Trying to use values of type null, bool,
int, float or resource as an
array (such as
$null["key"]) will now generate a notice.
The get_declared_classes() function no longer returns anonymous classes that have not been instantiated yet.
fn is now a reserved keyword. In particular,
it can no longer be used as a function or class name.
It can still be used as a method or class constant name.
<?phptag at end of file
<?php at the end of the file (without trailing newline)
will now be interpreted as an opening PHP tag. Previously it was interpreted
either as a short opening tag followed by literal
resulted in a syntax error (with
or was interpreted as a literal
When using include/require on a stream,
will be invoked with the
Custom stream wrapper implementations may need to implement the
streamWrapper::stream_set_option() method to
avoid a warning (always returning
false is a sufficient implementation).
o serialization format has been removed.
As it is never produced by PHP, this may only break unserialization of
manually crafted strings.
Password hashing algorithm identifiers are now nullable strings rather than integers.
PASSWORD_DEFAULTwas int 1; now is
PASSWORD_BCRYPTwas int 1; now is string '2y'
PASSWORD_ARGON2Iwas int 2; now is string 'argon2i'
PASSWORD_ARGON2IDwas int 3; now is string 'argon2id'
Applications correctly using the constants PASSWORD_DEFAULT, PASSWORD_BCRYPT, PASSWORD_ARGON2I, and PASSWORD_ARGON2ID will continue to function correctly.
htmlentities() will now raise a notice (instead of a strict standards warning) if it is used with an encoding for which only basic entity substitution is supported, in which case it is equivalent to htmlspecialchars().
These functions now also raise a notice on failure, such as when trying to write to a read-only file resource.
BCMath functions will now warn if a non well-formed number is passed, such
"32foo". The argument will be interpreted as zero, as before.
Attempting to serialize a CURLFile class will now generate an exception. Previously the exception was only thrown on unserialization.
CURLPIPE_HTTP1 is deprecated, and is no longer
supported as of cURL 7.62.0.
$version parameter of curl_version()
is deprecated. If any value not equal to the default
is passed, a warning is raised and the parameter is ignored.
The embedded server functionality has been removed. It was broken since at least PHP 7.0.
mysqli::$stat property has been removed
in favor of mysqli::stat().
The openssl_random_pseudo_bytes() function will now
throw an exception in error situations, similar to random_bytes().
In particular, an Error is thrown if the number of
requested bytes is less than or equal to zero, and an Exception
is thrown if sufficient randomness cannot be gathered.
$crypto_strong output argument is guaranteed to always
true if the function does not throw, so explicitly checking it is not necessary.
PREG_UNMATCHED_AS_NULL mode is used, trailing
unmatched capturing groups will now also be set to
[null, -1] if offset capture is enabled).
This means that the size of the
$matches will always be the same.
Reflection objects will now generate an exception if an attempt is made to serialize them. Serialization for reflection objects was never supported and resulted in corrupted reflection objects. It has been explicitly prohibited now.
Calling get_object_vars() on an ArrayObject
instance will now always return the properties of the ArrayObject
itself (or a subclass). Previously it returned the values of the wrapped
array/object unless the
flag was specified.
Other affected operations are:
(array) casts are not affected. They will continue to
return either the wrapped array, or the ArrayObject
properties, depending on whether the
flag is used.
SplPriorityQueue::setExtractFlags() will throw an exception if zero is passed. Previously this would generate a recoverable fatal error on the next extraction operation.
SplDoublyLinkedList and SplObjectStorage
now support the
mechanism in addition to the Serializable interface.
This means that serialization payloads created on older PHP versions can still be
unserialized, but new payloads created by PHP 7.4 will not be understood by older versions.
token_get_all() will now emit a
T_BAD_CHARACTER token for unexpected
characters instead of leaving behind holes in the token stream.