PHP Annotated — October 2021

Roman Pronskiy

Greetings everyone!
Here are some highlights from the world of PHP over the last month.

• PHP 8.1 RC3 is out, and the first package that uses enumerations is already available!
• A community fork of Magento has been announced.
• In addition to PSRs, there will be a new type of recommendation called PERs.
• Symfony 6 will be fully typed — how to update?
• New optimized data structures and a standalone null type have been proposed for PHP 8.2.
• A PHP vulnerability with disable_functions has been published, though it is not actually a real vulnerability.

You can read more about this news in the October edition of PHP Annotated. As usual, we’ve carefully selected a variety of excellent articles, tools, videos, and streams for you.

⚡️ News

• PHP 8.1 RC 3

  The third release candidate was delivered on schedule. For an overview of the new features in PHP 8.1, take a look at the What’s new in PHP 8.1 and PHP 8.1: before and after posts. A comprehensive list of changes is available on PHP.Watch.

  The migration guide for PHP 8.1 is now also available.

  You can try PHP 8.1 from docker, for example with the php:8.1-rc-cli image, on Mac via homebrew, or you can just poke around at 3v4l.org.

  The first package that uses enumerations from PHP 8.1 is already available!
  alexanderpas/php-http-enum – Enums with the status codes and text of HTTP-response messages.

• PHP 8.0.11, 7.4.24 and 7.3.31

  Updates to supported branches with the security fix CVE-2021-21706.

  This fix addresses a bug that was causing ZipArchive::extractTo to extract the zip archive outside the target directory with certain file path names on Windows.

• The Future of Magento

  This letter from members of the Magento community announced that there would be a Magento fork run by a community organization. The goal is to ensure the long-term open-source life of Magento.

  Previously, Adobe had announced that they are planning to decompose Magento into microservices. How exactly this will happen is unclear. That’s why a fork will be created. It will be compatible with Adobe’s Magento, as long as the latter is open.

• PhpStorm 2021.3 Early Access Program Is Open

  The PhpStorm 2021.3 Early Access Program is in full swing. Every week we publish new builds that allow you to try the new features before the official release.

  The upcoming major release will include full support for PHP 8.1, many improvements for generics, new options for deployment, an updated debugger interface, and much more.

• PER Workflow – PHP-FIG

  PHP-FIG has approved the idea of PHP Evolving Recommendations. In addition to PSR standards, there will now be PERs, which are recommendations that can be perpetually changed and supplemented. For example, in the case of code styles, it will be possible to add new rules to reflect new language features.

• “Vulnerability” (not) in PHP to bypass disable_functions

  A researcher recently published a method to bypass the constraints set by the disable_functions directive in php.ini.

  You can use disable_functions to forbid the use of certain functions in PHP scripts. For instance, you can forbid system, exec, proc_open and shell_exec to block calls to external programs.
  You cannot forbid eval(), by the way, because it’s not a function, but rather a language construct.

  The bypass problem cannot be called a vulnerability, because disable_functions is not a security feature and relying on it for security is a bad idea.

  
  Learn more about what counts as a security problem in PHP and what doesn’t: wiki.php.net/security.

  And if you’re interested in understanding the problem in more detail, there is a cool breakdown of how disable_functions works and how such exploits are built. And another one even explains how you can automatically search for such problems.

  Also, check out this analysis of a real RCE vulnerability found in fiveai/Cachet, a popular Laravel project: Code Execution via Laravel Configuration Injection.

• composer/composer 2.1.9

  This update fixes a vulnerability on Windows (CVE-2021-41116). Windows users should definitely update.

• PHPOpenDocs.com

  Here’s an experiment in making a community site for PHP related content.

  It already has a useful sponsoring page with a list of contributors grouped by PHP version, as well as an Internals section with lots of links to resources about the structure of PHP code and how to start contributing to PHP core.

🐘 PHP Internals

• New data structures in PHP

  PHP has a universal array data structure that can be used as a list, an associative array, a queue, a stack, etc.

  Versatility is achieved by using a hash table under the hood. But this versatility comes at the cost of additional memory usage and subtle performance overhead.

  SPL has more-specialized data structures, but they have baggage of their own.

  Tyson Andre suggests adding new optimized data structures to PHP.

  One option to achieve that would be to add structures from the popular php-ds/ext-ds extension, but its author does not support this idea. This thread on GitHub sheds some light on the details of the debate.

  So for now there are two RFCs:

  • [RFC] final class Vector Vector structure – is a set of elements with consecutive indexes 0, 1, 2, etc. It requires half as much memory as current arrays and works faster than similar SPL structures.In terms of its API, it’s just a usual class with implementations of the
    ArrayAccess, IteratorAggregate, and Countable interfaces.

    $values = new Vector();
    for ($i = 0; $i

  • [RFC] final class Deque Deque is a doubly-linked queue, that is, elements can be added and removed both at the beginning and at the end.You could use it in the place of SplQueueue or SplDoublyLinkedList and see immediate improvements to performance and memory consumption.

