Password hashing
It's one of the simplest and most common actions on the internet, but there's a lot of outdated and plain wrong advice about how passwords should be hashed and stored. This new feature in PHP gives us a quick and correct way to this – and it's designed to update as technology advances and the recommendations change. It (currently) uses bcrypt and a salt to hash a password with a function called password_hash():
password_hash("topsecret", PASSWORD_DEFAULT)
This generates a hash which contains all the information needed to repeat the hash, but not to recover the password itself. When we want to compare the value that was used to create this hash with another password submssion, we just use the password_verify() function:
$hash = "$2y$10$cqcHCw42IE9N.GABOeSkEuQSDF3iKVKIsLljpVqwq0TEc5AJ6Gr3G";
$matching = password_verify("topsecret", $hash);
All we do here is compare the submitted version of the password with the hash we generated in the previous example, with minimal effort. Even better, this has been backported for older versions of PHP (5.3+), implemented in PHP so you can implement this in your current projects immediately – see https://github.com/ircmaxell/password_compat and thank @ircmaxell if you see him!
Generators
If you've used other languages, such as Python, you may have seen this feature already: it's 'new in PHP' rather than being 'new'. A generator is a special function that uses yield statements rather than a single return. The generator behaves like an iterator – when we foreach over it, it will return us a new value on each iteration. An example may make this clearer:
function moves() {
yield "hop";
yield "skip";
yield "jump";
}
This looks like a normal function, but with the yield statements, it's really a generator, and we can use it like this:
foreach (moves() as $m) {
echo "he does a " . $m;
}
OK, so most generators do something much more complicated, calculating values or doing something similar, but hopefully this gives you the impression of what this feature is for. Using a generator avoids having a large data structure generated by range() held in memory, for example, so it can be a really handy tool.
Try, catch ... and finally
Exceptions were introduced into PHP in PHP 5.0, and the vast majority of modern applications are using these now, but PHP 5.5 adds a new extension to this functionality with the finally clause. Again, it's not new – you may have seen this in other languages, notably Java. You can add it to your try/catch statements, and the finally clause will always be run. For example:
try {
$myFile = fopen("textfile.txt", "w+");
// do impressive and complicated things here
} catch (Exception $e) {
echo "Stuff went wrong: " $e->getMessage();
} finally {
// either way, close the file
fclose($myFile);
}
With this example, we have a try/catch wrapped around some code that might throw an exception: the try block is the part we hope will happen; the catch block will be entered immediately if an exception is thrown by the code in the try block. PHP 5.5 introduces the (optional; your existing code will still work) finally block that will be run after either of these blocks. In the example, we close the resource handle regardless of the outcome of the code.
APC, Zend Optimizer and OPcache
There have been some problems in PHP 5.4 with APC, the PHP opcode cache. The majority of production systems have this installed, and the release of a PHP 5.4 version was delayed, and eventually buggy (in a few very edge cases – for most people it will work fine). The opcode cache is important because PHP is an interpreted language; we don't compile it. We just write the code and when we want to run it, the interpreter parses it and turns it into opcodes and then into machine code. Since we usually run a PHP script many times without changing it, it makes sense to cache the opcodes – which is what the opcode cache does.
For PHP 5.5, Zend has donated its existing Zend Optimizer product – this is now called OPcache and forms part of PHP's core. The two will always be released together, so this and all future versions of PHP will have an opcode cache included (in PHP 5.5 it is not enabled by default though, so check your php.ini settings).
As a side note, if you were using the user cache in APC, this is still available separate from the opcode cache functionality – find it at https://github.com/krakjoe/apcu if you need it.
How to upgrade to PHP 5.5
The upgrade steps for modern versions of PHP are simpler than ever; if you had the experience of trying to upgrade applications between PHP 4 and PHP 5, then this will come as a pleasant surprise. There are a few key points, which taken together make the migrations easier:
- Since PHP 5.3 we've had an additional error reporting level, E_DEPRECATED. Enabling this on your current platform will show any language features in use that aren't available in the next version.
- PHP 5.4+ ships with a standalone web server built into it. This isn't intended for use in a live environment, but gives a really good idea of whether your code will work or not. Just grab the newest version of PHP and compile it, then use the web server for some gentle testing.
- It's recommended that you upgrade development and testing platforms first, then staging, before applying PHP 5.5 to a live server – and you're done. Since so many applications now run in a virtualised environment, it might be simpler to set up a new platform and deploy to that, switching over to it once everything looks good.
Today, the PHP language itself is developed in a way that's quite a contrast to its history. There's a target of a major release every year: PHP 5.4 was released in March 2012 and PHP 5.5 in June 2013. Upon the release of PHP 5.5, it was announced that PHP 5.3 would have 12 months of security fixes, and no additional features, bug fixes, or other development work. For PHP programmers, that means that instead of waiting five years between releases, we get the new and shiny stuff in smaller, much more manageable increments – and that we will need to upgrade our platforms much more often than we have up until now. Hopefully this article shows you how you might do that, and what you will find when you get there!
Lorna is an independent web development consultant, trainer and author based in Leeds, UK. She is a PHP specialist and works with teams to get the most out of their applications, their tools, and their people. Lorna is a regular conference speaker and lead developer at the Joind.in open source project.
