5.4.0 (2012-03-01, stable)

The PHP development team is proud to announce the immediate availability of PHP [5.4.0](http://php.net/downloads.php#v5.4.0). This release is a major leap forward in the 5.x series, and includes a large number of new features and bug fixes.
**The key features of PHP 5.4.0 include:**
- New language syntax including [Traits](http://php.net/traits), [shortened array syntax](http://docs.php.net/manual/language.types.array.php) and [more](http://docs.php.net/manual/migration54.new-features.php)
- Improved performance and reduced memory consumption
- Support for multibyte languages now available in all builds of PHP at the flip of a runtime switch
- [Built-in webserver](http://php.net/manual/features.commandline.webserver.php) in CLI mode to simplify development workflows and testing
- Cleaner code base thanks to the removal of multiple deprecated language features
- Many more improvements and fixes
**Changes that affect compatibility:**
- [Register globals](http://www.php.net/manual/security.globals.php), [magic quotes](http://www.php.net/manual/security.magicquotes.php) and [safe mode](http://www.php.net/manual/features.safe-mode.php) were removed
- The [break](http://php.net/manual/control-structures.break.php)/[continue](http://php.net/manual/control-structures.continue.php) $var syntax was removed
- The ini option [allow_call_time_pass_reference](http://www.php.net/manual/ini.core.php#ini.allow-call-time-pass-reference) was removed
- The PHP [default_charset](http://www.php.net/manual/ini.core.php#ini.default-charset) is now "UTF-8" within the distributed php.ini files, but still defaults to ""
**Extensions moved to [PECL](http://pecl.php.net):**
- [ext/sqlite](http://www.php.net/manual/ref.sqlite.php) ([ext/sqlite3](http://www.php.net/manual/book.sqlite3.php) and [ext/pdo_sqlite](http://www.php.net/manual/ref.pdo-sqlite.php) are not affected)

PHP 5.4 will be the last series to support Windows XP and Windows 2003. We will not provide binary packages for these Windows versions after PHP 5.4.

For users upgrading from PHP 5.3 there is a migration guide available [here](http://php.net/migration54), detailing the changes between PHP 5.3 and PHP 5.4.0.

For a full list of changes in PHP 5.4.0, see the [ChangeLog](/ChangeLog-5.php#5.4.0).

- break/continue $var syntax.
- Safe mode and all related ini options.
- register_globals and register_long_arrays ini options.
- import_request_variables().
- allow_call_time_pass_reference.
- define_syslog_variables ini option and its associated function.
- highlight.bg ini option.
- Session bug compatibility mode (session.bug_compat_42 and session.bug_compat_warn ini options).
- session_is_registered(), session_register() and session_unregister() functions.
- y2k_compliance ini option.
- magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase ini options. get_magic_quotes_gpc, get_magic_quotes_runtime are kept but always return false, set_magic_quotes_runtime raises an E_CORE_ERROR.
- Removed support for putenv("TZ=..") for setting the timezone.
- Removed the timezone guessing algorithm in case the timezone isn't set with date.timezone or date_default_timezone_set(). Instead of a guessed timezone, "UTC" is now used instead.
- ext/sqlite. (Note: the ext/sqlite3 and ext/pdo_sqlite extensions are not affected)
- Added short array syntax support ([1,2,3]), see UPGRADING guide for full details.
- Added binary numbers format (0b001010).
- Added support for Class::{expr}() syntax.
- Added multibyte support by default. Previously php had to be compiled with --enable-zend-multibyte. Now it can be enabled or disabled through zend.multibyte directive in php.ini.
- Removed compile time dependency from ext/mbstring.
- Added support for Traits.
- Added closure $this support back.
- Added array dereferencing support.
- Added callable typehint.
- Added indirect method call through array. [#47160](http://bugs.php.net/47160).
- Added DTrace support.
- Added class member access on instantiation (e.g. (new foo)->bar()) support.
