PHP Annotated — September 2021

PHP Annotated Monthly

Greetings everyone!
PHP 8.1 has reached the first release candidate and the list of changes has been finalized. We’ll see at least 5 more release candidates before the final release, which is planned for the end of November.

Meanwhile, discussions are already taking place in PHP internals regarding three more proposals for PHP 8.2: operator overloading, the $this type hint, and deprecating dynamic properties.

Beware of malware Composer packages! Two of them were recently discovered on Packagist.

PHP-FIG discusses adding a new type of standard to PSRs.

You can read more about this news in the September edition of PHP Annotated. As usual, we’ve carefully selected a variety of excellent articles, tools, videos, and streams for you.

⚡️ News

  • PHP 8.1.0 RC 1

    The final release is still two and a half months away with at least 5 release candidates coming.

    The final release of version 8.1 is still two and a half months off, with at least 5 release candidates on the way. Here’s a micro tutorial on how to install PHP 8.1 on macOS via Homebrew. Additionally, PHP 8.1 has ready-made Docker images.

    You can find a comprehensive description of what’s coming in PHP 8.1 at php.watch/versions/8.1 and on Brent Rooses’s blog, stitcher.io/blog/new-in-php-81.

  • PHP 8.0.10, PHP 7.4.23, PHP 7.3.30

    Security and bugfix updates for current branches.

  • The end of Swiftmailer

    The popular mail package Swiftmailer will only be supported until November. It will be replaced by symfony/mailer.

    Symfony/mailer’s features and concepts replicate Swiftmailer, so migrating should be fairly easy. Rector has a migration script, and it simply needs to rename classes.

  • PHP Evolving Recommendations (PERs)

    PHP-FIG currently releases only PSP standards. The problem is that some standards require constant refinement. For example, in the case of code styles, PSR-12 replaced PSR-2, and now it does not include new features from PHP 7.4-8.0.

    There is now a proposal to adopt a special type of recommendation called PER, which can be changed over time.

  • Malware Composer packages

    On Packagist, there was a package called symfont/process which did exactly the same thing as symfony/process, but it also gathered information about the machine, sent it to a third party, and opened a web shell.

    The attacker expected that users would potentially misspell the package name during installation and type symfont instead of symfony.

    The malware package has already been removed from both Packagist and GitHub, and an analysis of how it worked is available.

    Another backdoor was found in the laraveli/qr-code package. As you can see from the code, the malware was copying this type of web shell onto the machine.

    To protect yourself from attacks like these, you can add a local-php-security-checker to your CI pipeline or use the the-php-security-checker GitHub Action.

    For more complex cases, you can run the marcocesarato/PHP-Antimalware-Scanner.

  • The hautelook/alice-bundle repository was removed from GitHub

    The package has more than 8 million downloads, and the main contributor doesn’t know why he was removed from the maintainers list and the repository was apparently made private.

    A working fork is available on Théo’s GitHub profile: theofidry/AliceBundle.

🐘 PHP Internals

  • [RFC] Deprecate dynamic properties

    In current versions of PHP, if you try to write to a property that doesn’t exist, it will be automatically created.

    In modern code, writing to a nonexistent property is rarely done intentionally – it is usually a mistake.

    This RFC proposes to deprecate and subsequently remove the ability to create dynamic (undeclared) properties.

    class User {
        public $name;
    }
    
    $user = new User;
    
    // Assigns declared property User::$name.
    $user->name = "foo";
    
    // Oops, a typo:
    $user->nane = "foo";
    
    // PHP 8.2: Throws a warning but still creates a dynamic property.
    // PHP 9.0: Throws Error exception.
    

    This change would not apply to stdClass and its inheritors. The behavior of magical methods __get/__set would also be unaffected by this change.

    $obj = (object) []; // = new stdClass;
    
    // No deprecation warning
    $obj->foo = 1;
    
    class myStdClass extends stdClass {}
    $obj2 = new myStdClass;
    
    // No deprecation warning
    $obj2->bar = 1;
    

    With this change in PHP 9.0, it would be possible to reduce the size of objects by 8 bytes. For a single object, of course, this is nothing. But cumulatively for large applications it could result in a noticeable difference.

