PHP Annotated – April 2024
Welcome to the April edition of PHP Annotated! We’ll recap the most interesting developments in the PHP community over the past couple of months, featuring handpicked news, articles, tools, and videos.
Highlights
- PHP statement on glibc/iconv vulnerability
The hype around CVE-2024-2961 in relation to PHP was extremely exaggerated. Many people were under the impression that the vulnerability existed within the language itself and that its impact on PHP developers was immense. However, this is not the case.
The vulnerability can be remotely exploited only if an application uses functions and stream filters from the
iconv
extension with non-validated encodings received from external sources.Your code would have to exhibit something quite unusual to be susceptible to such an attack:
iconv ('utf-8', $_REQUEST[‘charset’],' my -text’);
It’s better to be overly cautious and check for
iconv
usages.Don’t expect a patch release from PHP in this regard, as
glibc
is a dynamically linked library that’s not compiled with the interpreter. Updatingglibc
would be sufficient or at least apply a workaround. - PHP 8.1.28, PHP 8.2.18, and PHP 8.3.6 released
- Everything to know about the XZ backdoor
If you haven’t followed the story, here’s a brief summary of what happened.
Someone behind the JiaT75 GitHub account contributed toliblzma
for two years, building an SSH backdoor without other maintainers noticing. The hacker made more than 700 commits, only a few of which were malicious and hidden in test files.The odd behavior was accidentally discovered while doing some microbenchmarking of the XZ Util.
This attack is likely not an isolated incident. The OpenJS Foundation has already reported on failed credible takeover attempts of their projects.
If you maintain an open-source project, the article, Principles for Package Repository Security, is worth checking out.
- Joining Forces for Open Source Cybersecurity Standards
The PHP Foundation will collaborate with the Apache Software, Eclipse, Rust, and Python Software Foundations to establish standards for the European Union’s Cyber Resilience Act (CRA).
The CRA is the first law anywhere in the world regulating the software industry as a whole. It forces certain OSS projects to follow cybersecurity policies, report incidents and vulnerabilities, and cooperate with market surveillance authorities.
- PHP in 2024 by Brent Roose.
PHP Core
- ✅ RFC: Property hooks
Hooks have become one of the biggest additions to the PHP language in recent years. After much discussion, the authors of the proposal, Larry Garfield and Ilija Tovilo, updated the RFC’s details. And it’s now accepted.
This significantly reduces getter/setter boilerplate code:
class Foo { private int $runs = 0; public function getRuns(): int { return $this->runs; } public function setRuns(int $runs): void { if ($runs <= 0) throw new Exception(); $this->runs = $runs; } } $f = new Foo(); $f->setRuns($f->getRuns() + 1);
With property hooks, this can be simplified to:
class Foo { public int $runs = 0 { set { if ($value <= 0) throw new Exception(); $this->runs = $value; } } } $f = new Foo(); $f->runs++;
- 📣 RFC: new MyClass()->method() without parentheses
Valentin Udaltsov suggested removing unnecessary parentheses in object initialization expressions, which triggered a heated discussion on X (formerly Twitter).
new MyClass()->method()
without parentheseshttps://t.co/ZslOGSaIzXWhat are your thoughts? pic.twitter.com/J6uWKXdnYj
— Roman Pronskiy (@pronskiy) December 26, 2023
- 📣 RFC: array_find
Joshua Rüsweg proposed adding a new function to find the first element for which a predicate callback returns true.
$array = [ 'a' => 'dog', 'b' => 'cat', 'c' => 'cow', 'd' => 'duck', 'e' => 'goose']; // Find the first animal whose name begins with c: var_dump(array_find($array, function (string $value) { return str_starts_with($value, 'c'); })); // cat
- 📣 RFC: Casing of acronyms in class and method names
Tim Düsterhus proposed revisiting the prior decision of the Class Naming RFC and suggested treating acronyms like regular words and using PascalCase for class names. - 📣 RFC: Support object type in BCMath
BCMath currently supports only procedural functions. Saki Takamachi proposed adding support for object types in the module.use BCMath\Number; $num = new Number('1'); $num2 = new Number('2'); $result = $num + $num2; $result->value; // '3' var_dump($num > $num2); // false
It comes with operator overloading, as you see.