- <?= is now always available regardless of the short_open_tag setting.
- Implemented Zend Signal Handling (configurable option --enable-zend-signals, off by default).
- Improved output layer, see README.NEW-OUTPUT-API for internals.
- Improved unix build system to allow building multiple PHP binary SAPIs and one SAPI module the same time. [#53271](http://bugs.php.net/53271), [#52419](http://bugs.php.net/52419).
- Implemented closure rebinding as parameter to bindTo.
- Improved the warning message of incompatible arguments.
- Improved ternary operator performance when returning arrays.
- Changed error handlers to only generate docref links when the docref_root INI setting is not empty.
- Changed silent conversion of array to string to produce a notice.
- Changed default value of "default_charset" php.ini option from ISO-8859-1 to UTF-8.
- Changed silent casting of null/''/false into an Object when adding a property into a warning.
- Changed E_ALL to include E_STRICT.
- Disabled windows CRT warning by default, can be enabled again using the ini directive windows_show_crt_warnings.
- Fixed bug #55378: Binary number literal returns float number though its value is small enough.
- Improved parse error messages.
- Replaced zend_function.pass_rest_by_reference by ZEND_ACC_PASS_REST_BY_REFERENCE in zend_function.fn_flags.
- Replaced zend_function.return_reference by ZEND_ACC_RETURN_REFERENCE in zend_function.fn_flags.
- Removed zend_arg_info.required_num_args as it was only needed for internal functions. Now the first arg_info for internal functions (which has special meaning) is represented by zend_internal_function_info structure.
- Moved zend_op_array.size, size_var, size_literal, current_brk_cont, backpatch_count into CG(context) as they are used only during compilation.
- Moved zend_op_array.start_op into EG(start_op) as it's used only for 'interactive' execution of single top-level op-array.
- Replaced zend_op_array.done_pass_two by ZEND_ACC_DONE_PASS_TWO in zend_op_array.fn_flags.
- op_array.vars array is trimmed (reallocated) during pass_two.
- Replaced zend_class_entry.constants_updated by ZEND_ACC_CONSTANTS_UPDATED in zend_class_entry.ce_flags.
- Reduced the size of zend_class_entry by sharing the same memory space by different information for internal and user classes. See zend_class_entry.info union.
- Reduced size of temp_variable.
- Inlined most probable code-paths for arithmetic operations directly into executor.
- Eliminated unnecessary iterations during request startup/shutdown.
- Changed $GLOBALS into a JIT autoglobal, so it's initialized only if used. (this may affect opcode caches!)
- Improved performance of @ (silence) operator.
- Simplified string offset reading. $str[1][0] is now a legal construct.
- Added caches to eliminate repeatable run-time bindings of functions, classes, constants, methods and properties.
- Added concept of interned strings. All strings constants known at compile time are allocated in a single copy and never changed.
- ZEND_RECV now always has IS_CV as its result.
- ZEND_CATCH now has to be used only with constant class names.
- ZEND_FETCH_DIM_? may fetch array and dimension operands in different order.
- Simplified ZEND_FETCH_*_R operations. They can't be used with the EXT_TYPE_UNUSED flag any more. This is a very rare and useless case. ZEND_FREE might be required after them instead.
- Split ZEND_RETURN into two new instructions ZEND_RETURN and ZEND_RETURN_BY_REF.
- Optimized access to global constants using values with pre-calculated hash_values from the literals table.
- Optimized access to static properties using executor specialization. A constant class name may be used as a direct operand of ZEND_FETCH_* instruction without previous ZEND_FETCH_CLASS.
- zend_stack and zend_ptr_stack allocation is delayed until actual usage.
- Added an optimization which saves memory and emalloc/efree calls for empty HashTables.
- Added ability to reset user opcode handlers.
- Changed the structure of op_array.opcodes. The constant values are moved from opcode operands into a separate literal table.
- Fixed (disabled) inline-caching for ZEND_OVERLOADED_FUNCTION methods.
- Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes).
- Added optional argument to debug_backtrace() and debug_print_backtrace() to limit the amount of stack frames returned.
- Added hex2bin() function.
- number_format() no longer truncates multibyte decimal points and thousand separators to the first byte. [#53457](http://bugs.php.net/53457).
- Added support for object references in recursive serialize() calls. [#36424](http://bugs.php.net/36424).
- Added support for SORT_NATURAL and SORT_FLAG_CASE in array sort functions (sort, rsort, ksort, krsort, asort, arsort and array_multisort). [#55158](http://bugs.php.net/55158).
- Added stream metadata API support and stream_metadata() stream class handler.
- User wrappers can now define a stream_truncate() method that responds to truncation, e.g. through ftruncate(). [#53888](http://bugs.php.net/53888).
- Improved unserialize() performance.
- Changed array_combine() to return empty array instead of FALSE when both parameter arrays are empty. [#34857](http://bugs.php.net/34857).
- Fixed invalid free in call_user_method() function.
- Fixed crypt_blowfish handling of 8-bit characters (CVE-2011-2483).
- Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>).
- Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with $double=false).
- Fixed bug #60895 (Possible invalid handler usage in windows random functions).
- Fixed bug #60879 (unserialize() Does not invoke __wakeup() on object).
- Fixed bug #60825 (Segfault when running symfony 2 tests).
- Fixed bug #60809 (TRAITS - PHPDoc Comment Style Bug).
- Fixed bug #60627 (httpd.worker segfault on startup with php_value).
- Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax).
- Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax).
- Fixed bug #60558 (Invalid read and writes).
- Fixed bug #60536 (Traits Segfault).
- Fixed bug #60444.
- Fixed bug #60362 (non-existent sub-sub keys should not have values).
- Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
- Fixed bug #60321 (ob_get_status(true) no longer returns an array when buffer is empty).
- Fixed bug #60282 (Segfault when using ob_gzhandler() with open buffers).
- Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings).
- Fixed bug #60227 (header() cannot detect the multi-line header with CR(0x0D)).
- Fixed bug #60174 (Notice when array in method prototype error).
- Fixed bug #60169 (Conjunction of ternary and list crashes PHP).
- Fixed bug #60120 (proc_open's streams may hang with stdin/out/err when the data exceeds or is equal to 2048 bytes).
- Fixed bug #60099 (__halt_compiler() works in braced namespaces).
- Fixed bug #60038 (SIGALRM cause segfault in php_error_cb).
- Fixed bug #55874 (GCC does not provide __sync_fetch_and_add on some archs).
- Fixed bug #55871 (Interruption in substr_replace()).
- Fixed bug #55825 (Missing initial value of static locals in trait methods).
- Fixed bug #55801 (Behavior of unserialize has changed).
- Fixed bug #55622 (memory corruption in parse_ini_string).
- Fixed bug #55758 (Digest Authenticate missed in 5.4).
- Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup()) (CVE-2011-4153).
- Fixed bug #55749 (TOCTOU issue in getenv() on Windows builds).
- Fixed bug #55707 (undefined reference to `__sync_fetch_and_add_4' on Linux parisc).
- Fixed bug #55705 (Omitting a callable typehinted argument causes a segfault).
- Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
- Fixed bug #55471 (ZTS build broken with dtrace).
- Fixed bug #55124 (recursive mkdir fails with current (dot) directory in path).
- Fixed bug #55084 (Function registered by header_register_callback is called only once per process).
- Implement [#54514](http://bugs.php.net/54514) (Get php binary path during script execution).
- Fixed bug #52624 (tempnam() by-pass open_basedir with nonexistent directory).
- Fixed bug #52211 (iconv() returns part of string on error).
- Fixed bug #51860 (Include fails with toplevel symlink to /).
- Added $_SERVER['REQUEST_TIME_FLOAT'] to include microsecond precision.
- Added max_input_vars directive to prevent attacks based on hash collisions.
