[PHP 5.5 Summit] PHP 5.5: The New Bits (php[architect])

PHP 5.5
The New Bits
1
Tuesday, September 17, 13

View Slide

•Community Engineer at Engine Yard
•Author of Zend PHP 5 Certification
Study Guide, Sitepoints PHP
Anthology: 101 Essential Tips, Tricks
& Hacks & PHP Master: Write
Cutting Edge Code
•A contributor to Zend Framework,
phpdoc, FRAPI and PHP internals
•@dshafik
Davey Shafik
2

View Slide

About These Slides
3

View Slide

About These Slides
• Two slides per “slide”
• Title Slide (for when I’m talking)
• Details slide (for later)
• Nobody likes it when you can read the slide just as
well as the speaker can
• I like slides that are useful
4
4

View Slide

The Small Stuff
5

View Slide

The Small Stuff
• PCRE (Perl Compatible Regular Expression) /e (eval) pattern modiﬁer
deprecated
• ext/mysql is now officially deprecated
• mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb() and mcrypt_ofb()
deprecated
• Drop Windows XP and 2003 support
• Remove php_logo_guid(), php_egg_logo_guid(),
php_real_logo_guid(), zend_logo_guid()
• Return previous handler when passing NULL to set_error_handler()
and set_exception_handler()
• Added optional second argument for assert() to specify custom
message
• Added boolval() 6
6

View Slide

The Small Stuff (Cont.)
• Added support for PBKDF2: hash_pbkdf2()
• json_encode() now supports a depth parameter (third argument)
• Enhancements to GD extension: imageflip(), support for WebP format
and easy cropping using imagecrop() and imagecropauto()
• foreach now supports non-scalar keys (as possibly returned by
Iterators)
• Zend OpCache now included. Recommended over APC
• PECL ext/APCu released to provide 100% backwards compatible APC
User Storage
7
7

View Slide

The Small Stuff (Cont.)
intlcal_get_keyword_values_for_locale()
intlcal_get_now()
intlcal_get_available_locales()
intlcal_get()
intlcal_get_time()
intlcal_set_time()
intlcal_add()
intlcal_set_time_zone()
intlcal_after()
intlcal_before()
intlcal_set()
intlcal_roll()
intlcal_clear()
intlcal_field_difference()
intlcal_get_actual_maximum()
intlcal_get_actual_minimum()
intlcal_get_day_of_week_type()
intlcal_get_first_day_of_week()
intlcal_get_greatest_minimum()
intlcal_get_least_maximum()
intlcal_get_locale()
intlcal_get_maximum()
intlcal_get_minimal_days_in_first_week()
intlcal_get_minimum()
intlcal_get_time_zone()
intlcal_get_type()
intlcal_get_weekend_transition()
intlcal_in_daylight_time()
intlcal_is_equivalent_to()
intlcal_is_lenient()
intlcal_is_set()
intlcal_is_weekend()
intlcal_set_first_day_of_week()
intlcal_set_lenient()
intlcal_equals()
intlcal_get_repeated_wall_time_option()
intlcal_get_skipped_wall_time_option()
intlcal_set_repeated_wall_time_option()
intlcal_set_skipped_wall_time_option()
intlcal_from_date_time()
intlcal_to_date_time()
intlcal_get_error_code()
intlcal_get_error_message()
intlgregcal_create_instance()
intlgregcal_set_gregorian_change()
intlgregcal_get_gregorian_change()
intlgregcal_is_leap_year()
intltz_create_time_zone()
intltz_create_default()
intltz_get_id()
intltz_get_gmt()
intltz_get_unknown()
intltz_create_enumeration()
intltz_count_equivalent_ids()
intltz_create_time_zone_id_enumeration()
intltz_get_canonical_id()
intltz_get_region()
intltz_get_tz_data_version()
intltz_get_equivalent_id()
intltz_use_daylight_time()
intltz_get_offset()
intltz_get_raw_offset()
intltz_has_same_rules()
intltz_get_display_name()
intltz_get_dst_savings()
intltz_from_date_time_zone()
intltz_to_date_time_zone()
intltz_get_error_code()
intltz_get_error_message()
datefmt_format_object()
datefmt_get_calendar_object()
datefmt_get_timezone()
datefmt_set_timezone()
datefmt_get_calendar_object()
intlcal_create_instance()
Tons of new ext/intl changes (75 new functions!)
8

View Slide

boolval()
9

View Slide

More on boolval()
• Identical to: (bool) $var
• Returns false for empty arrays and strings, and
zero.
• Everything else returns true (except false!)
10
var_dump(boolval([]));
bool(false)
var_dump(boolval(""));
bool(false)
var_dump(boolval(new stdClass()));
bool(true)
var_dump(boolval(["foo", "bar"]);
bool(true)
10

