Newsgroups: php.internals
From: mike@newclarity.net (Mike Schinkel)
Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.4
Date: Tue, 25 Jun 2024 14:06:17 -0400
To: "Gina P. Banyard"
Cc: PHP internals

> On Jun 25, 2024, at 10:36 AM, Gina P. Banyard <internals@gpb.moe> wrote:
>
> Hello internals,
>
> It is this time of year again where we proposed a list of deprecations to add in PHP 8.4:
>
> https://wiki.php.net/rfc/deprecations_php_8_4
>
> As a reminder, this list has been compiled over the course of the past year by various different people.
>
> And as usual, each deprecation will be voted in isolation.
>
> We still have a bit of time buffer, so if anyone else has any suggestions, they are free to add them to the RFC.
>
> Some should be non-controversial, others a bit more.

strtok()
=====
strtok() is found 35k times in GitHub:

https://github.com/search?q=md5%28+language%3APHP+&type=code

It is commonly used as a "left part of string up to a character" in addition to its intended use for tokenizing.

I would prefer it not be deprecated because of BC breakage, but IF it is deprecated I would suggest adding a one-for-one replacement function for the "left part of string up to a character" use-case; maybe `str_left("abc.txt",".")` returning `"abc"`.

md5()/md5_file()
=============
Just FYI, md5() is found 868k times and md5_file() 29.7k times in GitHub:

https://github.com/search?q=md5%28+language%3APHP+&type=code
https://github.com/search?q=md5_file%28+language%3APHP+&type=code

That is a lot of broken code.

However, if deprecated I would suggest adding `insecure_md5()` and `insecure_md5_file()` as a drop-in replacement which would be more obvious and easier than using hash() — so people would be more apt to use it — and that would signal they are obviously using an insecure function, which increases the likelihood of developers going to the effort to actually fix the security issues in their code and/or not use md5 for security-sensitive code to begin with.

sha1()/sha1_file()
=============
sha1() is found 167k times and sha1_file() 6.8k times in GitHub:

https://github.com/search?q=sha1%28+language%3APHP+&type=code
https://github.com/search?q=sha1_file%28+language%3APHP+&type=code

Same arguments for md5()/md5_file(), e.g. if deprecated add `insecure_sha1()` and `insecure_sha1_file()`.

#jmtcw

-Mike
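
An added example, not part of the original message and not code from PHP or the RFC: a userland sketch of the helpers the message proposes, checked against `strtok()` on constructed inputs. The names `str_left()`, `insecure_md5()` and `insecure_md5_file()` come from the message and are hypothetical; none of them exists in PHP.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (name taken from the message; not a PHP built-in).
// Returns what a first strtok($s, $chars) call returns, without using
// strtok()'s hidden tokenizer state. $chars is a set of delimiter bytes.
function str_left(string $s, string $chars): string|false
{
    $rest = substr($s, strspn($s, $chars));   // strtok() skips leading delimiters
    if ($rest === '') {
        return false;                         // nothing left: strtok() returns false
    }
    return substr($rest, 0, strcspn($rest, $chars));
}

// Hypothetical wrappers (names from the message): same digest as md5() and
// md5_file(), but every call site is labelled as a weak hash and is easy to grep.
function insecure_md5(string $data, bool $binary = false): string
{
    return hash('md5', $data, $binary);
}

function insecure_md5_file(string $path, bool $binary = false): string|false
{
    return hash_file('md5', $path, $binary);
}

// Constructed inputs covering the cases where the usual rewrites disagree.
foreach (['abc.txt', 'abc', '.hidden.txt', '...', ''] as $input) {
    $expected = strtok($input, '.');          // current behaviour being replaced
    if (str_left($input, '.') !== $expected) {
        throw new LogicException("str_left() differs from strtok() for '$input'");
    }
    printf(
        "%-13s strtok/str_left=%-8s strstr(..., true)=%s\n",
        var_export($input, true),
        var_export($expected, true),
        var_export(strstr($input, '.', true), true)
    );
}

// RFC 1321 test vector for "abc".
if (insecure_md5('abc') !== '900150983cd24fb0d6963f7d28e17f72') {
    throw new LogicException('insecure_md5() does not match MD5');
}
```

The printed third column shows why `strstr($s, '.', true)` is not a drop-in for the `strtok()` idiom: it returns `false` when no delimiter is present and an empty string when the input starts with one.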