PHP Annotated – February-March 2024

Roman Pronskiy

Welcome to the February–March edition of PHP Annotated! We’ll recap the most interesting developments in the PHP community over the past couple of months, featuring handpicked news, articles, tools, and videos.

Highlights

• PHP 8.2.16 and PHP 8.3.3 released
  

  🐛 These are bug-fix updates.

• Composer 2.7 and CVE-2024-24821: Code execution and possible privilege escalation

  Composer has been patched for vulnerability CVE-2024-24821, which, under certain conditions, caused arbitrary code execution leading to local privilege escalation, lateral user movement, or malicious code execution when Composer was invoked within a directory with tampered files.

• Doctrine ORM 3 and DBAL 4 released

  These releases, which make the tools slimmer and more efficient, are the culmination of over a decade of hard work by dozens of contributors and the Doctrine maintainers.

• Rector 1.0 is here

  The first stable release of the tool for automated upgrades and refactoring includes a new Zen config, a new custom-rule command, automated PHP sets, and streamlined integration with new projects.

• PHP version stats: January 2024

  This regular overview of the usage of various PHP versions is based on the data that clients send to packagist.org (for example, when they run a composer update command).

  In short, here is how the usage distribution has changed over the last six months:
  PHP 7.* – 20.3% (29.7% in 2023)
  PHP 8.* – 78.2% (69% in 2023)

• PHPUnit 11

  This version streamlines test double creation, deprecates PHPDoc annotations in favor of PHP 8 attributes, and phases out less necessary features.

PHP Core

• Release Managers for PHP 8.4

  PHP is seeking three engineers to handle the release of the upcoming PHP 8.4 branch. Candidates must commit to a 3.5-year term and possess a strong knowledge of PHP, Git, and C.
  Applications will be accepted through March 31.

• The PHP Foundation: Impact and Transparency Report 2023

  The foundation now contracts 10 engineers to work on PHP’s core and infrastructure, receives sponsorships from major PHP companies, and has secured investment from a German government-backed fund.

  In 2024, the foundation group has several significant projects planned, including a new tool for installing PHP extensions, a security audit, and an update to the documentation.

  I, Roman Pronskiy, am sponsored by JetBrains to serve as an operations manager for the foundation. Check out my talk at Laracon EU to learn more about the foundation:

• Welcome to The PHP Foundation discussions!

  As an experiment, the PHP Foundation has launched GitHub discussions in direct response to the community’s request for a more open and accessible communication platform.

• 📺 Let’s talk about PECL

  The PHP Foundation is working on a new tool for installing PHP extensions. In this video, Brent Roose, James Titcumb, and Roman Pronskiy discuss everything there is to know about it.

• RFC: Property hooks
  

  Hooks have become one of the biggest and most discussed RFCs in PHP in the last few years. After a round of discussions, the authors of the proposal, Larry Garfield and Ilija Tovillo, significantly updated the details.

  Some notable changes from the full list:

  • As noted a while ago, the $field has been removed.
  • The $foo => expression shorthand has been removed. The legal shorthands are now:

    public string $foo {
      get => evaluates to a value;
      set => assigns this value;
    }
    

  • The set shorthand (with => ) now means “write this value instead”. The non-shorthand version (set { } ) always returns void, so you have to assign the value yourself.
  • Added an FAQ regarding the property-centric approach rather than the method-centric approach.
  • Added an FAQ item explaining why a ‘virtual’ keyword is not feasible.
• 📊 RFC: Deprecate implicitly nullable parameter types
  Currently, using null as a default value of a function parameter is allowed, and it does not generate an error even if the parameter has a type declaration and is not nullable.

  Moreover, there is a slight inconsistency in allowing optional parameters before required ones. For example, the following signature is valid:

  function foo(T1 $a, T2 $b = null, T3 $c) {} // Currently valid
  

  Máté Kocsis and Gina P. Banyard propose to deprecate such declarations and require explicit nullable marks. This is a BC break, but the migration is relatively straightforward and can be automated.

  function foo(T $var = null) {} // Deprecated warning if RFC accepted
  function foo(?T $var = null) {} // OK
  

  Note: This change impacts quite a few open-source projects. You can use this script or this regexp to check if your project is also affected.

