Changelog v1.8

Harro Verton edited this page May 17, 2016 · 10 revisions

This keeps track of important changes to the 1.x branch.

When you decide to upgrade to a new version, pay attention to the changes documented in this changelog, and the upgrade procedures documented.

Important fixes, changes, notes. Read them carefully.

This version provides full compatibility with PHP 7. To achieve this, the \Fuel\Error class had to be renamed to \Fuel\Errorhandler. The new error handler has full support for PHP 7's new Error exceptions. If your application calls the Error class directly, or has extended the Error class, make sure you make the appropriate changes after you have upgraded!

The oil installer has been updated to use composer to install Fuel, and to provide better support for MacOS.

Backward compatibility notes

  • The included PHPSecLib version has been swapped by the composer package. If your application creates instances of PHPSecLib classes, check your code for compatibility issues, for example with the use of namespaces.
  • Database hacks in the generic PDO code have been removed, and replaced by platform drivers containing the replacement for this hacks. At this moment, platform drivers for "SQLite" and "SQLSrv" exist.

Removed code (because it was deprecated in v1.7.3 or earlier)

  • The old "mysql" DB driver has been removed because of removal in recent PHP versions. You can keep using mysqli if for some reason you don't want to use PDO. A new "mysql" driver has been introduced that uses PDO underneath. This should be transparent for most applications.

Security related

  • Because of the swap to the composer PHPSecLib package, the pbkdf2() method that was added to the code by the Fuel team is no longer available. Fuel itself now uses the PHP hash_pbkdf2() function. If you are using a PHP version < 5.5.0, this function is emulated in base.php.
  • When using file based session, an additional check has been added to make sure the session file is loaded from the configured path.
  • The Security::clean_input() now has support for ArrayAccess and Traversable classes, and now fully recurses into these classes and arrays for a full deep clean.
  • Security::generate_token() now uses random_bytes(), openssl_random_pseudo_bytes() if available, and uses hash_algos() with SHA to generate the token hash.

System changes

  • The database classes have been refactored. Database_Query is now properly extendable, and DBUtil schema manipulations have been abstracted in order to support multiple DB platforms.
  • The framework now supports generic HTTP status 400 messages through the new HttpBadRequestException exception.
  • When a database migration is run, and the database schema is ahead of the migration configuration file, the status is synced before any migrations are run. This makes sure migrations don't run twice, which may happen when you update multiple application instances using a shared clustered database.
  • You can now correctly use "hybrid" controller (like "\Controller\Something_Class") names as documented.
  • new function get_composer() allows direct access to the Composer Autoloader instance.
  • The core's "base.php" code has been optimized for PHP 5.6+.
  • A new route keyword ":everything" has been added, which complements ":any" by also matching with "nothing".