- Added header_register_callback() which is invoked immediately prior to the sending of headers and after default headers have been added.
- Added http_response_code() function. [#52555](http://bugs.php.net/52555).
- Fixed bug #55500 (Corrupted $_FILES indices lead to security concern).
- Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices).
- Fixed bug #60205 (possible integer overflow in content_length).
- Added friendly log messages. [#55109](http://bugs.php.net/55109).
- Added built-in web server that is intended for testing purpose.
- Added command line option --rz <name> which shows information of the named Zend extension.
- Interactive readline shell improvements.
- Fixed bug #60591 (Memory leak when access a non-exists file).
- Fixed bug #60523 (PHP Errors are not reported in browsers using built-in SAPI).
- Fixed bug #60477 (Segfault after two multipart/form-data POST requests, one 200 RQ and one 404).
- Implement [#60390](http://bugs.php.net/60390) (Missing $_SERVER['SERVER_PORT']).
- Fixed bug #60180 ($_SERVER["PHP_SELF"] incorrect).
- Fixed bug #60159 (Router returns false, but POST is not passed to requested resource).
- Fixed bug #60146 (Last 2 lines of page not being output).
- Fixed bug #60115 (memory definitely lost in cli server).
- Fixed bug #60112 (If URI does not contain a file, index.php is not served).
- Fixed bug #55759 (memory leak when using built-in server).
- Fixed bug #55755 (SegFault when outputting header WWW-Authenticate).
- Fixed bug #55747 (request headers missed in $_SERVER).
- Fixed bug #55726 (Changing the working directory makes router script inaccessible).
- Fixed bug #55463 (cli-server missing _SERVER[REMOTE_ADDR]).
- Fixed bug #55450 (Built in web server not accepting file uploads).
- Fixed bug #55423 (cli-server could not output correctly in some case).
- Added apache compatible functions: apache_child_terminate(), getallheaders(), apache_request_headers() and apache_response_headers().
- Improved performance of FastCGI request parsing.
- Fixed reinitialization of SAPI callbacks after php_module_startup().
- Added partial syslog support (on error_log only). [#52052](http://bugs.php.net/52052).
- Added .phar to default authorized extensions.
- Added process.max to control the number of process FPM can fork. [#55166](http://bugs.php.net/55166).
- Dropped restriction of not setting the same value multiple times, the last one holds.
- Lowered default value for Process Manager. [#54098](http://bugs.php.net/54098).
- Enhanced security by limiting access to user defined extensions. [#55181](http://bugs.php.net/55181).
- Enhanced error log when the primary script can't be open. [#60199](http://bugs.php.net/60199).
- Removed EXPERIMENTAL flag.
- Fixed bug #60659 (FPM does not clear auth_user on request accept).
- Fixed bug #60629 (memory corruption when web server closed the fcgi fd).
- Fixed bug #55769 (Make Fails with "Missing Separator" error).
- Fixed bug #60377 (bcscale related crashes on 64bits platforms).
- Added support for CURLOPT_MAX_RECV_SPEED_LARGE and CURLOPT_MAX_SEND_SPEED_LARGE. [#51815](http://bugs.php.net/51815).
- Fixed bug #60439 (curl_copy_handle segfault when used with CURLOPT_PROGRESSFUNCTION).
- Added the + modifier to parseFromFormat to allow trailing text in the string to parse without throwing an error.
- Added Tokyo Cabinet abstract DB support.
- Added Berkeley DB 5 support.
- Added the ability to pass options to loadHTML.
- scandir() now accepts SCANDIR_SORT_NONE as a possible sorting_order value. [#53407](http://bugs.php.net/53407).
- Fixed possible memory leak in finfo_open().
- Fixed memory leak when calling the Finfo constructor twice.
- Fixed bug #60094 (C++ comment fails in c89).
- Added Jenkins's one-at-a-time hash support.
- Added FNV-1 hash support.
- Made Adler32 algorithm faster. [#53213](http://bugs.php.net/53213).