    Deque is also relevant for long-running applications that use large arrays, because of their known issues with memory management.

  The implementations of these and other structures are available in the TysonAndre/pecl-teds extension.

• [RFC] Allow null as standalone type

  George Peter Banyard proposes to add the ability to use null in type declarations.

  First, this is the missing piece for the completeness of the type system of PHP. There is a mixed type, never type was added, there are also unions and intersections, but a unit type is missing.

  Second, this type will cover some edge cases for type hinting and improve static analysis.

  For example, at the moment, you can use the pseudotype false in unions, but you cannot specify that the function returns false|null, only bool|null.

• How opcache works

  Nikita Popov doesn’t always write blog posts, but when he does he describes the concepts clearly and in details.

🛠 Tools

• Xdebug 3.1.0 – The popular PHP debugger has received an update. It comes with support for PHP 8.1, many fixes, and some rather minor features. Don’t miss this series of videos about Xdebug 3 by extension author Derick Rethans.
• spiral/roadrunner 2.4 – This is a big update for the PHP application server in Golang. The release includes support for queues, key-value stores, and integration with Temporal. See details.
• brick/date-time – A set of immutable classes for working with date and time.
• php-runtime/runtime – The Runtime component separates the application bootstrap logic from the global state, and so allows you to run the application without changes in any environment, such as PHP-FPM, ReactPHP, Swoole, etc.
  This was originally a component for Symfony, but it turned out to be so good that it’s now a separate organization on GitHub.
• rindow/rindow-neuralnetworks – A neural network training framework based on Python Keras. According to its documentation, GPU support is only available in experimental mode and only on Windows.
• piko-framework/router – Yet another PHP router, this one is based on radix tree and, according to the benchmarks, is faster than the Symfony router.
• nunomaduro/termwind – A PHP 8+ package for formatting the output of console programs with Tailwind CSS style syntax.
• icanhazstring/random-issue-picker – If you want to participate in Hacktoberfest but don’t know where to start, here’s a tool that will pick a random issue on GitHub or GitLab for you.

Symfony

• Preparing your applications and bundles for Symfony 6 Symfony 5.4 and 6.0 will be released in November. The difference between them is that Symfony 5.4 will still contain all deprecated features, while in Symfony 6.0 they will all be removed.Additionally, both Symfony 5.4 and 6.0 will have PHP type declarations added to all method properties, arguments, and return values, where possible.

  Check out this detailed post by a member of the Symfony Core team to learn how to update apps that use Symfony components: Symfony 6: PHP 8 Native Types & Why We Need YOU.

• For Symfony Flex, you will no longer need flex.symfony.com. All recipes are now at github.com/symfony/recipes.
• A week of Symfony #771 (4-10 October 2021)

Laravel

• Working with fixture data in your tests.
• Strategies for decreasing the number of queries in a Laravel app.
• 📺 Laravel Worldwide Meetup #10: A Little Bit of AWS Lambda, and Pest to Perfection.
• 📺 Converting a PHPUnit testsuite to Pest
• 📺 Let’s Build an Online Store – A nice series of streams.

💡 Misc

• The Road to PHP: Static Analysis – A 10-day newsletter from Brent Roose about static analysis.
• Testing tips from Matthias Noback: One Class, One Test?, Testing Anything; Better Than Testing Nothing?, Write Unit Tests Like Scenarios.
• What happens when we clone objects?
• Interesting post about `Either` data structure.
• About creating an `Option` type in PHP.
• The €13.000 Video Course Launch That Made Me Believe In Myself Again – Christoph Rumpel shares some details about how he launched the masteringphpstorm.com course.
• Generative art with PHP – Ben Gillbanks explains how you can use code to create images, from simple avatars to pixel-art cities:
  
• A game on FFI: quasilyte/kphp-game
  KPHP is a PHP compiler. It compiles a limited subset of PHP to a native binary that runs faster than PHP.

  Folks from the KPHP team implemented experimental support for FFI, and made a little game with it as a demo.

  Remarkably, KPHP-FFI is compatible with FFI from traditional PHP, which means the game can also be run on regular PHP 7.4+.

  Read more about other FFI applications in this Complete guide to FFI in PHP.

Thanks for reading!

If you have any interesting or useful links to share via PHP Annotated, please leave a comment on this post or send me a tweet.

Subscribe to PHP Annotated

Your JetBrains PhpStorm team
The Drive to Develop

Subscribe to PHP Annotated

Subscribe form

By submitting this form, I agree to the JetBrains Privacy Policy Notification icon

By submitting this form, I agree that JetBrains s.r.o. ("JetBrains") may use my name, email address, and location data to send me newsletters, including commercial communications, and to process my personal data for this purpose. I agree that JetBrains may process said data using third-party services for this purpose in accordance with the JetBrains Privacy Policy. I understand that I can revoke this consent at any time in my profile. In addition, an unsubscribe link is included in each email.

Submit

Thanks, we've got you!