• 📣 RFC: Add OOP methods to cURL objects

  Sara Golemon proposes adding simple OOP interfaces to the cURL extension to provide a bit more pleasant out-of-the-box HTTP client experience for PHP.

  try {
    (new \CurlHandle)->setOpt(YOUR_VOTE, true)->exec();
  } catch (\CurlHandleException $exception) {
  }
  

• ✅ RFC: Opt-in DOM spec-compliance
• ✅ RFC: RFC1867 for non-POST HTTP verbs
  A new request_parse_body() function, designed to allow handling form data for PUT and PATCH requests, will be available as of PHP 8.4.
• ✅ RFC: Add http_(get|clear)_last_response_headers() function
• ✅ RFC: Multibyte for ucfirst, lcfirst functions, mb_ucfirst mb_lcfirst
• ❌ RFC: Final by default anonymous classes

PhpStorm

• The New Terminal (Beta) Is Now in JetBrains IDEs by Anastasia Shabalina.
• AI for PHP: How to Make AI Assistant Generate Test Implementations by Brent Roose.
• hammer-tools/php-hammer – This plugin for PhpStorm brings a set of useful inspections and quick-fixes.

Tools

• php-static-analysis/attributes – Attributes used for static analysis.

  An idea that popped up in a Twitter thread has now received a proper implementation, making it possible to specify type metadata for functions and classes in PHP 8 attributes instead of PHPDoc tags.

  

  Read the Using PHP Attributes instead of Annotations for Static Analysis blog post by Carlos Granados to learn more about the motivation behind this idea, as well as its use cases and limitations.

• typhoon-php/typhoon – Ultimate type system and reflection for PHP. It includes abstraction for the PHP static type system, and Typhoon Reflection, an alternative to native PHP Reflection.
• xepozz/internal-mocker – A tool for mocking internal PHP functions and classes.
• yiisoft/hydrator – Create and populate objects with support for type casting, mapping, and resolving dependencies.
• coollabsio/coolify – An open-source and self-hostable alternative to Heroku, Netlify, and Vercel.
• opencodeco/phpctl – A Docker (containers) based development environment for PHP. See this Introduction to PHPCTL for details.
• hydephp/hyde – A static site generator with the power of Laravel and the simplicity of Markdown.
• swoole/phpy – A library that allows you to use Python functions and libraries in PHP or use PHP packages in Python.
• SRWieZ/thumbhash – A ThumbHash implementation in PHP that allows you to generate unique, human-readable identifiers from image files.
• rryqszq4/ngx-php – An embedded PHP language module for the NGINX web server. According to benchmarks, it’s currently the fastest possible way to run PHP – faster than Swoole, RoadRunner, and FrankenPHP.
• crazywhalecc/static-php-cli – The tool makes it possible to build standalone PHP binaries for Linux, macOS, FreeBSD, and, with the latest update, Windows too!

Symfony

• Upgrading Symfony Websites to AssetMapper by Javier Eguiluz.
• makinacorpus/DbToolsBundle – A Symfony bundle for backing up, restoring, and anonymizing your data.
• Getting Symfony app ready for Swoole, RoadRunner, and FrankenPHP (no AI involved) by Sergii Dolgushev.
• 🔈 Beyond Blocks podcast Episode 10: Twig, Symfony and SymfonyCasts with Ryan Weaver and Oliver Davies.
• Asynchronous state machine with Symfony Workflows by Danil.
• Decoupling Logic Through Custom Events in Symfony by Nikolay Nikolov.
• The average age of PHP code lines in Symfony:
  

  The average age of PHP code lines in @symfony
  75% of the lines are edited within the past 4 years. That’s pretty amazing for a codebase that it’s 15 years old!

  Also interesting to see some components that were more or less feature complete from the start (Mime, RateLimiter,…) pic.twitter.com/55UQkNLLU9

  — Wouter de Jong (@wouterj@phpc.social) (@wouterjnl) February 7, 2024

Laravel

• Laravel 11 is coming
  Learn more about the Laravel 11 release from Paul Redmond’s series of articles:
  • Dive into the Streamlined Directory Structure in Laravel 11
  • Eager Load Limit is Coming to Laravel 11
  • Model Casts are moving to methods in Laravel 11
  • The once() Memoization Helper is Coming to Laravel 11
  • New Laravel 11 Apps Include a Health Check Endpoint
• Laravel Reverb announced
  The Laravel team has announced a PHP native implementation of the WebSocket protocol.
  It is based on the ReactPHP async framework.
  