Specific classes

  • The Agent class now supports the definition of an HTTP proxy for downloading the browscap file.
  • An issue in the Agent class is fixed where loading the browscap file could fail if it was defined as type "local".
  • Arr::key_exists() now has support for classes implementing ArrayAccess.
  • Asset now has a new method add_type() to define new types besides "js", "css" and "img". You need to pass a closure that is used to render the HTML for the given type.
  • Asset is now more compatible with Windows platforms when it comes to generating paths and URL's (correct use of slash vs backslash).
  • The Cache file driver has been improved to solve some locking race conditions.
  • Config class no longer caches the result of config keys defined as a closure. Closures are now evaluated at runtime instead of at load time.
  • Fixed a bug in Controller_Rest that would cause the HTTP status code to be overwritten when detecting an incorrect return format in production mode.
  • Controller_Rest now returns HTTP status 200 by default.
  • When calling the Database method count_last_query(), any ORDER BY is now stripped from the COUNT query to improve performance.
  • Return type detection has been improved for DB::query() calls, for SQL statements like "DESCRIBE", "EXECUTE", "EXPLAIN" and "SHOW".
  • Date::range_to_array() could return unexpected values when using more complex intervals. This has been fixed.
  • Added support for "runtime-created functions" in Debug detailed output.
  • Fixed a bug in File::create_dir() that causes directory creation to fail if the directory had the same name as its parent.
  • Form::open() can now automatically add a CSRF key field when the config key "security.csrf_auto_token" is set.
  • Lang now has a new method set_lang(), which allows you to switch the active language, optionally reloading all already loaded language files in this new language.
  • Migrate can now detect circular dependencies (two migrations depending on each other), and will now bail out with a loop detection error message.
  • Migration tasks can now define before() and after() methods. If either returns false, the migration is skipped. In case of after(), that implies the migration is reverted.
  • Mongo_Db has a new dump() method to allow dumping a collection or collections for backup purposes.
  • The Response class now has a new set_headers() method to set multiple headers in one go.
  • Request_Curl now returns the complete "raw" response in the response variable "response", which can be accessed in case of a returned http status >= 400.
  • Request_Curl now allows you to use fully qualified option names to be set (those starting with "CURLOPT_").
  • The Router now also returns the path of the controller on a found route match.
  • The Security class can now throw an HttpBadRequestException instead of a generic Security Exception when CSRF validation fails.
  • The Session file driver has been improved to solve some locking race conditions, and an additional validation of the session payload on session load.
  • The "randomness" of generated session ID's has been improved by using Security::generate_token() to generate them.
  • The Str class now checks if mbstring functions are available before using them.
  • Theme is now more compatible with Windows platforms when it comes to generating paths and URL's (correct use of slash vs backslash).
  • Validation valid_date rule can now handle incomplete date/time formats properly by using defaults for missing values.
  • You can now control the behaviour of the View class on closures assigned to a View variable through the config key "filter_closures".
  • For View variables supporting the Sanitation interface, sanitation is disabled after rendering the view to return the object in its original state.


  • Auth: login drivers now uses the internal PHP function hash_pbkdf2() function to hash passwords.
  • Auth: the Opauth driver will now pass a "group_id" back in the result if the login provider supplies this value in its response.
  • Auth: the Opauth driver now has a get_instance() method to return the current Opauth instance.
  • Auth: migrations now use the configured "db_connection" from the simpleauth/ormauth config, if defined.
  • Auth: auth_check() now also accepts the name of the login driver (as a string), besides the login driver instance.
  • Auth: updated the Auth classes to support the PHPSecLib composer package.
  • Email: Fixed bug in text wrapping where spaces could be stripped from HTML tags.
  • Email: Added a check on the availability of mbstring extensions before its functions are used.
  • Oil: migrate now has a new "--installed" option, which only runs migrations for packages and modules defined in the "always_load" section of the config. You can use it in conjunction with "--modules" and "--packages" to include some manually loaded modules or packages.
  • Oil: new "--with-test" option to scaffolding will generate corresponding test classes for each class generated.
  • Oil: "fromdb" task has a new "migration" command that allows you to generate migrations from an existing database. NOTE: these need to be checked as not all details can be retrieved from an existing table!
  • Orm: Fixed SQL generation error when DB::expression() was used at the left-hand side of a query statement.
  • Orm: Fixed a decimal point positioning issue in the Typing observer.
  • Orm: Fixed a problem in the Temporal model where the incorrect primary key values where used when generating a WHERE clause.
  • Orm: Added the option to dump_tree() to include a path URI, mainly useful when working with nested sets.
  • Orm: The typing observer can now handle floats in all locales (the decimal point is comma problem).
  • Orm: Implemented a workaround for slow access of large array entries by reference (see
  • Orm: A bug that caused related data in a many-many relation to be incorrectly hydrated has been fixed.
  • Parser: It is now possible to load Mustache partials. If none are defined, the UTF-8 partial is loaded by default.
  • Parser: for View variables supporting the Sanitation interface, sanitation is disabled after rendering the view to return the object in its original state.
  • Parser: for jade templates, now the Talesoft Jade renderer is supported too, besides the already supported Everzet renderer.
  • Parser: fixed a bug that caused loading template files with multiple dots to fail.
  • Parser: Twig templates now have access to the Auth::get() method through "auth_get".
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.