
Welcome to the world, PHP 7.2!

Larry Garfield

Today the PHP development team released the latest version of the web's favorite language, PHP 7.2.0. Huge thanks and congratulations to everyone that worked on it, especially release managers Sara Golemon and Remi Collet.

You can already try it out on Platform.sh, of course...

Better performance

Unlike PHP 7.0 and 7.1, 7.2 focused mainly on internal improvements rather than user-facing language features. Most notably, many of the changes to the engine and syntax that have been made in recent versions allowed the PHP team to optimize the engine even further. It's not as big of a performance boost as PHP 7.0 was, but 7.2 should still be measurably faster than PHP 7.1. In fact, a few optimizations only work if you're using scalar types for parameters, as that allows the engine to make some type-specific optimizations. Typing is good for you.

Securing PHP

The other major improvements involve security. For those using password_hash() to manage passwords (which is everyone, or really should be), a new, more-secure hash algorithm has been made available: Argon2. The existing BCrypt algorithm is still available, and is still the default, but for those who want to be forward-looking, PASSWORD_ARGON2I is now an option as well. For example:

echo password_hash("secret_password", PASSWORD_ARGON2I);
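Because BCrypt stays the default and existing hashes stay valid, moving to Argon2i is usually done at login time, when the plaintext is briefly available. The following is an added example, not code from the original post; verifyAndUpgrade(), the $db array, the $save callback and the cost values are hypothetical names and constructed sample values.

```php
<?php
// Added example: migrate stored bcrypt hashes to Argon2i on successful login.

// PASSWORD_ARGON2I is only defined when PHP 7.2+ was built with Argon2 support,
// so fall back to bcrypt rather than failing on builds without it.
$algo = defined('PASSWORD_ARGON2I') ? PASSWORD_ARGON2I : PASSWORD_BCRYPT;

// Constructed sample costs (memory_cost is in KiB); tune them for your hardware.
$options = $algo === PASSWORD_BCRYPT
    ? ['cost' => 12]
    : ['memory_cost' => 1 << 16, 'time_cost' => 4, 'threads' => 1];

// $algo is left untyped: the PASSWORD_* constants are ints in 7.2 and strings in 7.4+.
function verifyAndUpgrade(string $password, string $storedHash, $algo, array $options, callable $persist): bool
{
    // password_verify() reads the algorithm and parameters from the hash itself,
    // so legacy bcrypt hashes keep working after the switch.
    if (!password_verify($password, $storedHash)) {
        return false;
    }

    // Rehash only after a successful verify, and only if the stored hash
    // uses a different algorithm or weaker parameters than the current policy.
    if (password_needs_rehash($storedHash, $algo, $options)) {
        $newHash = password_hash($password, $algo, $options);
        if (is_string($newHash)) {
            $persist($newHash);
        }
    }
    return true;
}

// Constructed sample: one legacy account whose password was hashed with bcrypt.
$db = ['hash' => password_hash('secret_password', PASSWORD_BCRYPT)];
$save = function (string $hash) use (&$db) {
    $db['hash'] = $hash;
};

var_dump(verifyAndUpgrade('wrong_password', $db['hash'], $algo, $options, $save));
echo password_get_info($db['hash'])['algoName'], PHP_EOL; // still the legacy hash

var_dump(verifyAndUpgrade('secret_password', $db['hash'], $algo, $options, $save));
echo password_get_info($db['hash'])['algoName'], PHP_EOL; // hash after upgrade
```

Argon2i hashes are longer than BCrypt's 60 characters, so the column that stores them needs room; the PHP manual recommends 255 characters for password_hash() output.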

More significantly, the security library libsodium has now been bundled with PHP, replacing the long-derided mcrypt. Sodium is a library for writing encryption workflows more complex than simple password hashing without having to "roll your own" encryption API, a process that is extremely easy to get wrong. The libsodium API provides "secure by default" API calls for signing and validating encrypted messages. For example:

$alice_kp = sodium_crypto_sign_keypair();
$alice_sk = sodium_crypto_sign_secretkey($alice_kp);
$alice_pk = sodium_crypto_sign_publickey($alice_kp);

$message = 'This is a test message.';
$signature = sodium_crypto_sign_detached($message, $alice_sk);
if (sodium_crypto_sign_verify_detached($signature, $message, $alice_pk)) {
    echo 'OK', PHP_EOL;
} else {
    throw new Exception('Invalid signature');
}

If you need to use an older version of PHP but still want to use libsodium, there's a polyfill library available (which provided the example above, as well).

A grab-bag of syntax

For the syntax fans there's still a bit of new syntax available. Most notably, there's a new object type hint that will match any object of any class but disallow primitives or arrays. Like any other type hint it works on both parameters and return values.

It's also now possible to "widen" a parameter type. In previous versions, if an interface or parent class specified a type for a parameter or return value then all subclasses were required to have the exact same type hint. As of PHP 7.2, it's possible to omit the type for a parameter in a child class, allowing more variable types to pass. That still respects the Liskov Substitution Principle so it's safe to do and offers more flexibility, especially for legacy code that is untyped. It's also possible to "narrow" a return type by adding a return type in a subclass when the parent had none. Ironically that makes PHP 7.2 more backward compatible with PHP 5.x code than previous versions of PHP 7!

There's a handful of other improvements, too. The PHP 7.2 Upgrading guide has a complete list.

Give it a try

Sound interesting? It's of course available on Platform.sh already, and trivially easy to experiment with. In your .platform.app.yaml file, simply change the "0" or "1" on your type line to a "2":

type: "php:7.2"

Commit and push. It really is that easy!

And of course you probably should try it in a branch before deploying to production. That's easy, too.

Congratulations, ElePHPants!