The PHP development team announces the immediate availability of PHP 7.2.0. This release marks the second feature update to the PHP 7 series.

What's new in PHP 7.2?

Let's discuss it…

PHP RFC: Convert numeric keys in object/array casts

The PHP language has two core data types which are collections of key/value pairs.

The first of these, the array, is an ordered map of integer or string keys to arbitrary values. There is no overlap between integer and string keys in arrays; if a string fits the format /^(0|(-?[1-9][0-9]*))$/ and is sufficiently small (PHP_INT_MIN ≤ n ≤ PHP_INT_MAX), it is converted to an integer key. Such strings are termed numeric strings.

The second of these, the object, is an ordered map of string property names to arbitrary values. Integer property names are not permitted; they are converted to string property names instead. Objects have some other attributes, but they don't concern us here.

In the Zend Engine, both PHP arrays and PHP objects are internally represented using the same data structure, the HashTable.[1] The HashTable is, much like the array, an ordered map of integer or string keys to arbitrary values. However, unlike arrays, there is no guarantee that string and integer keys don't overlap; for instance, a HashTable can simultaneously contain the distinct keys "123" and 123, which may correspond to different values.

Because arrays and objects have different restrictions than the underlying HashTable type on what kinds of keys they can have, the Zend Engine must enforce their restrictions at a layer above HashTables, in the code implementing arrays and objects themselves. This means that if that code is bypassed and the underlying HashTables are modified directly, arrays and objects can exist with an invalid internal state.

[1] Nitpick: objects with only declared properties don't need their own HashTable, but even they use a HashTable for looking up properties; it's just part of the class rather than the object itself.

The arrangement described above has a problem.

Various edge cases in the Zend Engine exist where array HashTables can contain numeric string keys, and object HashTables can contain integer keys. In such cases, these keys are inaccessible from PHP code, because the code handling arrays will never look for numeric string keys in the HashTable (as arrays map those to integer keys), and the code handling objects will never look for integer keys in the HashTable (as objects map those to string keys).

This RFC focuses on a specific edge case, that of object-to-array casts and array-to-object casts. Currently, when using (array) or settype() to convert an object to an array, or when using (object) or settype() to convert an array to an object, the internal HashTable is naïvely copied or referenced without its keys being changed to reflect the restrictions on array keys and object property names, leading to inaccessible array keys or object properties in some cases. For example, $arr = [0 => 1, 1 => 2, 2 => 3]; $obj = (object)$arr; produces an object with inaccessible properties named 0, 1 and 2, while $obj = new stdClass; $obj->{'0'} = 1; $obj->{'1'} = 2; $obj->{'2'} = 3; $arr = (array)$obj; produces an array with the inaccessible keys "0", "1" and "2". The same issue also occurs when using get_object_vars().
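A check for the inaccessible keys described above, as an added example that is not code from the RFC. The helper names unreachableArrayKeys() and unreachableProperties() are hypothetical; they compare what iteration sees with what a direct lookup can reach.

```php
<?php
// Added example: list keys or properties that foreach can see but a direct
// lookup cannot reach. Helper names are hypothetical.

function unreachableArrayKeys(array $arr): array
{
    $lost = [];
    foreach ($arr as $key => $_) {
        // array_key_exists() normalises "0" to 0, exactly as $arr["0"] does.
        if (!array_key_exists($key, $arr)) {
            $lost[] = $key;
        }
    }
    return $lost;
}

function unreachableProperties($obj): array
{
    $lost = [];
    foreach ($obj as $name => $_) {
        // property_exists() looks the name up as a string, as $obj->{...} does.
        if (!property_exists($obj, (string) $name)) {
            $lost[] = $name;
        }
    }
    return $lost;
}

// The two casts from the RFC text.
$obj = new stdClass;
$obj->{'0'} = 1;
$obj->{'1'} = 2;
$fromObject = (array) $obj;               // object-to-array cast
$fromArray  = (object) [0 => 1, 1 => 2];  // array-to-object cast

var_dump(unreachableArrayKeys($fromObject));
var_dump(unreachableProperties($fromArray));
var_dump(isset($fromObject[0]), isset($fromArray->{'0'}));
```

On PHP 7.2 and later both helpers return an empty list, because the casts now convert the keys.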

PHP RFC: Counting of non-countable objects

This RFC proposes adding a warning when calling count() with a parameter that is a scalar, null, or an object that doesn’t implement Countable.

PHP RFC: Object typehint

This type hint will make code easier to understand.

This RFC proposes that object should be used as a parameter type and as a return type. Any object would pass the type check.

Passing a value that is not an object to a parameter that is declared as type object would fail the type check, and a TypeError would be thrown.

Similarly, if a function is declared as returning an object but does not return an object, again a TypeError would be thrown.

As it would be used internally, object would become a reserved classname, unavailable for use as a class name in userland code.

For class methods that use object as either a parameter or return type, the inheritance checks would use contravariance for parameter types, and covariance for return types.

PHP RFC: Migration Hash Context from Resource to Object

Since PHP5, objects have been the preferred structure for wrapping internal data, however some clod created the hash extension to use resources. This RFC seeks to rectify that error by migrating the Hash extension to use an object implementation for hash contexts instead of a resource.

Convert the opaque resource to an opaque object. This is the lightest touch change to ensure that existing code should continue to function unless it has explicit is_resource() checks. These checks can be easily replaced with is_resource|is_object checks instead.

PHP RFC: Argon2 Password Hash

Argon2, the password hashing algorithm recommended by the Password Hashing Competition, is a modern algorithm for securely hashing passwords. Argon2 addresses several key downsides of existing algorithms in that it is designed for the highest memory filling rate and effective use of multiple computing units, while still providing defense against tradeoff attacks. Unlike Bcrypt, which just takes a single cost factor, Argon2 is parameterized by three distinct factors:

  1. A memory cost that defines memory usage of the algorithm
  2. A time cost that defines the execution time of the algorithm and the number of iterations
  3. And a parallelism factor, which defines the number of parallel threads

Argon2 comes in two distinct flavors, Argon2i and Argon2d. Argon2i is optimized for password hashing and password-based key derivation. Argon2d is faster and uses data-dependent memory access, making it highly resistant against GPU cracking attacks and suitable for applications with no threats from side-channel timing attacks (such as cryptocurrencies).
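The three factors map directly onto the options of password_hash() in PHP 7.2. The following added example (not code from the RFC) hashes with Argon2i and upgrades an older bcrypt hash at login; the cost values and the function names hashPassword() and verifyAndUpgrade() are assumptions chosen for illustration, and PHP must be built with Argon2 support.

```php
<?php
declare(strict_types=1);

// Added example; cost values and function names are illustrative assumptions.
if (!defined('PASSWORD_ARGON2I')) {
    exit("This PHP build has no Argon2 support.\n");
}

const ARGON2_OPTIONS = [
    'memory_cost' => 1 << 16, // factor 1: memory, in KiB (64 MiB here)
    'time_cost'   => 3,       // factor 2: number of iterations
    'threads'     => 2,       // factor 3: parallelism
];

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_ARGON2I, ARGON2_OPTIONS);
}

/** Returns [bool $ok, ?string $replacementHash]. */
function verifyAndUpgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    // Rehash when the stored hash uses another algorithm or weaker costs.
    $needs = password_needs_rehash($storedHash, PASSWORD_ARGON2I, ARGON2_OPTIONS);
    return [true, $needs ? hashPassword($password) : null];
}

// Constructed sample: a legacy bcrypt hash as it might sit in a user table.
$legacy = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);

[$ok, $upgraded] = verifyAndUpgrade('correct horse', $legacy);
var_dump($ok);
echo $upgraded, PHP_EOL;                  // encoded hash carries m=, t= and p=
print_r(password_get_info($upgraded));    // algorithm name and the three options

[$ok2, $none] = verifyAndUpgrade('wrong guess', $upgraded);
var_dump($ok2, $none);
```

Store the replacement hash only after a successful verification, since that is the only moment the plaintext password is available.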

PHP RFC: Improved SSL / TLS constants

This RFC proposes to change PHP’s TLS constants to sane values. This change was avoided by the previous RFC for PHP 5.6 for BC reasons. This RFC favors better security over backwards compatibility with version-intolerant and out-of-date servers.

PHP RFC: Deprecate (then Remove) Mcrypt

A survey of websites where people share cryptography code reveals a lot about how people use mcrypt. You’ll most likely find gems like this:

/**
 * Don't use this. It was copied from StackOverflow to demonstrate how
 * unsuccessful developers are at using the mcrypt extension:
 */
function fnEncrypt($sValue, $sSecretKey)
{
    return rtrim(
        base64_encode(
            mcrypt_encrypt(
                MCRYPT_RIJNDAEL_256,
                $sSecretKey, $sValue,
                MCRYPT_MODE_ECB,
                mcrypt_create_iv(
                    mcrypt_get_iv_size(
                        MCRYPT_RIJNDAEL_256,
                        MCRYPT_MODE_ECB
                    ),
                    MCRYPT_RAND)
                )
            ), "\0"
        );
}

function fnDecrypt($sValue, $sSecretKey)
{
    return rtrim(
        mcrypt_decrypt(
            MCRYPT_RIJNDAEL_256,
            $sSecretKey,
            base64_decode($sValue),
            MCRYPT_MODE_ECB,
            mcrypt_create_iv(
                mcrypt_get_iv_size(
                    MCRYPT_RIJNDAEL_256,
                    MCRYPT_MODE_ECB
                ),
                MCRYPT_RAND
            )
        ), "\0"
    );
}

Problems with this code:

  • It’s using ECB Mode
  • It’s also attempting to generate an IV for ECB mode (which is a waste of CPU since IVs aren’t used in ECB mode)
  • Using MCRYPT_RAND for IV generation, which isn’t a CSPRNG
  • fnEncrypt() will rtrim() null bytes off the encrypted value before base64 encoding it, which means a 1/256 chance of data corruption that prevents decryption
  • fnDecrypt() will rtrim() null bytes off the decrypted plaintext, which means if your plaintext message was raw binary (e.g. gzip compressed), it’s now corrupted
  • There is no MAC, so if you transmit this over a network, it’s vulnerable to chosen-ciphertext attacks

Mcrypt has a lot of design warts and puts a lot of burden on the implementer to choose the right components (and stitch them together correctly). Blaming the implementer leads to error-prone cryptographic designs. Error-prone cryptographic designs lead to insecure applications.

If libmcrypt were still being maintained, we could work with the libmcrypt team to improve it. Unfortunately, it was abandoned in 2007, and contains unfixed bugs and patches that will never be merged.

Everything libmcrypt can do, openssl can do too (and often better), either out-of-the-box or via its support for pluggable ciphers.

For example: OpenSSL’s AES implementation (which mcrypt still called MCRYPT_RIJNDAEL_128 before it was abandoned) uses AES-NI on modern processors to deliver very fast AES that withstands cache-timing attacks. Mcrypt’s AES still used S-boxes.

Comparing libmcrypt to openssl, you will find that it is:

  • Less well-maintained
  • Less standards compliant (NULL byte padding can cause data loss on decryption; PKCS#7 padding, which openssl_encrypt() uses, does not)
  • More confusing for end-users (not that OpenSSL’s API and documentation are stellar)
  • Slower on modern hardware
  • Less resistant to active attackers
  • Less feature-rich (no public-key cryptography)

PHP RFC: Make Libsodium a Core Extension

As we move towards PHP 7.0.0, we must look at the current state of cryptography in PHP. Libmcrypt hasn’t been touched in eight years (last release was in 2007), leaving openssl as the only viable option for PHP 5.x and 7.0 users.

Meanwhile, libsodium bindings have been available in PECL for a while now, and have reached stability.

Libsodium is a modern cryptography library that offers authenticated encryption, high-speed elliptic curve cryptography, and much more. Unlike other cryptography standards (which are a potluck of cryptography primitives; i.e. WebCrypto), libsodium is comprised of carefully selected algorithms implemented by security experts to avoid side-channel vulnerabilities.
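For contrast with the fnEncrypt()/fnDecrypt() pair quoted in the mcrypt section, here is authenticated encryption with the sodium extension that ships in PHP 7.2. This is an added example, not code from either RFC; safeEncrypt() and safeDecrypt() are hypothetical names, and it addresses the listed problems one by one (CSPRNG nonce, no rtrim(), MAC verified before decryption).

```php
<?php
declare(strict_types=1);

// Added example (not from the RFC): secret-key authenticated encryption with
// ext/sodium on PHP >= 7.2. safeEncrypt()/safeDecrypt() are hypothetical names.

function safeEncrypt(string $plaintext, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('Key must be 32 random bytes.');
    }
    // Fresh nonce from the OS CSPRNG for every message (not MCRYPT_RAND).
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // XSalsa20 + Poly1305 MAC: no block padding, so nothing to rtrim().
    $box = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $box);
}

function safeDecrypt(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed ciphertext.');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // The MAC is checked first; tampered input never yields plaintext.
    $plaintext = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plaintext === false) {
        throw new RuntimeException('Authentication failed.');
    }
    return $plaintext;
}

$key = sodium_crypto_secretbox_keygen();
$msg = "raw binary \0\0 payload\0";   // constructed sample ending in a NUL byte
$ct  = safeEncrypt($msg, $key);
var_dump(safeDecrypt($ct, $key) === $msg);

// Flip one bit of the stored ciphertext: decryption must refuse it.
$bad = base64_decode($ct);
$bad[-1] = chr(ord($bad[-1]) ^ 1);
try {
    safeDecrypt(base64_encode($bad), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```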

Taken together, these changes also make PHP 7.2 a little bit faster.

[Figure: PHP 7.2 comparison]