    There is also a discussion on whether it makes sense to alias stdClass to DynamicObject.

  • [RFC] User Defined Operator Overloads

    In this RFC, Jordan LeDoux essentially proposes to define a different magic method for each operator, e.g. __add() for `+` or __equals() for `==`.
    Using these methods would make it possible to describe the desired behavior of operators applied to objects.

    $a = new Number(8);
    $b = new Number(6);
    $c = new Number(4);
    
    // Instead of this
    $posRoot = $b->mul(-1)->add($b->pow(2)->sub($a->mul($c)->mul(4))->sqrt())->div($a->mul(2));
    
    // It would be possible do it like this
    $posRoot = ((-1 * $b) + ($b ** 2 - 4 * $a * $c)->sqrt()) / (2 * $a);
    

    If the proposal is accepted, it would become possible to implement the behavior of scalar objects in userland code.

  • [RFC] $this return type

    Nikita brought up the idea of using $this as the return value type. This would cause the interpreter to check that an object is the same as the one that is returned.

    Here is how it compares with self and static by Ben Ramsey:

    • self – The return value must be an instance of the same class that sets this type declaration.
    • static – The return value must be an instance of the same class that calls the method with this type declaration.
    • $this – The return value must be the same instance as the instance that calls the method with this type declaration.
    class Test {
        public function method(): $this {
            return $this;
        }
    
        public function not_this(): $this {
            return new self(); // Fatal Error
        }
    }
    
  • [RFC] Deprecate partially supported callables

    The following callables are currently accepted by the callable, the is_callable() function, and call_user_func(), but are not supported byn $callable().

    "self::method"
    "parent::method"
    "static::method"
    ["self", "method"]
    ["parent", "method"]
    ["static", "method"]
    ["Foo", "Bar::method"]
    [new Foo, "Bar::method"]
    

    This RFC proposes to deprecate in PHP 8.2 and remove in PHP 9.0 support for these callables.

    Normal callables like "function", "Foo::method", ["Foo", "method"], or [new Foo, "method"] would not be affected by this proposal because for them, calling with braces will work as expected:

    class Foo {
        function method() {
            echo 'method';
        }
    }
    [new Foo, "method"]();
    // > method
    
  • All PHP RFCs on GitHub

    As an experiment, Ben Ramsey, the PHP 8.1 release manager, exported all 838 RFCs ever discussed to Git, along with the change history for each.

🛠 Tools

  • whsv26/functional – The author ran into problems with existing PHP implementations of collections and wrote his own package.
  • phabelio/phabel – This transpiler for PHP makes it possible to use features from the latest PHP versions in older environments, or when backward compatibility must be maintained. You can also start adding support for features that don’t yet exist, such as the async/await keywords.
     
    Similar tools already exist, like marcioAlmada/yay or preprocess.io. And Rector can also do backports. But the special thing about Phabel is the transparent integration with Composer.
  • phparkitect/arkitect – A tool for defining and checking architectural rules for your project.
  • niklongstone/regex-reverse – Generates a random string that satisfies a given regular expression.
  • azjezz/psl – What a standard PHP library might look like.
  • github-php/sponsors – A package for working with the GitHub Sponsors API. You can organize access control by checking whether the user is a sponsor.
  • koriym/Koriym.Attributes – A simple tool that allows you to read PHPDoc annotations and PHP 8 attributes through a single interface. The more advanced spiral/attributes is also available for the same tasks.
  • grep.app – A handy tool for quick code searches on GitHub.
  • mrsuh/php-generics — PHP generics written in PHP. This is an interesting and functional attempt to implement syntax-level generics in PHP.

Symfony

Laravel

Yii

💡 Misc

🔈 Podcasts


Thanks for reading. We hope you have a great day!

If you have any interesting or useful links to share via PHP Annotated, please leave a comment on this post or send me a tweet.

Subscribe to PHP Annotated

Your JetBrains PhpStorm team
The Drive to Develop

image description