Slide 1

PHP 5.5: The New Bits
Tuesday, September 17, 13

Slide 2

Davey Shafik
• Community Engineer at Engine Yard
• Author of Zend PHP 5 Certification Study Guide, Sitepoint's PHP Anthology: 101 Essential Tips, Tricks & Hacks, and PHP Master: Write Cutting Edge Code
• A contributor to Zend Framework, phpdoc, FRAPI and PHP internals
• @dshafik

Slide 3

About These Slides

Slide 4

About These Slides
• Two slides per “slide”
• Title slide (for when I’m talking)
• Details slide (for later)
• Nobody likes it when you can read the slide just as well as the speaker can
• I like slides that are useful

Slide 5

The Small Stuff

Slide 6

The Small Stuff
• PCRE (Perl Compatible Regular Expression) /e (eval) pattern modifier deprecated
• ext/mysql is now officially deprecated
• mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb() and mcrypt_ofb() deprecated
• Drop Windows XP and 2003 support
• Remove php_logo_guid(), php_egg_logo_guid(), php_real_logo_guid(), zend_logo_guid()
• Return previous handler when passing NULL to set_error_handler() and set_exception_handler()
• Added optional second argument for assert() to specify custom message
• Added boolval()
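The /e deprecation is the security-relevant item in this list: with /e, PHP substitutes the backreferences into the replacement string and then passes the result to eval(), so whatever the pattern matched becomes part of evaluated code. The following is an added example, not code from the slides, showing the migration to preg_replace_callback(), where the match reaches the replacement logic as plain data. The template syntax and the upperPlaceholders() name are my own choices for illustration; the modifier itself was removed entirely in PHP 7.0.

```php
<?php
// Added example (not from the original slides): migrating away from the
// deprecated PCRE /e modifier. The /e form is kept here only as a string,
// for comparison; it is never executed.
$deprecatedPattern     = '/\{(\w+)\}/e';
$deprecatedReplacement = 'strtoupper("$1")';   // /e would eval() this after substitution

/**
 * Upper-cases every {placeholder} token in $template.
 * The callback receives the matches as an array; nothing is evaluated.
 */
function upperPlaceholders($template)
{
    return preg_replace_callback(
        '/\{(\w+)\}/',
        function (array $m) {
            return strtoupper($m[1]);
        },
        $template
    );
}

// Constructed sample input.
$template = 'Dear {name}, your {item} ships today.';
echo upperPlaceholders($template), PHP_EOL;
// Dear NAME, your ITEM ships today.

// The same transformation with the old modifier, documented but not run:
// preg_replace($deprecatedPattern, $deprecatedReplacement, $template);
```

Under PHP 5.5 the /e form still works but emits an E_DEPRECATED notice; treating that notice as a build failure (for example by turning it into an exception with a custom error handler) is a practical way to find remaining uses before upgrading.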

Slide 7

The Small Stuff (Cont.)
• Added support for PBKDF2: hash_pbkdf2()
• json_encode() now supports a depth parameter (third argument)
• Enhancements to GD extension: imageflip(), support for WebP format and easy cropping using imagecrop() and imagecropauto()
• foreach now supports non-scalar keys (as possibly returned by Iterators)
• Zend OpCache now included. Recommended over APC
• PECL ext/APCu released to provide 100% backwards compatible APC User Storage
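hash_pbkdf2() gives you a standard key-derivation function, but unlike the password_hash() API later in this deck it produces a bare key: the iteration count and salt are not encoded in the output, so you have to store them yourself. The block below is an added example, not code from the slides, that wraps hash_pbkdf2() in a self-describing record. The record layout (pbkdf2-sha256$iterations$salt$key), the iteration count, and the function names are my own assumptions; the byte-wise comparison is written out by hand because hash_equals() only arrived in PHP 5.6.

```php
<?php
// Added example (not from the original slides): storing and verifying a
// PBKDF2-SHA256 derived key with the 5.5 hash_pbkdf2() function.
define('PBKDF2_ITERATIONS', 100000);   // assumption: tune to your hardware
define('PBKDF2_KEY_BYTES', 32);

/** Derive a key from $password and return a record carrying all parameters. */
function pbkdf2Create($password)
{
    $salt = openssl_random_pseudo_bytes(16);
    $key  = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, PBKDF2_KEY_BYTES, true);
    return 'pbkdf2-sha256$' . PBKDF2_ITERATIONS . '$' . bin2hex($salt) . '$' . bin2hex($key);
}

/** Constant-time byte comparison (hash_equals() is not available before 5.6). */
function constantTimeEquals($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

/** Re-derive with the parameters stored in $record and compare. */
function pbkdf2Verify($password, $record)
{
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;
    }
    list(, $iterations, $saltHex, $keyHex) = $parts;
    $iterations = (int) $iterations;
    if ($iterations < 1) {
        return false;
    }
    $expected = hex2bin($keyHex);
    $actual   = hash_pbkdf2('sha256', $password, hex2bin($saltHex), $iterations, strlen($expected), true);
    return constantTimeEquals($expected, $actual);
}

// Constructed sample usage.
$record = pbkdf2Create('correct horse battery staple');
var_dump(pbkdf2Verify('correct horse battery staple', $record)); // bool(true)
var_dump(pbkdf2Verify('wrong password', $record));               // bool(false)
```

Because the iteration count is read back from the record, you can raise PBKDF2_ITERATIONS later and old records keep verifying until they are re-derived, the same upgrade pattern password_needs_rehash() automates for bcrypt.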

Slide 8

The Small Stuff (Cont.)
Tons of new ext/intl changes (75 new functions!)

intlcal_*: intlcal_create_instance(), intlcal_get_keyword_values_for_locale(), intlcal_get_now(), intlcal_get_available_locales(), intlcal_get(), intlcal_get_time(), intlcal_set_time(), intlcal_add(), intlcal_set_time_zone(), intlcal_after(), intlcal_before(), intlcal_set(), intlcal_roll(), intlcal_clear(), intlcal_field_difference(), intlcal_get_actual_maximum(), intlcal_get_actual_minimum(), intlcal_get_day_of_week_type(), intlcal_get_first_day_of_week(), intlcal_get_greatest_minimum(), intlcal_get_least_maximum(), intlcal_get_locale(), intlcal_get_maximum(), intlcal_get_minimal_days_in_first_week(), intlcal_get_minimum(), intlcal_get_time_zone(), intlcal_get_type(), intlcal_get_weekend_transition(), intlcal_in_daylight_time(), intlcal_is_equivalent_to(), intlcal_is_lenient(), intlcal_is_set(), intlcal_is_weekend(), intlcal_set_first_day_of_week(), intlcal_set_lenient(), intlcal_equals(), intlcal_get_repeated_wall_time_option(), intlcal_get_skipped_wall_time_option(), intlcal_set_repeated_wall_time_option(), intlcal_set_skipped_wall_time_option(), intlcal_from_date_time(), intlcal_to_date_time(), intlcal_get_error_code(), intlcal_get_error_message()

intlgregcal_*: intlgregcal_create_instance(), intlgregcal_set_gregorian_change(), intlgregcal_get_gregorian_change(), intlgregcal_is_leap_year()

intltz_*: intltz_create_time_zone(), intltz_create_default(), intltz_get_id(), intltz_get_gmt(), intltz_get_unknown(), intltz_create_enumeration(), intltz_count_equivalent_ids(), intltz_create_time_zone_id_enumeration(), intltz_get_canonical_id(), intltz_get_region(), intltz_get_tz_data_version(), intltz_get_equivalent_id(), intltz_use_daylight_time(), intltz_get_offset(), intltz_get_raw_offset(), intltz_has_same_rules(), intltz_get_display_name(), intltz_get_dst_savings(), intltz_from_date_time_zone(), intltz_to_date_time_zone(), intltz_get_error_code(), intltz_get_error_message()

datefmt_*: datefmt_format_object(), datefmt_get_calendar_object(), datefmt_get_timezone(), datefmt_set_timezone()

Slide 9

boolval()

Slide 10

More on boolval()
• Identical to: (bool) $var
• Returns false for empty arrays and strings, and zero.
• Everything else returns true (except false!)

    var_dump(boolval([]));              // bool(false)
    var_dump(boolval(""));              // bool(false)
    var_dump(boolval(new stdClass()));  // bool(true)
    var_dump(boolval(["foo", "bar"]));  // bool(true)

Slide 11

NULL with set_(error|exception)_handler

Slide 12

More on set_(error|exception)_handler
• Passing NULL sets the handler to default

    var_dump(set_error_handler(function () { }));
    // NULL
    var_dump(set_error_handler(null));
    // object(Closure)#1 (0) { }
    var_dump(set_error_handler(null));
    // NULL
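The practical use of the returned previous handler is scoping: install a stricter handler around a block of code and hand back exactly what was there before, whether that was a callable or the default (null). The following is an added example, not code from the slides; the withWarningsAsExceptions() name is my own, and it uses PHP 5.5's finally clause so the restore happens even when the wrapped code throws.

```php
<?php
// Added example (not from the original slides): a temporary error handler
// that converts warnings into ErrorException, restored from the value
// set_error_handler() returned. Passing that value back works in 5.5 even
// when it is null, because null now means "reinstall the default handler".

function withWarningsAsExceptions(callable $work)
{
    $previous = set_error_handler(function ($severity, $message, $file, $line) {
        if (!(error_reporting() & $severity)) {
            return false;   // honour the @ operator and error_reporting()
        }
        throw new ErrorException($message, 0, $severity, $file, $line);
    });

    try {
        return $work();
    } finally {
        // Put back whatever was installed before we started.
        set_error_handler($previous);
    }
}

// Constructed sample: reading a path that does not exist raises E_WARNING.
try {
    $data = withWarningsAsExceptions(function () {
        return file_get_contents('/nonexistent/constructed-path.txt');
    });
} catch (ErrorException $e) {
    echo 'Caught: ', $e->getMessage(), PHP_EOL;
}

// Outside the scope the default handler is back: this only emits a warning.
$outside = @file_get_contents('/nonexistent/constructed-path.txt');
var_dump($outside);   // bool(false)
```

restore_error_handler() does the same job when you only need to pop one level; keeping the returned value is useful when the restore happens somewhere other than where the handler was installed.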

Slide 13

assert() Descriptions

Slide 14

More on assert()
• New argument to provide a description of failure

    assert_options(ASSERT_ACTIVE, 1);

    function foo($bar, $bat)
    {
        assert($bar < $bat, "Second arg is less than first");
    }

    foo(2, 1);
    // Warning: assert(): Second arg is less than first failed in <file> on line <#>

Slide 15

list() support in foreach

Slide 16

list() support in foreach
• Allows assignment of nested array values (1st level) to multiple variables, within the foreach declaration

    $result = [
        [
            'name'  => 'Davey Shafik',
            'email' => '[email protected]',
        ],
        [
            'name'  => 'Helgi Þormar Þorbjörnsson',
            'email' => '[email protected]',
        ],
    ];

    foreach ($result as list($name, $email)) {
        echo $name, ': ', $email . PHP_EOL;
    }

Slide 17

empty() supports any expression

Slide 18

empty() supports any expression
• Prior to 5.5, empty() only allowed variables as input. Now it can be called on any expression, e.g. function calls

    if (empty(some_function())) {
        // Do something
    }

Slide 19

String/Array Dereferencing

Slide 20

String/Array Dereferencing
• PHP 5.4 added support for function dereferencing; 5.5 adds the same feature to constant strings and arrays

    // Added in PHP 5.4:
    someFunction()[$key];

    // Now available in PHP 5.5
    "somestring"[$key];

    // And:
    ["foo", "bar", "baz"][$key];

    // Note: $key can be any valid expression!

Slide 21

String/Array Dereferencing
• Possible use case: randomizing data

    // Random(-ish) Greeting:
    $hi = ["Hi", "Hello", "Hola"][rand(0, 2)];

Slide 22

Simple Password Hashing

Slide 23

Simple Password Hashing
• Makes password hashing super easy
• Purpose: to make sure everyone uses safe password storage
• Uses the excellent bcrypt (currently)
• Salting is automatic, but can be supplied
• The resulting hash itself identifies the algorithm, salt and options when passed to password_verify()
• You may pass an array with salt and cost as third argument to password_hash()

Slide 24

Simple Password Hashing (cont.)

    $hash = password_hash("testing", PASSWORD_DEFAULT);

    if (password_verify("testing", $hash)) {
        // valid
    }

Specify Options:

    $options = [
        'cost' => 20,
        'salt' => 'bcryptuses22characters',
    ];

    $hash = password_hash("testing", PASSWORD_DEFAULT, $options);

Slide 25

PASSWORD_DEFAULT
• Default hashing algorithm
• Currently bcrypt
• Will change over time to whatever is newer, stronger
• Recommend that DB columns are 255 chars, as the length may change from the current 60 chars with bcrypt
• Combine with password_needs_rehash() for better security

Slide 26

Simple Password Hashing (cont.)
• Also provides two helper functions:
• password_needs_rehash() will determine if the hash uses the current algorithm, cost and salt, returning true if it doesn’t match.
• password_get_info() returns an array providing information about a hash such as algorithm, cost and salt.

Slide 27

password_needs_rehash()

    if (password_verify("testing", $hash)) {
        // valid
        if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
            // re-hash with password_hash() and store
        }
    }
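Putting slides 23 to 27 together, here is an added example (not code from the slides) of the full register/login loop: hash on registration, verify on login, and transparently re-hash on the first successful login after the cost or algorithm changes, which is the moment the plaintext is available. The $users array, the function names and the cost values are my own stand-ins for a real user table.

```php
<?php
// Added example (not from the original slides): registration and login with
// password_hash(), password_verify(), password_needs_rehash() and
// password_get_info(). $users stands in for a database table whose hash
// column is 255 characters wide, as slide 25 recommends.

$users = [];   // constructed stand-in for user storage: username => hash

function registerUser(array &$users, $username, $password)
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Returns true on a correct password. When the stored hash no longer matches
 * the current algorithm/options, it is replaced while the plaintext is at hand.
 */
function loginUser(array &$users, $username, $password, array $options = [])
{
    if (!isset($users[$username])) {
        return false;
    }
    $hash = $users[$username];
    if (!password_verify($password, $hash)) {
        return false;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, $options);
    }
    return true;
}

registerUser($users, 'davey', 'testing');   // bcrypt with the default cost of 10
$info = password_get_info($users['davey']);
echo $info['algoName'], ' cost=', $info['options']['cost'], PHP_EOL;   // bcrypt cost=10

// A later deployment raises the cost; the next successful login upgrades the hash.
$newOptions = ['cost' => 12];
var_dump(loginUser($users, 'davey', 'wrong', $newOptions));     // bool(false), hash untouched
var_dump(loginUser($users, 'davey', 'testing', $newOptions));   // bool(true), hash upgraded
$info = password_get_info($users['davey']);
echo $info['algoName'], ' cost=', $info['options']['cost'], PHP_EOL;   // bcrypt cost=12
```

Note that the rehash check runs only after password_verify() succeeds: a failed attempt must never touch the stored hash, and the options you pass to password_needs_rehash() must be the same ones you pass to password_hash(), otherwise every login re-hashes.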

Slide 28

More on password security

Slide 29

More on password security
Goal: Make both dictionary and brute force attacks difficult.
• A strong salt makes a dictionary attack much more difficult
• A high cost means it takes a long time (say, 1/10th of a second) to generate a single password hash, making brute force attacks too slow to be effective
• The cost is what makes SHA-1 and MD5 poor options: they are designed to be fast, and speed is the enemy of security here.
• Additionally, MD5 suffers from too many easy collisions (e.g. two different strings that create the same hash)
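The "1/10th of a second" figure is a target, not a fixed cost number: bcrypt's cost is a power of two, and what a given cost costs in wall-clock time depends on the server. The block below is an added example, not code from the slides, that measures password_hash() at increasing costs and returns the highest one that stays under the target. The target, the starting cost and the function name are assumptions to adjust for your own hardware.

```php
<?php
// Added example (not from the original slides): picking a bcrypt cost
// empirically so that one hash takes close to, but not more than, the
// target time on the machine that will actually run the logins.

function calibrateBcryptCost($targetSeconds = 0.1, $startCost = 8, $maxCost = 31)
{
    $chosen = $startCost;
    for ($cost = $startCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
        if ($elapsed > $targetSeconds) {
            break;   // this cost already exceeds the target; keep the previous one
        }
        $chosen = $cost;
    }
    return $chosen;
}

$cost = calibrateBcryptCost();
printf("Use cost %d: one hash takes under 0.1 s on this machine\n", $cost);
```

Run it on the production hardware rather than a laptop, re-run it when the hardware changes, and feed the result into the options array that both password_hash() and password_needs_rehash() receive, so existing users are upgraded on their next login.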

Slide 30

Hashing Rates

Each cell gives how much faster or slower the row algorithm is than the column algorithm.

Algorithm   Hashes/second        vs MD5           vs SHA-1         vs SHA-512        vs bcrypt
MD5         180 Billion/second   -                65% Faster       99.9997% Faster   99.9999996% Faster
SHA-1       63 Billion/second    185% Slower      -                99.9994% Faster   99.999887% Faster
SHA-512     364,000/second       49.5M% Slower    17.3M% Slower    -                 80.49% Faster
bcrypt      71,000/second        253.5M% Slower   88.7M% Slower    412% Slower       -

Data Source: http://passwords12.at.ifi.uio.no/

Slide 31

Thank You
Feedback: http://joind.in/9288
Twitter: @dshafik
Email: [email protected]
Slides: http://daveyshafik.com/slides