- ✅ RFC: Deprecate GET/POST sessions
PHP currently supports two ways of accepting session token IDs: via cookies or using GET/POST request parameters.Using URL parameters (GET) and hidden form input fields (POST) has many drawbacks, both in terms of security and usability.
Accepting session token IDs using GET or POST parameters will be deprecated in PHP 8.4 and removed in PHP 9.
- ✅ RFC: Release cycle update
Security support for major PHP versions has increased by one year. The lifespan of each PHP version will be 4 years: 2 years of bug fixes and 2 years of security fixes.
The changes apply immediately to all currently supported branches, and the PHP 8.1 branch will receive an additional year of security fixes.
- ✅ RFC: Deprecate implicitly nullable parameter types
- ✅ RFC: Dedicated StreamBucket class
- ✅ RFC: Grapheme cluster for str_split function: grapheme_str_split
- 📣 RFC: Add openStream() to XML{Reader,Writer}
- PHP 8.4 release managers announced
Following tradition, PHP 8.4 will have 2 rookie release managers: Saki Takamachi, a PHP core developer sponsored by the PHP Foundation, and Calvin Buckley. They will be assisted by veteran release manager Eric Mann.
- If you’re interested in building PHP extensions, here are some fresh tutorials:
- 📺 Writing PHP Extensions: Creating a Skeleton by Derick Rethans.
- 📺 How to Write a PHP Extension with Zig by Mateusz Charytoniuk.
PhpStorm
- PhpStorm 2024.1 is out and includes:
- Full line local AI-powered code completion
- Support for Symfony’s AssetMapper and PHPUnit 11.0
- A new terminal (Beta)
- Improvements for Pest
- Jeffrey Way’s PhpStorm Setup in 2024.
Tools
- Modelflow AI – A set of PHP packages that integrates various AI models and embeddings into a unified interface.
- CodeWithKyrian/transformers-php – A toolkit for PHP developers to add machine learning capabilities to their projects easily. Intro post: Announcing TransformersPHP.
- distantmagic/resonance – A framework specifically designed for building web applications with AI and ML capabilities. It’s based on Swoole and has built-in web and WebSocket servers.
- tempestphp/highlight – Fast, extensible, server-side code highlighting for web and terminal. Intro post: I wrote a code highlighter from scratch. See how to use it with Twig and Symfony.
- pronskiy/phpup – A single-file binary with zero dependencies that includes Composer and other PHP tools. It’s inspired by rustup and allows installing a per-project PHP based on your
composer.json
. - maglnet/ComposerRequireChecker – A CLI tool to check whether a specific composer package uses imported symbols that aren’t part of its direct composer dependencies.
- Can I PHP? – A Raycast extension that enables checking if a certain function or method is available in different versions of PHP.
- opencodeco/codespaces-php – A GitHub Codespaces template for PHP that allows you to start developing a PHP project in no time on a remote machine. Try it out!
- php-forge/foxy – A BUN/NPM/Yarn/PNpM bridge for Composer that’s compatible with Yii assets, Symfony Webpack Encore, and Laravel Mix.
- nazmulpcc/php-webview – A WebView extension for PHP. This is a PoC, but in theory, it could be a nice basis for NativePHP.
- buttress/phpx – An experimental
DOMDocument
wrapper that generates safe HTML with ergonomic syntax. - luzrain/phpstreamserver – A PHP application server and process manager written in PHP on top of revoltphp/event-loop. It’s somewhat similar to php-pm/php-pm.
- JBZoo/CSV-Blueprint – A strict and automated line-by-line CSV validation tool based on customizable YAML schemas.
- shipmonk-rnd/composer-dependency-analyser – A tool for the fast detection of composer dependency issues, such as unused dependencies, shadow dependencies, and misplaced dependencies.
- paragonie/phpecc – A pure PHP elliptic curve cryptography library.
- libvips/php-vips – An extremely fast image manipulation package that’s ~5 times faster than Imagick or GD and consumes less memory. It’s a good FFI example.
