Deprecated or Removed Security-Related Functionality
Explore PHP 8's deprecated and removed security-related features that affect functionality and safety. Understand changes to stream filters, custom error handling, backtraces, PDO default error modes, and the removal of track_errors. This lesson helps you avoid security risks and ensure your PHP code runs correctly after migration.
Any changes to functionality that affect security are extremely important to note. Ignoring these changes can very easily not only break our code but also open our websites to potential attackers. We cover a variety of security-related changes in functionality present in PHP 8. Let’s start the discussion by examining filters.
Examining PHP 8 stream-filter changes
PHP input/output (I/O) operations depend upon a subsystem known as streams. One of the interesting aspects of this architecture is the ability to append a stream filter to any given stream. The filters we can append can be either custom-defined stream filters registered using stream_filter_register(), or predefined filters included with our PHP installation.
An important change of which we need to be aware is that in PHP 8, all mcrypt.* and mdecrypt.* filters have been removed, as well as the string.strip_tags filter. If we’re not sure which filters are included in our PHP installation, we can either run phpinfo() or, better yet, stream_get_filters().
Here’s the stream_get_filters() output running in PHP 8:
We’ll notice from the PHP 8 output that some filters have been removed. Any code that uses any of the three filters listed will break ...
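A migration check for the filters named above, as an added example that is not part of the original lesson: it reports which of the removed filters the running interpreter still registers and scans source text for references to them. The function names, the regular expression and the sample snippet are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Filters the lesson lists as removed in PHP 8, as stream_get_filters() names them.
const REMOVED_FILTERS = ['mcrypt.*', 'mdecrypt.*', 'string.strip_tags'];

// Quoted filter names in source code, e.g. 'mcrypt.rijndael-128' or "string.strip_tags".
const REMOVED_FILTER_REGEX = '/([\'"])((?:mcrypt|mdecrypt)\.[\w.*-]+|string\.strip_tags)\1/';

/** Removed filters the running interpreter still registers (expected to be empty on PHP 8). */
function removedFiltersRegistered(): array
{
    return array_values(array_intersect(REMOVED_FILTERS, stream_get_filters()));
}

/** Find references to removed filters in PHP source; returns line number and filter name. */
function findRemovedFilterUses(string $source): array
{
    $hits = [];
    foreach (preg_split('/\R/', $source) as $index => $line) {
        if (preg_match_all(REMOVED_FILTER_REGEX, $line, $matches)) {
            foreach ($matches[2] as $filter) {
                $hits[] = ['line' => $index + 1, 'filter' => $filter];
            }
        }
    }
    return $hits;
}

// Constructed sample of pre-migration code (not from the lesson).
$sample = <<<'SAMPLE'
$in = fopen('comment.html', 'r');
stream_filter_append($in, 'string.strip_tags', STREAM_FILTER_READ, '<b><i>');
stream_filter_append($out, 'mcrypt.rijndael-128', STREAM_FILTER_WRITE, $opts);
stream_filter_append($in, 'string.rot13');
SAMPLE;

printf("PHP %s still registers: %s\n", PHP_VERSION,
    implode(', ', removedFiltersRegistered()) ?: 'none of the removed filters');

foreach (findRemovedFilterUses($sample) as $hit) {
    printf("line %d references removed filter %s\n", $hit['line'], $hit['filter']);
}
```

When the named filter does not exist, stream_filter_append() returns false and raises a warning, so a call whose return value is never checked leaves the stream unfiltered. For string.strip_tags, that means markup passes through unstripped.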