PHP 7.4.0: Downloads, Changelog, News

Release Information

Release
7.4.0
PHP Version
PHP 7.4
Release Date
Release Type
Security Update
Release Status
EOL, Use PHP 7.4.33
Branch Status
Unsupported

PHP 7.4 reached EOL on , and all releases of this version no longer receive security or bug fixes. Using PHP 7.4.0 is not recommended. PHP 7.4.33 is the latest version in the series.

Downloads

Source Code

Git Clone
Use Git to clone the 7.4.0 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-7.4.0
How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (./buildconf), configuring the build ./configure, and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.

Windows binaries

Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.

Docker/Podman Containers

PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:7.4.0-cli-alpine

Debian-based: More compatible with other components, complete, and are widely used.
docker pull php:7.4.0-cli
PHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:7.4.0-fpm-alpine

Debian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:7.4.0-apache

Debian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:7.4.0-fpm

ChangeLog

Core

  • Implemented RFC: Deprecate curly brace syntax for accessing array elements and string offsets. https://wiki.php.net/rfc/deprecate_curly_braces_array_access
  • Implemented RFC: Deprecations for PHP 7.4. https://wiki.php.net/rfc/deprecations_php_7_4
  • Fixed bug #52752 (Crash when lexing).
  • Fixed bug #60677 (CGI doesn't properly validate shebang line contains #!).
  • Fixed bug #71030 (Self-assignment in list() may have inconsistent behavior).
  • Fixed bug #72530 (Use After Free in GC with Certain Destructors).
  • Fixed bug #75921 (Inconsistent: No warning in some cases when stdObj is created on the fly).
  • Implemented FR #76148 (Add array_key_exists() to the list of specially compiled functions).
  • Fixed bug #76430 (METHOD inconsistent outside of method).
  • Fixed bug #76451 (Aliases during inheritance type checks affected by opcache).
  • Implemented FR #77230 (Support custom CFLAGS and LDFLAGS from environment).
  • Fixed bug #77345 (Stack Overflow caused by circular reference in garbage collection).
  • Fixed bug #77812 (Interactive mode does not support PHP 7.3-style heredoc).
  • Fixed bug #77877 (call_user_func() passes $this to static methods).
  • Fixed bug #78066 (PHP eats the first byte of a program that comes from process substitution).
  • Fixed bug #78151 (Segfault caused by indirect expressions in PHP 7.4a1).
  • Fixed bug #78154 (SEND_VAR_NO_REF does not always send reference).
  • Fixed bug #78182 (Segmentation fault during by-reference property assignment).
  • Fixed bug #78212 (Segfault in built-in webserver).
  • Fixed bug #78220 (Can't access OneDrive folder).
  • Fixed bug #78226 (Unexpected __set behavior with typed properties).
  • Fixed bug #78239 (Deprecation notice during string conversion converted to exception hangs).
  • Fixed bug #78335 (Static properties/variables containing cycles report as leak).
  • Fixed bug #78340 (Include of stream wrapper not reading whole file).
  • Fixed bug #78344 (Segmentation fault on zend_check_protected).
  • Fixed bug #78356 (Array returned from ArrayAccess is incorrectly unpacked as argument).
  • Fixed bug #78379 (Cast to object confuses GC, causes crash).
  • Fixed bug #78386 (fstat mode has unexpected value on PHP 7.4).
  • Fixed bug #78396 (Second file_put_contents in Shutdown hangs script).
  • Fixed bug #78406 (Broken file includes with user-defined stream filters).
  • Fixed bug #78438 (Corruption when __unserializing deeply nested structures).
  • Fixed bug #78441 (Parse error due to heredoc identifier followed by digit).
  • Fixed bug #78454 (Consecutive numeric separators cause OOM error).
  • Fixed bug #78460 (PEAR installation failure).
  • Fixed bug #78531 (Crash when using undefined variable as object).
  • Fixed bug #78535 (auto_detect_line_endings value not parsed as bool).
  • Fixed bug #78604 (token_get_all() does not properly tokenize FOO<?php with short_open_tag=0).
  • Fixed bug #78614 (Does not compile with DTRACE anymore).
  • Fixed bug #78620 (Out of memory error).
  • Fixed bug #78632 (method_exists() in php74 works differently from php73 in checking priv. methods).
  • Fixed bug #78644 (SEGFAULT in ZEND_UNSET_OBJ_SPEC_VAR_CONST_HANDLER).
  • Fixed bug #78658 (Memory corruption using Closure::bindTo).
  • Fixed bug #78656 (Parse errors classified as highest log-level).
  • Fixed bug #78662 (stream_write bad error detection).
  • Fixed bug #78768 (redefinition of typedef zend_property_info).
  • Fixed bug #78788 (./configure generates invalid php_version.h).
  • Fixed incorrect usage of QM_ASSIGN instruction. It must not return IS_VAR. As a side effect, this allowed passing left hand list() "by reference", instead of compile-time error.