View Slide

NULL with
set_(error|exception)_handler
11

View Slide

More on set_(error|exception)_handler
12
• Passing NULL sets the handler to default
var_dump(set_error_handler(function() { }));
NULL

var_dump(set_error_handler(null));
object(Closure)#1 (0) {
}

var_dump(set_error_handler(null));
NULL
12

View Slide

assert() Descriptions
13

View Slide

More on assert()
• New argument to provide a description of failure
14
assert_options(ASSERT_ACTIVE, IS_ASSERT_ACTIVE);
function foo($bar, $bat) {
assert(
$bar < $bat,
"Second arg is more than first"
);'
}
foo(2, 1);
Warning: assert(): Second arg is less than first
failed in on line <#>
14

View Slide

list() support in foreach
15

View Slide

list() support in foreach
16
• Allows assignment of nested array values (1st level)
to multiple variables, within the foreach declaration
$result = [
[
'name' => 'Davey Shafik',
'email' => '[email protected]',
],
[
'name' => 'Helgi Þormar Þorbjörnsson',
'email' => '[email protected]',
]
];
foreach ($result as list($name, $email)) {
echo $name, ': ', $email . PHP_EOL;
}
16

View Slide

empty() supports any expression
17

View Slide

empty() supports any expression
18
• Prior to 5.5, empty() only allowed variables as input.
Now it can be called on any expression, e.g. function
calls
if (empty(some_function()) {
// Do something
}
18

View Slide

String/Array Dereferencing
19

View Slide

20
• PHP 5.4 added support for function dereferencing,
5.5 adds the same feature to constant strings and
arrays
// Added in PHP 5.4:
someFunction()[$key];
// Now available in PHP 5.5
"somestring"[$key];
// And:
["foo", "bar", "baz"][$key];
// Note: $key can be any valid expression!
20

View Slide

21
• Possible use case: randomizing data
// Random(-ish) Greeting:
$hi = ["Hi", "Hello", "Hola"][rand(0,2)];
21

View Slide

Simple Password Hashing
22

View Slide

Simple Password Hashing
• Makes password hashing super easy
• Purpose: to make sure everyone uses safe password
storage
• Uses the excellent bcrypt (currently)
• Salting is automatic, but can be supplied
• The resulting hash itself identiﬁes the algorithm, salt
and options options when passed to
password_verify()
• You may pass an array with salt and cost as third
argument to password_hash()
23
23

View Slide

Simple Password Hashing (cont.)
24
$options = [
'cost' => 20,
'salt' => 'bcryptuses22characters'
];
$hash = password_hash("testing", PASSWORD_DEFAULT, $options);
$hash = password_hash("testing", PASSWORD_DEFAULT);
if (password_verify("testing", $hash)) {
// valid
}
Specify Options:
24

View Slide

PASSWORD_DEFAULT
• Default hashing algorithm
• Currently bcrypt
• Will change over time to whatever is newer, stronger
• Recommend that DB columns are 255 chars, as the length may
change from the current 60 chars with bcrypt
• Combine with password_needs_rehash() for
better security
25
25

View Slide

Simple Password Hashing (cont.)
• Also provides two helper functions:
• password_needs_rehash() will determine if the hash uses
the current algorithm, cost and salt, returning true if it doesn’t
match.
• password_get_info() returns an array providing information
about a hash such as algorithm, cost and salt.
26
26

View Slide

password_needs_rehash()
if (password_verify("testing", $hash)) {
// valid
if (password_needs_rehash("testing", PASSWORD_DEFAULT)) {
// re-hash with password_hash() and store
}
}
27

View Slide

More on password security
28

View Slide

More on password security
• A strong salt makes a dictionary attack much more
difficult
• A high cost means it takes a long time (say, 1/10th
second) to generate a single password, making brute
force attacks too slow to be effective
• The cost is what makes SHA-1 and MD5 poor
options because they are designed to be fast, this is
the enemy of security.
• Additionally, MD5 suffers from too many easy
collisions (e.g. two different strings that create the
same hash)
29
Goal: Make both dictionary and brute force attacks difﬁcult.
29

View Slide

Hashing Rates
30
Algorithm
Hashes/
second
MD5 SHA-1 SHA-512 bcrypt
MD5
180 Billion/
second
65% Faster
99.9997%
Faster
99.9999996%
Faster
SHA-1
63 Billion/
second
185% Slower
99.9994%
Faster
99.999887%
Faster
SHA-512
364,000/
second
49.5M%
Slower
17.3M%
Slower
80.49%
Faster
bcrypt
71,000/
second
253.5M%
Slower
88.7M%
Slower
412% Slower
Data Source: http://passwords12.at.iﬁ.uio.no/
30

View Slide

Thank You
Feedback:
http://joind.in/9288
Twitter: @dshaﬁk
Email: [email protected]
Slides:
http://daveyshaﬁk.com/slides
31

View Slide

[PHP 5.5 Summit] PHP 5.5: The New Bits (php[architect])

[PHP 5.5 Summit] PHP 5.5: The New Bits (php[architect])

Davey Shafik

More Decks by Davey Shafik

Other Decks in Programming

Featured

Transcript