We’re happy to announce the first release candidate of PHP 7.2 is available on all WordPress Apps. PHP 7.2 brings even more speed improvements while adding great new security features such as the Sodium cryptography extension and the Argon2i password hashing algorithm.
Most apps that are compatible with PHP 7.1 will be compatible with PHP 7.2.
The main change to be aware of is the removal of the mcrypt extension. If your apps use mcrypt, be sure to install the mcrypt PECL extension for PHP 7.2.
If your apps rely on PECL extensions or third-party PHP extensions, such as ionCube, you’ll need to wait for the extension developer to add PHP 7.2 support.
The good news is that most PECL extensions that support PHP 7.1 already support PHP 7.2.
Switching to PHP 7.2
As always, your servers and apps using PHP 7.2 will automatically receive updates as new PHP 7.2 releases become available. When PHP 7.2.0 is released, all apps using PHP 7.2 RC will automatically begin using PHP 7.2.0.
The major news for developers using PHP 7.2 is the addition of great password hashing and cryptography tools in PHP.
Argon2i for Secure Password Hashing
PHP 7.2 adds support for the Argon2i password hashing algorithm. Argon2i was the winner of the Password Hashing Competition and is being widely adopted as the modern standard for password hashing.
Hashing passwords with Argon2i is now as simple as:
Verifying passwords hashed with Argon2i is the same as before:
Sodium Extension for Safe Cryptography
PHP 7.2 adds the Sodium extension, giving PHP scripts access to the Sodium cryptography library (sometimes called libsodium). Sodium is a modern crypto library that makes tasks such as encryption, decryption, signature generation, and signature checking easy and safe.
The PHP documentation team is still working on the documentation for the Sodium extension. For now, see this guide to using the PECL Sodium extension that was available before PHP 7.2.
Note: The new PHP Sodium extension included in PHP 7.2 uses the standard PHP function naming convention where all functions are named sodium_FUNC_NAME. The previous PECL Sodium extension described in the guide linked above used a namespace where functions were available as \Sodium\FUNC_NAME. If you’re using the Sodium extension guide linked above, be sure to change all function names to the new format for the Sodium extension.
Removed Extension: mcrypt
The mcrypt cryptography extension has been removed from PHP 7.2 and instead moved to an unofficial PECL extension.
The reason for the removal of mcrypt is that libmcrypt, the underlying library the extension provides an interface to, has not been maintained since 2007. With the addition of the Sodium extension to PHP, there are now simpler and safer cryptography tools available in PHP.
The mcrypt extension should no longer be used for new development.
- It is now possible to remove argument type annotations when overriding an inherited method.
- It is now allowed to override an abstract method with another abstract method in a child class.
- A trailing comma in group use statements is now allowed.
- The “object” type annotation is now supported.
- The SQLite3 extension can now write to BLOBs.
- For regular expressions, the PREG_UNMATCHED_AS_NULL flag was added to allow distinguishing between unmatched subpatterns and empty matches by reporting NULL and “” (empty string), respectively.
With the release of PHP 7.2, the developers of PHP announced that the following functionality will be removed in a future PHP version. You should avoid writing new code with deprecated functionality.
- The __autoload() mechanism has been deprecated, use spl_autoload_register() instead.
- The (unset) cast has been deprecated. This does not affect the unset($var) language construct.
- The create_function() function has been deprecated, use anonymous functions instead.
- The each() function has been deprecated, use a foreach loop instead.
- The $errcontext error handler argument has been deprecated. However, using it does not trigger a deprecation warning for technical reasons.
- Calling parse_str() without the result argument has been deprecated.
- Calling assert() with a string argument has been deprecated, use an ordinary expression instead.