PHP Annotated Monthly

PHP Annotated — October 2021

PHP Annotated Monthly

Greetings everyone!
Here are some highlights from the world of PHP over the last month.

  • PHP 8.1 RC3 is out, and the first package that uses enumerations is already available!
  • A community fork of Magento has been announced.
  • In addition to PSRs, there will be a new type of recommendation called PERs.
  • Symfony 6 will be fully typed — how to update?
  • New optimized data structures and a standalone null type have been proposed for PHP 8.2.
  • A PHP vulnerability with disable_functions has been published, though it is not actually a real vulnerability.

You can read more about this news in the October edition of PHP Annotated. As usual, we’ve carefully selected a variety of excellent articles, tools, videos, and streams for you.

⚡️ News

  • PHP 8.1 RC 3

    The third release candidate was delivered on schedule. For an overview of the new features in PHP 8.1, take a look at the What’s new in PHP 8.1 and PHP 8.1: before and after posts. A comprehensive list of changes is available on PHP.Watch.

    The migration guide for PHP 8.1 is now also available.

    You can try PHP 8.1 from docker, for example with the php:8.1-rc-cli image, on Mac via homebrew, or you can just poke around at 3v4l.org.

    The first package that uses enumerations from PHP 8.1 is already available!
    alexanderpas/php-http-enum – Enums with the status codes and text of HTTP-response messages.

  • PHP 8.0.11, 7.4.24 and 7.3.31

    Updates to supported branches with the security fix CVE-2021-21706.

    This fix addresses a bug that was causing ZipArchive::extractTo to extract the zip archive outside the target directory with certain file path names on Windows.

  • The Future of Magento

    This letter from members of the Magento community announced that there would be a Magento fork run by a community organization. The goal is to ensure the long-term open-source life of Magento.

    Previously, Adobe had announced that they are planning to decompose Magento into microservices. How exactly this will happen is unclear. That’s why a fork will be created. It will be compatible with Adobe’s Magento, as long as the latter is open.

  • PhpStorm 2021.3 Early Access Program Is Open

    The PhpStorm 2021.3 Early Access Program is in full swing. Every week we publish new builds that allow you to try the new features before the official release.

    The upcoming major release will include full support for PHP 8.1, many improvements for generics, new options for deployment, an updated debugger interface, and much more.

  • PER Workflow – PHP-FIG

    PHP-FIG has approved the idea of PHP Evolving Recommendations. In addition to PSR standards, there will now be PERs, which are recommendations that can be perpetually changed and supplemented. For example, in the case of code styles, it will be possible to add new rules to reflect new language features.

  • “Vulnerability” (not) in PHP to bypass disable_functions

    A researcher recently published a method to bypass the constraints set by the disable_functions directive in php.ini.

    You can use disable_functions to forbid the use of certain functions in PHP scripts. For instance, you can forbid system, exec, proc_open and shell_exec to block calls to external programs.
    You cannot forbid eval(), by the way, because it’s not a function, but rather a language construct.

    The bypass problem cannot be called a vulnerability, because disable_functions is not a security feature and relying on it for security is a bad idea.


    Learn more about what counts as a security problem in PHP and what doesn’t: wiki.php.net/security.

    And if you’re interested in understanding the problem in more detail, there is a cool breakdown of how disable_functions works and how such exploits are built. And another one even explains how you can automatically search for such problems.

    Also, check out this analysis of a real RCE vulnerability found in fiveai/Cachet, a popular Laravel project: Code Execution via Laravel Configuration Injection.

  • composer/composer 2.1.9

    This update fixes a vulnerability on Windows (CVE-2021-41116). Windows users should definitely update.

  • PHPOpenDocs.com

    Here’s an experiment in making a community site for PHP related content.

    It already has a useful sponsoring page with a list of contributors grouped by PHP version, as well as an Internals section with lots of links to resources about the structure of PHP code and how to start contributing to PHP core.

🐘 PHP Internals

  • New data structures in PHP

    PHP has a universal array data structure that can be used as a list, an associative array, a queue, a stack, etc.

    Versatility is achieved by using a hash table under the hood. But this versatility comes at the cost of additional memory usage and subtle performance overhead.

    SPL has more-specialized data structures, but they have baggage of their own.

    Tyson Andre suggests adding new optimized data structures to PHP.

    One option to achieve that would be to add structures from the popular php-ds/ext-ds extension, but its author does not support this idea. This thread on GitHub sheds some light on the details of the debate.

    So for now there are two RFCs:

    • [RFC] final class Vector Vector structure – is a set of elements with consecutive indexes 0, 1, 2, etc. It requires half as much memory as current arrays and works faster than similar SPL structures.In terms of its API, it’s just a usual class with implementations of the
      ArrayAccess, IteratorAggregate, and Countable interfaces.
      $values = new Vector();
      for ($i = 0; $i
    • [RFC] final class Deque Deque is a doubly-linked queue, that is, elements can be added and removed both at the beginning and at the end.You could use it in the place of SplQueueue or SplDoublyLinkedList and see immediate improvements to performance and memory consumption.

      Deque is also relevant for long-running applications that use large arrays, because of their known issues with memory management.

    The implementations of these and other structures are available in the TysonAndre/pecl-teds extension.

  • [RFC] Allow null as standalone type

    George Peter Banyard proposes to add the ability to use null in type declarations.

    First, this is the missing piece for the completeness of the type system of PHP. There is a mixed type, never type was added, there are also unions and intersections, but a unit type is missing.

    Second, this type will cover some edge cases for type hinting and improve static analysis.

    For example, at the moment, you can use the pseudotype false in unions, but you cannot specify that the function returns false|null, only bool|null.

  • How opcache works

    Nikita Popov doesn’t always write blog posts, but when he does he describes the concepts clearly and in details.

🛠 Tools

  • Xdebug 3.1.0 – The popular PHP debugger has received an update. It comes with support for PHP 8.1, many fixes, and some rather minor features. Don’t miss this series of videos about Xdebug 3 by extension author Derick Rethans.
  • spiral/roadrunner 2.4 – This is a big update for the PHP application server in Golang. The release includes support for queues, key-value stores, and integration with Temporal. See details.
  • brick/date-time – A set of immutable classes for working with date and time.
  • php-runtime/runtime – The Runtime component separates the application bootstrap logic from the global state, and so allows you to run the application without changes in any environment, such as PHP-FPM, ReactPHP, Swoole, etc.
    This was originally a component for Symfony, but it turned out to be so good that it’s now a separate organization on GitHub.
  • rindow/rindow-neuralnetworks – A neural network training framework based on Python Keras. According to its documentation, GPU support is only available in experimental mode and only on Windows.
  • piko-framework/router – Yet another PHP router, this one is based on radix tree and, according to the benchmarks, is faster than the Symfony router.
  • nunomaduro/termwind – A PHP 8+ package for formatting the output of console programs with Tailwind CSS style syntax.
  • icanhazstring/random-issue-picker – If you want to participate in Hacktoberfest but don’t know where to start, here’s a tool that will pick a random issue on GitHub or GitLab for you.

Symfony

Laravel

💡 Misc

Thanks for reading!

If you have any interesting or useful links to share via PHP Annotated, please leave a comment on this post or send me a tweet.

Subscribe to PHP Annotated

Your JetBrains PhpStorm team
The Drive to Develop


Discover more