Upgrading to PHP 7

PHP has provided a simple yet capable web scripting language for as long as I can remember. In the last few years, it has matured from a home-brew scripting language to one with a formal specification. Part of this process included the adoption of PHP 7 where there are a number of critical changes to consider before migrating your PHP 5 applications.

During an upgrade earlier this year on one of my Ubuntu servers, there was a warning that my PHP 5 instance would not be included as part of the 16.04 install. Once the installation was complete it was simple to install PHP via apt; however, at this point it was PHP 7 and there are now functions in my application that no longer work.

This article is about the migration process of converting a legacy pre-PHP 5 application to support PHP 7 natively.

Short Tags. Previously it was possible to do something like this:


This has been disabled by default. The easiest solution is to update multi-line blocks to look like this:


There is a configuration option short_open_tag in php.ini which may be toggled to allow this interpretation, but going forward you should anticipate this will be less predominant and using the qualified <?php tag makes more sense.

Arrays Must be Checked. Previously it was possible to do the following:

if($_POST{"do_x"}) {
    $message = $_POST{"do_x"};

This use to be a popular technique for checking GET or POST variables. The correct way to do this now in PHP 7:

if(isset($_POST["do_x"])) {
    $message = $_POST["do_x"];

Legacy mysql Replaced with MySQLi. The mysql functions have been replaced with MySQLi, which invariably means you can simply rename something like mysql_connect() to mysqli_connect(). There are also slight nuances to some of these commands; for example, when connecting you must specify the database to use.

The venerable mysql_escape_string() has been deprecated and should be replaced using mysqli_real_escape_string(). Here is how this might have looked previously:

$firstName = mysql_escape_string($_GET{'firstName'});

This now would read as follows:

$db = mysqli_connect($host, $username, $password, $database);
$firstName = mysqli_real_escape_string($db, $_POST{'firstName'})

For my particular application, it was easier to declare a function mysql_escape_string() and have this simulate the escape logic using the new MySQLi invocation.

Regular Expressions. The eregi() function has been replaced with preg_match(). So a typical invocation that may have looked like so:

if( eregi( "config.php", $_SERVER['PHP_SELF'] ) ) {
    die_custom( "You can't access this file directly!" );

Now this reads as follows:

if(preg_match( "/config\.php/", $_SERVER['PHP_SELF'] ) ) {
    die_custom( "You can't access this file directly!" );

There are many other aspects to consider during your PHP 7 upgrade, fortunately the PHP site offers a Migrating from PHP 5.6.x to 7.0.x guide which provides excellent details on the changes developers should expect to find during their 7.0 upgrade.