  We’re only using the ratchet protocol handler. The interface between ReactPHP and the protocol handler has been written by us so the Ratchet server package isn’t required.

  — Joe Dixon (@_joedixon) February 6, 2024

• Laravel Herd
  This local dev environment now comes with Windows support and a Pro version. It does not require you to deal with any package managers at all, as it ships everything pre-built.

  Learn more about what’s new in the Pro version from Taylor Otwell’s talk at Laracon EU 2024.

• Dear Laravel package authors… – Muhammed Sari offers a few pieces of advice about how to make better packages.
• PHP Monitor 7.0 now available by Nico Verbruggen.
• How to Measure Performance in Laravel Apps by Martin Joo.
• Generating status badges using PHP by Freek Van der Herten.
• Validation in Laravel made easy by Benjamin Crozat.
• Curlwind – An nice tool that allows you to load Tailwind classes without any build steps whatsoever. You can find the source here: stevebauman/curlwind.
• HelgeSverre/extractor – AI-powered data extraction for your Laravel application.

Misc

• Processing One Billion Rows in PHP! by Florian Engelhardt.

  The One Billion Row Challenge (1BRC) is a fun exploration of how far modern Java can be pushed for aggregating one billion rows from a text file.

  Florian showed how you can get a nice result with PHP. He went from a naive approach to a sophisticated parallelization with ext-parallel.

• The infamous Repository Pattern in PHP by Doeke Norg.
• Make your app faster with PHP 8.3 by Sarah Morgan.
• Rook to XSS: How I hacked chess.com with a rookie exploit by Jake Skii.
• Tips for optimizing integration tests by Kamil Ruczyński.
• PHP Strict Types: Hard to get right by Robert Landers.
• Exploring developer experience with PHP, public APIs, and beer by Joey McKenzie.
• 📺 PHP UK Conference 2024 – All talk recordings.
• 📺 Understanding Composition over Inheritance by Andrew Cairns.
  Amazing explanation – this is a must-watch! And if you prefer reading, it’s also available as a blog post.
• My PHP Problems by Daniel Leech – This reads more like a PHP wish list, anyway great analysis.
• Stop using old-fashioned closures in modern PHP. There are 4* ways to replace them by Vlad Reshetylo.
• Finalize Classes – Automated and Safe by Tomas Votruba.

Conferences

These PHP events are all worth a visit, and some are still accepting presentation proposals:

• Laracon India – Udaipur, India, March 23–24.
• PHP[TEK] 2024 – Chicago, IL, USA, April 23–25.
• phpday 2024 – Verona, Italy, May 16–17.
• International PHP Conference – Berlin, Germany, May 27–31.
• PHPers Summit – Poznań, Poland, June 21. CFP 🆕
• Laravel Live Denmark 2024 – Copenhagen, Denmark, August 22–23, 2024.
• Laracon 2024 – Dallas, TX, USA, August 27–28, 2024. CFP 🆕

Fun

• Is PHP dead? 🤔 – Here’s a fun puzzle with some nice easter eggs. Can you find all 8?

• maybe if millennials spent less on avocado toast and more time learning php, they’d be able to afford to buy a house

  — I Am Devloper (@iamdevloper) February 2, 2024

• Whenever people ask me “can WordPress handle high traffic?” I used to send them the CNN or the Nasa website, but now I’ll just share the Taylor Swift website https://t.co/GE7L4a74xv

  — Jonathan Bossenger (@jon_bossenger) February 5, 2024

If you have any interesting or useful links to share via PHP Annotated, please leave a comment on this post or send us a tweet.

Subscribe to PHP Annotated

Roman Pronskiy

Developer Advocate at @PhpStorm, Operations Manager at @The PHP Foundation.

Twitter | GitHub

Subscribe to PHP Annotated

Subscribe form

By submitting this form, I agree to the JetBrains Privacy Policy Notification icon

By submitting this form, I agree that JetBrains s.r.o. ("JetBrains") may use my name, email address, and location data to send me newsletters, including commercial communications, and to process my personal data for this purpose. I agree that JetBrains may process said data using third-party services for this purpose in accordance with the JetBrains Privacy Policy. I understand that I can revoke this consent at any time in my profile. In addition, an unsubscribe link is included in each email.

Submit

Thanks, we've got you!