CLI

  • The built-in CLI server now reports the request method in log files.

COM

  • Deprecated registering of case-insensitive constants from typelibs.
  • Fixed bug #78650 (new COM Crash).
  • Fixed bug #78694 (Appending to a variant array causes segfault).

CURL

  • Fixed bug #76480 (Use curl_multi_wait() so that timeouts are respected).
  • Implemented FR #77711 (CURLFile should support UNICODE filenames).
  • Deprecated CURLPIPE_HTTP1.
  • Deprecated $version parameter of curl_version().

Date

  • Updated timelib to 2018.02.
  • Fixed bug #69044 (discrepency between time and microtime).
  • Fixed bug #70153 (\DateInterval incorrectly unserialized).
  • Fixed bug #75232 (print_r of DateTime creating side-effect).
  • Fixed bug #78383 (Casting a DateTime to array no longer returns its properties).
  • Fixed bug #78751 (Serialising DatePeriod converts DateTimeImmutable).

Exif

  • Fixed bug #78333 (Exif crash (bus error) due to wrong alignment and invalid cast).
  • Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
  • Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)

Fileinfo

  • Fixed bug #78075 (finfo_file treats JSON file as text/plain).
  • Fixed bug #78183 (finfo_file shows wrong mime-type for .tga file).

Filter

  • The filter extension no longer has the --with-pcre-dir on Unix builds, allowing the extension to be once more compiled as shared using ./configure.

FFI

  • Added FFI extension.
  • Fixed bug #78488 (OOB in ZEND_FUNCTION(ffi_trampoline)).
  • Fixed bug #78543 (is_callable() on FFI\CData throws Exception).
  • Fixed bug #78716 (Function name mangling is wrong for some parameter types).
  • Fixed bug #78762 (Failing FFI::cast() may leak memory).
  • Fixed bug #78761 (Zend memory heap corruption with preload and casting).
  • Implement FR #78270 (Support __vectorcall convention with FFI).
  • Added missing FFI::isNull().

FPM

  • Implemented FR #72510 (systemd service should be hardened).
  • Fixed bug #74083 (master PHP-fpm is stopped on multiple reloads).
  • Fixed bug #78334 (fpm log prefix message includes wrong stdout/stderr notation).
  • Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)

GD

  • Implemented the scatter filter (IMG_FILTER_SCATTER).
  • The bundled libgd behaves now like system libgd wrt. IMG_CROP_DEFAULT never falling back to IMG_CROP_SIDES.
  • The default $mode parameter of imagecropauto() has been changed to IMG_CROP_DEFAULT; passing -1 is now deprecated.
  • Added support for aspect ratio preserving scaling to a fixed height for imagescale().
  • Added TGA read support.
  • Fixed bug #73291 (imagecropauto() $threshold differs from external libgd).
  • Fixed bug #76324 (cannot detect recent versions of freetype with pkg-config).
  • Fixed bug #78314 (missing freetype support/functions with external gd).

GMP

  • Fixed bug #78574 (broken shared build).

Hash

Iconv

  • Fixed bug #78342 (Bus error in configure test for iconv //IGNORE).
  • Fixed bug #78642 (Wrong libiconv version displayed).

Libxml

  • Fixed bug #78279 (libxml_disable_entity_loader settings is shared between requests (cgi-fcgi)).

InterBase

  • Unbundled the InterBase extension and moved it to PECL.

Intl

  • Raised requirements to ICU ≥ 50.1.
  • Changed ResourceBundle to implement Countable.
  • Changed default of $variant parameter of idn_to_ascii() and idn_to_utf8().

