client_encoding() and mysqli_stmt::stmt(). If you were using any of these as keywords as var, function or class names, go stand in the corner for 30 minutes.

In case you were using the super global variables as viable variables don’t be hard on yourself – we’ve all done it. However, take advantage of the filter functions – it’s painless:

FILTER_SANITIZE_EMAIL “email” = Remove all characters except letters, digits and !#$%&’*+-/=?^_`{|}~@.[].
FILTER_SANITIZE_MAGIC_QUOTES “magic_quotes” = Apply addslashes().
FILTER_SANITIZE_NUMBER_INT “number_int” = Remove all characters except digits, plus and minus sign.
FILTER_SANITIZE_SPECIAL_CHARS “special_chars” = HTML-escape ‘”<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.

Using them is just as painless too:

instead of: $_POST['email']
filter_var($_POST['email'], FILTER_SANITIZE_EMAIL)

Just remember that failing the filter_var test is true/false... so plan accordingly.

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How to use the PHP mail function

You can use the PHP mail() function to send an email with PHP. The simplest way to do this is...

Parsing PHP code within HTML pages

The easiest way to parse or run PHP code within an HTML page is to simply change the extension...

Change/Select PHP version

If you require a different version of PHP than which we run by default you can select which...

Ruby on Rails

For information about Ruby on Rails, visit their website.