PHP 8.1 deprecation notices from wp_signon() with default parameters

[lenasterg]

This fixes a
PHP Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated in wp-includes\pluggable.php on line 598

[lenasterg]

Replying to lenasterg:

This fixes a
PHP Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated in wp-includes\pluggable.php on line 598

Pull request with the fix is the

​https://github.com/WordPress/wordpress-develop/pull/3491

Fix for PHP Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated in app\wp-includes\pluggable.php on line 598

Trac ticket: [](https://core.trac.wordpress.org/ticket/56850)

[TobiasBg]

Hi @lenasterg,

thanks for looking into this!

When getting this deprecation warning, can you see where that null value is coming from?
A password should only ever be a string, so it might make more sense to add a fix to the calling function.
With the suggested is_string() check, the issue is essentially just shifted further down, when the next operation on the still-null $password happens -- but then this check might just make debugging and finding the origin a bit harder.

[lenasterg]

Hi @TobiasBg

The null comes from https://core.trac.wordpress.org/browser/trunk/src/wp-includes/user.php#L95 from inside the function wp_signon.
The line 95

$user = wp_authenticate( $credentials['user_login'], $credentials['user_password'] );

where both $credentials['user_login'], &$credentials['user_password'] are NULL when a user access the wp-login.php page for first time.

The wp_signon function is called in https://core.trac.wordpress.org/browser/trunk/src/wp-login.php#L1231 with an empty array as $credentials argument.
Line 1231 is:
$user = wp_signon( array(), $secure_cookie );

[TobiasBg]

Thanks for the background on this, @lenasterg!

I'm not sure why the login form, needs to pass empty arguments here, but I assume that it would be "too late" to change this anyways, for backwards compatibility reasons (as the filter hooks that run during the request) might be overriding the calls to perform some custom authentication.
Your proposed changes do make sense, therefore.

It might be worth updating the function's docblock then as well, to clarify that null is a possible parameter value/type.

[SergeyBiryukov]

Thanks for the ticket! I was able to reproduce the issue.

• It looks like there are actually two deprecation notices here:
  • One from preg_replace() in wp_strip_all_tags() via sanitize_user() in wp_authenticate():

    Deprecated: preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated
    

  • One from trim() in wp_authenticate() itself:

    Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated
    

• The $credentials['user_login'] and $credentials['user_password'] parameters are passed by reference to the wp_authenticate action, and this is where they are ​created as `null` if they don't exist.
• Since the parameters are documented as strings in various places (wp_authenticate action, secure_signon_cookie filter, wp_authenticate() function, authenticate filter, etc.) is seems like a bug that they are created as null instead of an empty string. Documenting null as a possible value does not seem ideal, as it forces plugins to deal with the issue on their own instead of fixing it at the source.

I believe the correct solution would be to create these parameters as an empty string instead, along the lines of similar fixes in [54351] and [54368]. See 56850.diff​, which also includes a unit test.

Trac ticket: https://core.trac.wordpress.org/ticket/56850

[ocean90]

Another fix is in ​https://github.com/WordPress/wordpress-develop/pull/2804.

[SergeyBiryukov]

#57458 was marked as a duplicate.

[ocean90]

#57605 was marked as a duplicate.

[afragen]

What more needs to be done on this ticket to move it forward?

I can confirm that @SergeyBiryukov's PR fixes the issue.

[SergeyBiryukov]

In 55301:

Login and Registration: Set correct default values in wp_signon().

The $credentials['user_login'] and $credentials['user_password'] parameters are passed by reference to the wp_authenticate action, and are at that point ​created as null if they don't exist in the array.

This commit sets those values to an empty string, resolving two PHP 8.1 deprecation notices:

• One from preg_replace() in wp_strip_all_tags() via sanitize_user() in wp_authenticate():

  Deprecated: preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated
  

• One from trim() in wp_authenticate() itself:

  Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated
  

Includes documenting the $credentials parameter using hash notation.

Follow-up to [6643], [37697].

Props lenasterg, TobiasBg, ocean90, afragen, lkraav, SergeyBiryukov.
Fixes #56850.

Merged in r55301.

Thanks for the PR! Merged a slightly different solution in r55301.

[SergeyBiryukov]

#57636 was marked as a duplicate.