-
Gentle reminder. Most of the time, you don't need fancy CSV library to parse a huge filehttps://t.co/So2KXBTd6e pic.twitter.com/GyxvYVjKHE
— Gregoire Pineau (@lyrixx) April 23, 2024
Symfony
- livetechhelper/symfony-bref-starter – A starter kit for Symfony projects using Bref and serverless architecture, enabling easy deployments with a near infinite scale.
- strangebuzz/MicroSymfony – A supercharged Symfony 7.0 application skeleton.
- Parthenon Is Now Open Source – Symfony SaaS boilerplate including users, payments, admin panel, and more.
- Avoiding Pitfalls with Doctrine ORM: The Impact of Type Hints by Dawid Wołosowicz.
- How I Use The Doctrine ORM QueryBuilder by Kerrial Newham.
- How to debug ANY Symfony command simply passing
-x
by Adamo Crespi. - Creating your Own Makers in Symfony 7 by Raziel Rodrigues.
- Contributing to Symfony MakerBundle by Jérôme Gangneux.
- Messenger: consume all transports on Symfony 6.4 by Grzegorz Korba.
Laravel
- Introducing the Context Facade in Laravel by Paul Redmond.
- Laravel Herd for Windows is now released.
- Encryption and the in-between by James Brooks.
- hotmeteor/receiver – A drop-in webhook handling library for Laravel.
- hotmeteor/spectator – OpenAPI testing for PHP.
- Run a WordPress blog alongside your Laravel app by Adam Campbell.
- Generate Code Coverage in Laravel With PCOV by Paul Redmond.
Other Frameworks
- WordPress 6.5 “Regina” is released.
- Studio by WordPress.com – A desktop application to run a local dev environment for WordPress. AFAICT, it is based on WebAssembly and uses WordPress Playground under the hood.
- Speculative Loading – This plugin by WordPress Core Performance Team adds support for the Speculation Rules API, which allows defining rules by which certain URLs are dynamically prefetched or prerendered based on user interaction.
- WordPress/Requests – The user-friendly WordPress HTTP client package for PHP.
Misc
- Introduction to Swoole (and Asynchronous PHP) by Mateusz Charytoniuk.
- Testing Patterns by Brent Roose.
- Measuring the DOM Namespace Reconciliation Performance Fix by Benjamin Eberlei.
How to achieve a 94% performance boost by relying on an optimization in the DOM extension in PHP 8.3 made by Niels Dossche. - Building PHP docker images in a better way with Wolfi-OS by Soner Sayakci.
A better way to build PHP Docker images that doesn’t require compiling required, uses smaller images than Alpine, and has no incompatibilities or performance problems with PHP. - php.hospital – Insights and common pitfalls when modernizing legacy PHP.
- Finalize Classes – Automated and Safe by Tomas Votruba.
Conferences
These PHP events are all worth a visit, and some are still accepting presentation proposals:
- phpday 2024 – Verona, Italy, May 16–17.
- International PHP Conference – Berlin, Germany, May 27–31.
- SymfonyOnline June 2024 – June 6–7.
- SymfonyLive Berlin 2024 – Berlin, Germany, June 20–21.
- PHPers Summit – Poznań, Poland, June 21. CFP 🆕
- CakeFest – Luxembourg, July 24–26. 🆕
- Laracon 2024 – Dallas, TX, USA, August 27–28. CFP
- PHP Serbia 2024 – Belgrade, Serbia, September 2024. 🆕
- Laracon AU – Brisbane, Australia, November 7–8. CFP 🆕
Fun
-
1) it is possible to call a method 'as', because relaxed keywords #PHP methods
2) it is possible to import a method from a trait, and alias it to itself.It is possible to write 'as as as ' in #PHP and make sense.#phptip #phptrick pic.twitter.com/uooMazwmVp
— Damien Seguy (@dseguy@phpc.social) (@faguo) March 14, 2024
More gems at php-tips.readthedocs.io.
-
#PHP Challenge : Can you rewrite function to be more "clear" ?
Code here👉 https://t.co/ixgQROuCyh pic.twitter.com/kK3iVdPVYy— Frédéric Bouchery 🌟 (@FredBouchery) April 10, 2024
If you’re wondering when the next PHP meetup is happening near you, check out the calendar on php.net.
If you have any interesting or useful links to share via PHP Annotated, please leave a comment on this post or let us know on X (formerly Twitter).