- Removed Salsa10/Salsa20, which are actually stream ciphers.
- Fixed bug #60221 (Tiger hash output byte order).
- Added Spoofchecker class, allows checking for visibly confusable characters and other security issues.
- Added Transliterator class, allowing transliteration of strings.
- Added support for UTS #46.
- Fixed memory leak in several Intl locale functions.
- Fixed build on Fedora 15 / Ubuntu 11.
- Fixed bug #55562 (grapheme_substr() returns false on big length).
- Added new json_encode() option JSON_UNESCAPED_UNICODE. [#53946](http://bugs.php.net/53946).
- Added JsonSerializable interface.
- Added JSON_BIGINT_AS_STRING, extended json_decode() sig with $options.
- Added support for JSON_NUMERIC_CHECK option in json_encode() that converts numeric strings to integers.
- Added new json_encode() option JSON_UNESCAPED_SLASHES. [#49366](http://bugs.php.net/49366).
- Added new json_encode() option JSON_PRETTY_PRINT. [#44331](http://bugs.php.net/44331).
- Added paged results support. [#42060](http://bugs.php.net/42060).
- Added Shift_JIS/UTF-8 Emoji (pictograms) support.
- Added JIS X0213:2004 (Shift_JIS-2004, EUC-JP-2004, ISO-2022-JP-2004) support.
- Ill-formed UTF-8 check for security enhancements.
- Added MacJapanese (Shift_JIS) and gb18030 encoding support.
- Added encode/decode in hex format to mb_[en|de]code_numericentity().
- Added user JIS X0213:2004 (Shift_JIS-2004, EUC-JP-2004, ISO-2022-JP-2004) support.
- Added the user defined area for CP936 and CP950.
- Fixed possible crash in mb_ereg_search_init() using empty pattern.
- Fixed bug #60306 (Characters lost while converting from cp936 to utf8).
- Fixed bug #60267 (Compile failure with freetds 0.91).
- MySQL: Deprecated mysql_list_dbs(). [#50667](http://bugs.php.net/50667).
- mysqlnd: Added named pipes support. [#48082](http://bugs.php.net/48082).
- MySQLi: Added iterator support in MySQLi. mysqli_result implements Traversable.
- PDO_mysql: Removed support for linking with MySQL client libraries older than 4.1.
- ext/mysql, mysqli and pdo_mysql now use mysqlnd by default.
- Fixed bug #55473 (mysql_pconnect leaks file descriptors on reconnect).
- Fixed bug #55653 (PS crash with libmysql when binding same variable as param and out).
- Added AES support. [#48632](http://bugs.php.net/48632).
- Added a "no_ticket" SSL context option to disable the SessionTicket TLS extension. [#53447](http://bugs.php.net/53447).
- Added no padding option to openssl_encrypt()/openssl_decrypt().
- Use php's implementation for Windows Crypto API in openssl_random_pseudo_bytes.
- On error in openssl_random_pseudo_bytes() made sure we set strong result to false.
- Fixed segfault with older versions of OpenSSL.
- Fixed possible attack in SSL sockets with SSL 3.0 / TLS 1.0. CVE-2011-3389.
- Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).
- Fixed bug #60279 (Fixed NULL pointer dereference in stream_socket_enable_crypto, case when ssl_handle of session_stream is not initialized).
- Increased maximum Oracle error message buffer length for new 11.2.0.3 size.
- Improved internal initialization failure error messages.
- Fixed bug #59985 (show normal warning text for OCI_NO_DATA).
- Fixed PDO objects binary incompatibility.
- Added nextRowset support.
- Fixed bug #60033 (Incorrectly merged PDO dblib patches break uniqueidentifier column type).
- Fixed bug #50755 (PDO DBLIB Fails with OOM).
- Fixed bug #53280 (segfaults if query column count less than param count).
- Fixed bug #48877 ("bindValue" and "bindParam" do not work for PDO Firebird).
