> On Jun 25, 2024, at 10:36 AM, Gina P. Banyard <intern...@gpb.moe > <mailto:intern...@gpb.moe>> wrote: > > Hello internals, > > It is this time of year again where we proposed a list of deprecations to add > in PHP 8.4: > > https://wiki.php.net/rfc/deprecations_php_8_4 > <https://wiki.php.net/rfc/deprecations_php_8_4> > > As a reminder, this list has been compiled over the course of the past year > by various different people. > > And as usual, each deprecation will be voted in isolation. > > We still have a bit of time buffer, so if anyone else has any suggestions, > they are free to add them to the RFC. > > Some should be non-controversial, others a bit more.
strtok() ===== strtok() is found 35k times in GitHub: https://github.com/search?q=md5%28+language%3APHP+&type=code <https://github.com/search?q=md5%28+language%3APHP+&type=code> It is a commonly used as a "left part of string up to a character" in addition to its intended use for tokenizing. I would prefer not deprecated because of BC breakage, but IF it is deprecated I would suggest adding a one-for-one replacement function for the "left part of string up to a character" use-case; maybe `str_left("abc.txt",".")` returning `"abc"`. md5()/md5_file() ============= Just FYI, md5() is found 868k times and md5_file() 29.7k times in GitHub: https://github.com/search?q=md5%28+language%3APHP+&type=code <https://github.com/search?q=md5%28+language%3APHP+&type=code> https://github.com/search?q=md5_file%28+language%3APHP+&type=code <https://github.com/search?q=md5_file%28+language%3APHP+&type=code> That is a lot or broken code. However, if deprecated I would suggest adding `insecure_md5()` and `insecure_md5_file()` as a drop-in replacement which would be more obvious and easier than using hash() — so people would be more apt to use it — and that would signal they are obviously using an insecure function which increases the likelihood developers to go to the effort to actually fix the security issues in their code and/or not use md5 for security sensitive code to begin with. sha1()/sha1_file() ============= sha1() is found 167k times and sha1_file() 6.8k times in GitHub: https://github.com/search?q=sha1%28+language%3APHP+&type=code <https://github.com/search?q=sha1%28+language%3APHP+&type=code> https://github.com/search?q=sha1_file%28+language%3APHP+&type=code <https://github.com/search?q=sha1_file%28+language%3APHP+&type=code> Same arguments for md5()/md5_file(), e.g. if deprecated add `insecure_sha1()` and `insecure_sha1_file(). #jmtcw -Mike
