PHP Annotated – April 2024

PHP Annotated Monthly
Welcome to the April edition of PHP Annotated! We’ll recap the most interesting developments in the PHP community over the past couple of months, featuring handpicked news, articles, tools, and videos.


  • PHP statement on glibc/iconv vulnerability

    The hype around CVE-2024-2961 in relation to PHP was extremely exaggerated. Many people were under the impression that the vulnerability existed within the language itself and that its impact on PHP developers was immense. However, this is not the case.

    The vulnerability can be remotely exploited only if an application uses functions and stream filters from the iconv extension with non-validated encodings received from external sources.

    Your code would have to exhibit something quite unusual to be susceptible to such an attack:

    iconv ('utf-8', $_REQUEST[‘charset’],' my -text’);

    It’s better to be overly cautious and check for iconv usages.

    Don’t expect a patch release from PHP in this regard, as glibc is a dynamically linked library that’s not compiled with the interpreter. Updating glibc would be sufficient or at least apply a workaround.

  • PHP 8.1.28, PHP 8.2.18, and PHP 8.3.6 released

    ❗️These security updates fixed CVE-2024-1874, CVE-2024-2756, and CVE-2024-3096. PHP 8.3.6 additionally fixes CVE-2024-2757.

  • Everything to know about the XZ backdoor
    If you haven’t followed the story, here’s a brief summary of what happened.
    Someone behind the JiaT75 GitHub account contributed to liblzma for two years, building an SSH backdoor without other maintainers noticing. The hacker made more than 700 commits, only a few of which were malicious and hidden in test files.

    The odd behavior was accidentally discovered while doing some microbenchmarking of the XZ Util.

    This attack is likely not an isolated incident. The OpenJS Foundation has already reported on failed credible takeover attempts of their projects.

    If you maintain an open-source project, the article, Principles for Package Repository Security, is worth checking out.

  • Joining Forces for Open Source Cybersecurity Standards

    The PHP Foundation will collaborate with the Apache Software, Eclipse, Rust, and Python Software Foundations to establish standards for the European Union’s Cyber Resilience Act (CRA).

    The CRA is the first law anywhere in the world regulating the software industry as a whole. It forces certain OSS projects to follow cybersecurity policies, report incidents and vulnerabilities, and cooperate with market surveillance authorities.

  • PHP in 2024 by Brent Roose.

PHP Core

  • RFC: Property hooks

    Hooks have become one of the biggest additions to the PHP language in recent years. After much discussion, the authors of the proposal, Larry Garfield and Ilija Tovilo, updated the RFC’s details. And it’s now accepted.

    This significantly reduces getter/setter boilerplate code:

    class Foo
        private int $runs = 0;
        public function getRuns(): int { return $this->runs; }
        public function setRuns(int $runs): void
          if ($runs <= 0) throw new Exception();
          $this->runs = $runs;
    $f = new Foo();
    $f->setRuns($f->getRuns() + 1);

    With property hooks, this can be simplified to:

    class Foo
        public int $runs = 0 {
            set {
                if ($value <= 0) throw new Exception();
                $this->runs = $value;
    $f = new Foo();
  • 📣 RFC: new MyClass()->method() without parentheses

    Valentin Udaltsov suggested removing unnecessary parentheses in object initialization expressions, which triggered a heated discussion on X (formerly Twitter).

  • 📣 RFC: array_find

    Joshua Rüsweg proposed adding a new function to find the first element for which a predicate callback returns true.

    $array = [ 'a' => 'dog', 'b' => 'cat', 'c' => 'cow', 'd' => 'duck', 'e' => 'goose'];
    // Find the first animal whose name begins with c: 
    var_dump(array_find($array, function (string $value) {
        return str_starts_with($value, 'c');
    })); // cat
  • 📣 RFC: Casing of acronyms in class and method names
    Tim Düsterhus proposed revisiting the prior decision of the Class Naming RFC and suggested treating acronyms like regular words and using PascalCase for class names.
  • 📣 RFC: Support object type in BCMath
    BCMath currently supports only procedural functions. Saki Takamachi proposed adding support for object types in the module.

    use BCMath\Number;
    $num = new Number('1');
    $num2 = new Number('2');
    $result = $num + $num2;
    $result->value; // '3'
    var_dump($num > $num2); // false

    It comes with operator overloading, as you see.

  • RFC: Deprecate GET/POST sessions
    PHP currently supports two ways of accepting session token IDs: via cookies or using GET/POST request parameters.

    Using URL parameters (GET) and hidden form input fields (POST) has many drawbacks, both in terms of security and usability.

    Accepting session token IDs using GET or POST parameters will be deprecated in PHP 8.4 and removed in PHP 9.

  • RFC: Release cycle update

    Security support for major PHP versions has increased by one year. The lifespan of each PHP version will be 4 years: 2 years of bug fixes and 2 years of security fixes.

    The changes apply immediately to all currently supported branches, and the PHP 8.1 branch will receive an additional year of security fixes.

  • RFC: Deprecate implicitly nullable parameter types
  • RFC: Dedicated StreamBucket class
  • RFC: Grapheme cluster for str_split function: grapheme_str_split
  • 📣 RFC: Add openStream() to XML{Reader,Writer}
  • PHP 8.4 release managers announced

    Following tradition, PHP 8.4 will have 2 rookie release managers: Saki Takamachi, a PHP core developer sponsored by the PHP Foundation, and Calvin Buckley. They will be assisted by veteran release manager Eric Mann.

  • If you’re interested in building PHP extensions, here are some fresh tutorials:





Other Frameworks



These PHP events are all worth a visit, and some are still accepting presentation proposals:


If you’re wondering when the next PHP meetup is happening near you, check out the calendar on

If you have any interesting or useful links to share via PHP Annotated, please leave a comment on this post or let us know on X (formerly Twitter).

Subscribe to PHP Annotated

Roman Pronskiy

Developer Advocate at @PhpStorm, Operations Manager at @The PHP Foundation.

Twitter | GitHub

image description