LDAP

  • Deprecated ldap_control_paged_result_response and ldap_control_paged_result

LiteSpeed

  • Updated to LiteSpeed SAPI V7.5 (Fixed clean shutdown).
  • Updated to LiteSpeed SAPI V7.4.3 (increased response header count limit from 100 to 1000, added crash handler to cleanly shutdown PHP request, added CloudLinux mod_lsapi mode).
  • Fixed bug #76058 (After "POST data can't be buffered", using php://input makes huge tmp files).

MBString

  • Fixed bug #77907 (mb-functions do not respect default_encoding).
  • Fixed bug #78579 (mb_decode_numericentity: args number inconsistency).
  • Fixed bug #78609 (mb_check_encoding() no longer supports stringable objects).

MySQLi

  • Fixed bug #67348 (Reading $dbc->stat modifies $dbc->affected_rows).
  • Fixed bug #76809 (SSL settings aren't respected when persistent connections are used).
  • Fixed bug #78179 (MariaDB server version incorrectly detected).
  • Fixed bug #78213 (Empty row pocket).

MySQLnd

  • Fixed connect_attr issues and added the _server_host connection attribute.
  • Fixed bug #60594 (mysqlnd exposes 160 lines of stats in phpinfo).

ODBC

  • Fixed bug #78473 (odbc_close() closes arbitrary resources).

Opcache

  • Implemented preloading RFC: https://wiki.php.net/rfc/preload.
  • Add opcache.preload_user INI directive.
  • Added new INI directive opcache.cache_id (Windows only).
  • Fixed bug #78106 (Path resolution fails if opcache disabled during request).
  • Fixed bug #78175 (Preloading segfaults at preload time and at runtime).
  • Fixed bug #78202 (Opcache stats for cache hits are capped at 32bit NUM).
  • Fixed bug #78271 (Invalid result of if-else).
  • Fixed bug #78341 (Failure to detect smart branch in DFA pass).
  • Fixed bug #78376 (Incorrect preloading of constant static properties).
  • Fixed bug #78429 (opcache_compile_file(FILE); segfaults).
  • Fixed bug #78512 (Cannot make preload work).
  • Fixed bug #78514 (Preloading segfaults with inherited typed property).
  • Fixed bug #78654 (Incorrectly computed opcache checksum on files with non-ascii characters).

OpenSSL

  • Added TLS 1.3 support to streams including new tlsv1.3 stream.
  • Added openssl_x509_verify function.
  • openssl_random_pseudo_bytes() now throws in error conditions.
  • Changed the default config path (Windows only).
  • Fixed bug #78231 (Segmentation fault upon stream_socket_accept of exported socket-to-stream).
  • Fixed bug #78391 (Assertion failure in openssl_random_pseudo_bytes).
  • Fixed bug #78775 (TLS issues from HTTP request affecting other encrypted connections).

Pcntl

  • Fixed bug #77335 (PHP is preventing SIGALRM from specifying SA_RESTART).

PCRE

  • Implemented FR #77094 (Support flags in preg_replace_callback).
  • Fixed bug #72685 (Repeated UTF-8 validation of same string in UTF-8 mode).
  • Fixed bug #73948
  • Fixed bug #78338 (Array cross-border reading in PCRE).
  • Fixed bug #78349 (Bundled pcre2 library missing LICENCE file).

PDO

PDO_Firebird

  • Implemented FR #65690 (PDO_Firebird should also support dialect 1).
  • Implemented FR #77863 (PDO firebird support type Boolean in input parameters).

PDO_MySQL

  • Fixed bug #41997 (SP call yields additional empty result set).
  • Fixed bug #78623 (Regression caused by "SP call yields additional empty result set").

PDO_OCI

  • Support Oracle Database tracing attributes ACTION, MODULE, CLIENT_INFO, and CLIENT_IDENTIFIER.
  • Implemented FR #76908 (PDO_OCI getColumnMeta() not implemented).

PDO_SQLite

  • Implemented sqlite_stmt_readonly in PDO_SQLite.
  • Raised requirements to SQLite 3.5.0.
  • Fixed bug #78192 (SegFault when reuse statement after schema has changed).
  • Fixed bug #78348 (Remove -lrt from pdo_sqlite.so).

Phar

  • Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN).

phpdbg

  • Fixed bug #76596 (phpdbg support for display_errors=stderr).
  • Fixed bug #76801 (too many open files).
  • Fixed bug #77800 (phpdbg segfaults on listing some conditional breakpoints).
  • Fixed bug #77805 (phpdbg build fails when readline is shared).

Recode

  • Unbundled the recode extension.