- Fixed bug #47415 (segfaults when passing lowercased column name to bindColumn).
- Added support for "extra" parameter for PGNotify().
- Changed third parameter of preg_match_all() to optional. [#53238](http://bugs.php.net/53238).
- Fixed bug #54450 (Enable callback support when built against libedit).
- Added ReflectionClass::newInstanceWithoutConstructor() to create a new instance of a class without invoking its constructor. [#55490](http://bugs.php.net/55490).
- Added ReflectionExtension::isTemporary() and ReflectionExtension::isPersistent() methods.
- Added ReflectionZendExtension class.
- Added ReflectionClass::isCloneable().
- Fixed bug #60367 (Reflection and Late Static Binding).
- Fixed bug #60357 (__toString() method triggers E_NOTICE "Array to string conversion").
- Expose session status via new function, session_status. [#52982](http://bugs.php.net/52982).
- Added support for object-oriented session handlers.
- Added support for storing upload progress feedback in session data.
- Changed session.entropy_file to default to /dev/urandom or /dev/arandom if either is present at compile time.
- Fixed bug #60860 (session.save_handler=user without defined function core dumps).
- Implement [#60551](http://bugs.php.net/60551) (session_set_save_handler should support a core's session handler interface).
- Fixed bug #60640 (invalid return values).
- Added OO API. [#53594](http://bugs.php.net/53594) (php-snmp rewrite).
- Sanitized return values of existing functions. Now it returns FALSE on failure.
- Allow ~infinite OIDs in GET/GETNEXT/SET queries. Autochunk them to max_oids upon request.
- Introducing unit tests for extension with ~full coverage. IPv6 support. ([#42918](http://bugs.php.net/42918))
- Way of representing OID value can now be changed when SNMP_VALUE_OBJECT is used for value output mode. Use or'ed SNMP_VALUE_LIBRARY(default if not specified) or SNMP_VALUE_PLAIN. ([#54502](http://bugs.php.net/54502))
- Fixed bug #60749 (SNMP module should not strip non-standard SNMP port from hostname).
- Fixed bug #60585 (php build fails with USE flag snmp when IPv6 support is disabled).
- Fixed bug #53862 (snmp_set_oid_output_format does not allow returning to default).
- Fixed bug #51336 (snmprealwalk (snmp v1) does not handle end of OID tree correctly).
- Fixed bug #46065 (snmp_set_quick_print() persists between requests).
- Fixed bug #45893 (Snmp buffer limited to 2048 char).
- Fixed bug #44193 (snmp v3 noAuthNoPriv doesn't work).
- Added new SoapClient option "keep_alive". [#60329](http://bugs.php.net/60329).
- Fixed basic HTTP authentication for WSDL sub requests.
- Added RegexIterator::getRegex() method.
- Added SplObjectStorage::getHash() hook.
- Added CallbackFilterIterator and RecursiveCallbackFilterIterator.
- Added missing class_uses(..) as pointed out by [#55266](http://bugs.php.net/55266).
- Immediately reject wrong usages of directories under Spl(Temp)FileObject and friends.
- FilesystemIterator, GlobIterator and (Recursive)DirectoryIterator now use the default stream context.
- Fixed bug #60201 (SplFileObject::setCsvControl does not expose third argument via Reflection).
- Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY).
- Fixed bug #55287 (spl_classes() not includes CallbackFilter classes).
- Fixed bug #55750 (memory copy issue in sysvshm extension).
- Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference).
- Fixed bug #54089 (token_get_all with regards to __halt_compiler is not binary safe).
- Added XsltProcessor::setSecurityPrefs($options) and getSecurityPrefs() to define forbidden operations within XSLT stylesheets, default is not to enable write operations from XSLT. Bug #54446.
- XSL doesn't stop transformation anymore, if a PHP function can't be called.
- Re-implemented non-file related functionality.
- Fixed bug #55544 (ob_gzhandler always conflicts with zlib.output_compression).