PHP 7.2.0 Release

php logo

PHP 7.2.0 is here from 30 November 2017. This release is the second feature update in the PHP 7 series, which comes with improvements and new features. For source downloads visit the downloads page of or get the binaries for Windows. The full list changes can be found in the ChangeLog. There are big changes in security so let’s see the major changes:

Convert numeric keys in object/array casts

The first change affects the two core data types which are collections of key/value pairs. Various edge cases in the Zend Engine exist where array HashTables can contain numeric string keys, and object HashTables can contain integer keys.

In such cases, these keys are inaccessible from PHP code, because the code handling arrays will never look for numeric string keys in the HashTable (as arrays map those to integer keys), and the code handling objects will never look for integer keys in the HashTable (as objects map those to string keys).

This RFC proposes to fix this issue for object-to-array casts and array-to-object casts, both for the casting operators and for settype(), and also fix the same issue in get_object_vars(). This would be done by converting the keys of array or object HashTables as appropriate, so numeric string property names in objects would be converted to integer array keys, and vice-versa.

Counting of non-countable objects

The second change proposes adding a warning when calling count() with a parameter that is a scalar, null, or an object that doesn’t implement Countable. The return values remain for the function, so backward compatibility is maintained.

Note that the sizeof alias is also affected.

Object typehint

With the release of PHP 7 scalar types was introduced for parameters and also for declaring return types for functions. In the new release they propose that object should be used as a parameter type and as a return type.

Any object would pass the type check. Passing a value that is not an object to a parameter that is declared as type object would fail the type check, and a TypeError would be thrown.

Migration Hash Context from Resource to Object

For wrapping internal data, objects have been the preferred structure for a long time. Some clod however created the hash extensions to use resources.  In the fourth change seeks to rectify that error by migrating the Hash extension to use an object implementation for hash contexts instead of a resource. They propose to convert the opaque resource to an opaque object. This ensures the continuous operation of current code unless it has explicit is_resource() checks.

Argon2 Password Hash

The fifth change proposes an alternative use to Bcrypt within the password_* functions: Argon2i. Argon2 is the recommended password hashing algorithm by the Password Hashing Competition. It addresses several existing downsides of previous algorithms, it is designed for the highest memory filling rate ad effective use of multiple computing units while still providing defense against tradeoff attacks. From the two variants Argon2i is optimized for password hashing and password based key derivation, and Argon2d is faster and uses data-dependent memory access.

Improved SSL/TLS constants

The sixth change proposes to change the avoided 5.6 RFC (due to BC reasons) in changing PHP’s TLS constants to sane values. This time they favor better security over backward compatibility with version intolerant and out of date servers. Exact proposal:

  • Make tls:// default to TLSv1.0 + TLSv1.1 + TLSv1.2
  • Make ssl:// an alias of tls://
  • Make STREAM_CRYPTO_METHOD_TLS_* constants default to TLSv1.0 + TLSv1.1 + TLSv1.2 instead of TLSv1.0 only

Deprecate ( then Remove ) Mcrypt

In the seventh change they want to get rid of the Mcrypt extension as it is abandonware and inhibits the growth of the language. Now it will not be a part of the core, but those who really want to install it can do so if they install PHP extensions from PECL.

Libsodium is a modern cryptography library that offers authenticated encryption, high-speed elliptic curve cryptography, and much more. Unlike other cryptography standards (which are a potluck of cryptography primitives; i.e. WebCrypto), libsodium is comprised of carefully selected algorithms implemented by security experts to avoid side-channel vulnerabilities.

Make Libsodium a core extension

The last major change addresses the current state of cryptography in PHP. So far Libmcrypt was not touched since 2007, leaving openssl as the only viable option for PHP 5 and 7.0 users. As libsodium have been available in PECL, it has reached stability and makes it into a core extension.

For more details visit


Leave a Comment

Your email address will not be published.

You may also like