Skip to content

Fix PHP 8.1+ deprecations: null passed to string functions#2231

Open
mumnik wants to merge 1 commit intofuel:1.9/developfrom
ticketshoplv:fix/php84-null-string-deprecations
Open

Fix PHP 8.1+ deprecations: null passed to string functions#2231
mumnik wants to merge 1 commit intofuel:1.9/developfrom
ticketshoplv:fix/php84-null-string-deprecations

Conversation

@mumnik
Copy link
Contributor

@mumnik mumnik commented Mar 7, 2026

Summary

PHP 8.1 deprecated passing null to built-in string functions (strlen(), strpos(), strtolower(), preg_match(), explode(), etc.). These deprecations become TypeError in PHP 9.0.

This PR adds (string) casts where nullable values can reach string functions across 8 core files:

  • html.phpanchor() and mail_to_safe() can receive null $href/$email
  • input.phpserver(), headers(), is_ajax() pass potentially null $index to strtoupper()/strtolower()
  • str.phpFixes a logic bug in truncate(): strlen($string !== mb_strlen($string)) had wrong parentheses, passing a boolean to strlen() instead of comparing lengths. Also fixes is_html()
  • security.phpInput::method() return cast in CSRF check
  • format.php$string and $json parameters in XML/JSON processing
  • validation.php$rules parameter in add_field()
  • controller/rest.phpHTTP_AUTHORIZATION header value from Input::server()
  • request/driver.php$method and $mime parameters

Bug fix in Str::truncate()

// Before (broken — passes boolean to strlen):
if (MBSTRING and strlen($string !== mb_strlen($string)))

// After (correct — compares string lengths):
if (MBSTRING and strlen((string) $string) !== mb_strlen((string) $string))

This bug meant the multibyte offset correction in truncate() never executed.

Test plan

  • Tested on PHP 8.4.8 with a production FuelPHP 1.9 application
  • All 8 files pass php -l syntax check
  • No deprecation warnings in runtime output
  • Backward compatible — (string) cast on a string is a no-op

@mumnik
Fix PHP 8.1+ deprecations: null passed to string functions
6fb3513 
PHP 8.1 deprecated passing null to built-in string functions like
strlen(), strpos(), strtolower(), preg_match(), explode(), etc.
This will become a TypeError in PHP 9.0.

Changes:
- html.php: Cast $href and $email to (string) in anchor() and mail_to_safe()
- input.php: Cast $index to (string) in server(), headers(), is_ajax()
- str.php: Fix parenthesis bug in truncate() — strlen($string !== mb_strlen($string))
  was comparing a boolean, now correctly: strlen($string) !== mb_strlen($string)
  Also cast $string in is_html()
- security.php: Cast Input::method() return to (string) in CSRF check
- format.php: Cast $string and $json to (string) in XML/JSON processing
- validation.php: Cast $rules to (string) in add_field()
- controller/rest.php: Cast HTTP_AUTHORIZATION header to (string)
- request/driver.php: Cast $method and $mime to (string)

Tested on PHP 8.4.8 with a production FuelPHP 1.9 application.
@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 7, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mumnik