Reflection

  • Fixed bug #76737 (Unserialized reflection objects are broken, they shouldn't be serializable).
  • Fixed bug #78263 (`ReflectionReference::fromArrayElement()` returns null while item is a reference).
  • Fixed bug #78410 (Cannot "manually" unserialize class that is final and extends an internal one).
  • Fixed bug #78697 (ReflectionClass::implementsInterface - inaccurate error message with traits).
  • Fixed bug #78774 (ReflectionNamedType on Typed Properties Crash).

Session

  • Fixed bug #78624 (session_gc return value for user defined session handlers).

SimpleXML

  • Implemented FR #65215 (SimpleXMLElement could register as implementing Countable).
  • Fixed bug #75245 (Don't set content of elements with only whitespaces).

Sockets

  • Fixed bug #67619 (Validate length on socket_write).
  • Fixed bug #78665 (Multicasting may leak memory).

sodium

  • Fixed bug #77646 (sign_detached() strings not terminated).
  • Fixed bug #78510 (Partially uninitialized buffer returned by sodium_crypto_generichash_init()).
  • Fixed bug #78516 (password_hash(): Memory cost is not in allowed range).

SPL

  • Fixed bug #77518 (SeekableIterator::seek() should accept 'int' typehint as documented).
  • Fixed bug #78409 (Segfault when creating instance of ArrayIterator without constructor).
  • Fixed bug #78436 (Missing addref in SplPriorityQueue EXTR_BOTH mode).
  • Fixed bug #78456 (Segfault when serializing SplDoublyLinkedList).

SQLite3

  • Unbundled libsqlite.
  • Raised requirements to SQLite 3.7.4.
  • Forbid (un)serialization of SQLite3, SQLite3Stmt and SQLite3Result.
  • Added support for the SQLite @name notation.
  • Added SQLite3Stmt::getSQL() to retrieve the SQL of the statement.
  • Implement FR ##70950 (Make SQLite3 Online Backup API available).

Standard

  • Implemented password hashing registry RFC: https://wiki.php.net/rfc/password_registry.
  • Implemented RFC where password_hash() has argon2i(d) implementations from ext/sodium when PHP is built without libargon: https://wiki.php.net/rfc/sodium.`argon.h`ash
  • Implemented FR GH-38301 (field enclosure behavior in fputcsv).
  • Implemented FR #51496 (fgetcsv should take empty string as an escape).
  • Fixed bug #73535 (php_sockop_write() returns 0 on error, can be used to trigger Denial of Service).
  • Fixed bug #74764 (Bindto IPv6 works with file_get_contents but fails with stream_socket_client).
  • Fixed bug #76859 (stream_get_line skips data if used with data-generating filter).
  • Implemented FR #77377 (No way to handle CTRL+C in Windows).
  • Fixed bug #77930 (stream_copy_to_stream should use mmap more often).
  • Implemented FR #78177 (Make proc_open accept command array).
  • Fixed bug #78208 (password_needs_rehash() with an unknown algo should always return true).
  • Fixed bug #78241 (touch() does not handle dates after 2038 in PHP 64-bit).
  • Fixed bug #78282 (atime and mtime mismatch).
  • Fixed bug #78326 (improper memory deallocation on stream_get_contents() with fixed length buffer).
  • Fixed bug #78346 (strip_tags no longer handling nested php tags).
  • Fixed bug #78506 (Error in a php_user_filter::filter() is not reported).
  • Fixed bug #78549 (Stack overflow due to nested serialized input).
  • Fixed bug #78759 (array_search in $GLOBALS).

Testing

  • Fixed bug #78684 (PCRE bug72463_2 test is sending emails on Linux).

Tidy

  • Added TIDYTAG* constants for HTML5 elements.
  • Fixed bug #76736 (wrong reflection for tidy_get_head, tidy_get_html, tidy_get_root, and tidy_getopt)

WDDX

  • Deprecated and unbundled the WDDX extension.

Zip

  • Fixed bug #78641 (addGlob can modify given remove_path value).
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.

Support PHP.Watch — If you find the articles, version information, Codex, and other PHP.Watch contributions useful, consider supporting through GitHub Sponsors. Your sponsorship helps dedicate more time to creating valuable content and improving the PHP community. Together, we can keep the momentum going — thank you for your support!

Thanks to the highest tier sponsor: @TomasVotruba for your generous support to keep PHP.Watch moving 💜