Re: [RFC] Deprecations for PHP 8.4

From: Date: Tue, 25 Jun 2024 18:06:17 +0000
Subject: Re: [RFC] Deprecations for PHP 8.4
References: 1  Groups: php.internals 
 
> On Jun 25, 2024, at 10:36 AM, Gina P. Banyard <[email protected]> wrote:
> 
> Hello internals,
> 
> It is this time of year again where we propose a list of deprecations to add in PHP 8.4:
> 
> https://wiki.php.net/rfc/deprecations_php_8_4
> 
> As a reminder, this list has been compiled over the course of the past year by various
> different people.
> 
> And as usual, each deprecation will be voted in isolation.
> 
> We still have a bit of time buffer, so if anyone else has any suggestions, they are free to add
> them to the RFC.
> 
> Some should be non-controversial, others a bit more.

strtok()
=====
strtok() is found 35k times in GitHub:

https://github.com/search?q=md5%28+language%3APHP+&type=code

It is commonly used as a "left part of string up to a character" in addition to its
intended use for tokenizing.

I would prefer it not be deprecated because of BC breakage, but IF it is deprecated I would suggest adding
a one-for-one replacement function for the "left part of string up to a character"
use-case; maybe str_left("abc.txt",".") returning "abc".


md5()/md5_file()
=============
Just FYI, md5() is found 868k times and md5_file() 29.7k times in GitHub:

https://github.com/search?q=md5%28+language%3APHP+&type=code
https://github.com/search?q=md5_file%28+language%3APHP+&type=code

That is a lot of broken code.

However, if deprecated I would suggest adding insecure_md5() and
insecure_md5_file() as drop-in replacements which would be more obvious and easier
than using hash() — so people would be more apt to use them — and that would signal they are
obviously using an insecure function, which increases the likelihood that developers go to the effort
to actually fix the security issues in their code and/or not use md5 for security sensitive code to
begin with.

sha1()/sha1_file()
=============
sha1() is found 167k times and sha1_file() 6.8k times in GitHub:

https://github.com/search?q=sha1%28+language%3APHP+&type=code