PHP Annotated — September 2021

Greetings everyone!
PHP 8.1 has reached the first release candidate and the list of changes has been finalized. We’ll see at least 5 more release candidates before the final release, which is planned for the end of November.

Meanwhile, discussions are already taking place in PHP internals regarding three more proposals for PHP 8.2: operator overloading, the $this type hint, and deprecating dynamic properties.

Beware of malware Composer packages! Two of them were recently discovered on Packagist.

PHP-FIG discusses adding a new type of standard to PSRs.

You can read more about this news in the September edition of PHP Annotated. As usual, we’ve carefully selected a variety of excellent articles, tools, videos, and streams for you.

News

PHP 8.1.0 RC 1

The final release is still two and a half months away with at least 5 release candidates coming.

The final release of version 8.1 is still two and a half months off, with at least 5 release candidates on the way. Here’s a micro tutorial on how to install PHP 8.1 on macOS via Homebrew. Additionally, PHP 8.1 has ready-made Docker images.

You can find a comprehensive description of what’s coming in PHP 8.1 at php.watch/versions/8.1 and on Brent Rooses’s blog, stitcher.io/blog/new-in-php-81.

PHP 8.0.10, PHP 7.4.23, PHP 7.3.30

Security and bugfix updates for current branches.

The end of Swiftmailer

The popular mail package Swiftmailer will only be supported until November. It will be replaced by symfony/mailer.

Symfony/mailer’s features and concepts replicate Swiftmailer, so migrating should be fairly easy. Rector has a migration script, and it simply needs to rename classes.

PHP Evolving Recommendations (PERs)

PHP-FIG currently releases only PSP standards. The problem is that some standards require constant refinement. For example, in the case of code styles, PSR-12 replaced PSR-2, and now it does not include new features from PHP 7.4-8.0.

There is now a proposal to adopt a special type of recommendation called PER, which can be changed over time.

PERs are (will be/are intended for) situations where having a standard “build up” over time makes sense. Coding standards, type libraries, docblock tags, etc.

PSRs are a good fit for “we want to design a single agreed upon target we can rely on not changing.”

— Larry Garfield (@Crell) September 9, 2021

Malware Composer packages

On Packagist, there was a package called symfont/process which did exactly the same thing as symfony/process, but it also gathered information about the machine, sent it to a third party, and opened a web shell.

The attacker expected that users would potentially misspell the package name during installation and type symfont instead of symfony.

The malware package has already been removed from both Packagist and GitHub, and an analysis of how it worked is available.

Another backdoor was found in the laraveli/qr-code package. As you can see from the code, the malware was copying this type of web shell onto the machine.

To protect yourself from attacks like these, you can add a local-php-security-checker to your CI pipeline or use the the-php-security-checker GitHub Action.

For more complex cases, you can run the marcocesarato/PHP-Antimalware-Scanner.

The hautelook/alice-bundle repository was removed from GitHub

The package has more than 8 million downloads, and the main contributor doesn’t know why he was removed from the maintainers list and the repository was apparently made private.

I have no idea: the repository seem to have been made private and I have been removed from the maintainers (although I can still see the repo)

— Théo Fidry (@tfidry) September 9, 2021

A working fork is available on Théo’s GitHub profile: theofidry/AliceBundle.

PHP Internals

[RFC] Deprecate dynamic properties

In current versions of PHP, if you try to write to a property that doesn’t exist, it will be automatically created.

In modern code, writing to a nonexistent property is rarely done intentionally – it is usually a mistake.

This RFC proposes to deprecate and subsequently remove the ability to create dynamic (undeclared) properties.

class User {
public $name;
}

$user = new User;

// Assigns declared property User::$name.
$user->name = „foo“;

// Oops, a typo:
$user->nane = „foo“;

// PHP 8.2: Throws a warning but still creates a dynamic property.
// PHP 9.0: Throws Error exception.

This change would not apply to stdClass and its inheritors. The behavior of magical methods __get/__set would also be unaffected by this change.
$obj = (object) []; // = new stdClass;

// No deprecation warning
$obj->foo = 1;

class myStdClass extends stdClass {}
$obj2 = new myStdClass;

// No deprecation warning
$obj2->bar = 1;

With this change in PHP 9.0, it would be possible to reduce the size of objects by 8 bytes. For a single object, of course, this is nothing. But cumulatively for large applications it could result in a noticeable difference.

There is also a discussion on whether it makes sense to alias stdClass to DynamicObject.

[RFC] User Defined Operator Overloads

In this RFC, Jordan LeDoux essentially proposes to define a different magic method for each operator, e.g. __add() for `+` or __equals() for `==`.
Using these methods would make it possible to describe the desired behavior of operators applied to objects.

$a = new Number(8);
$b = new Number(6);
$c = new Number(4);

// Instead of this
$posRoot = $b->mul(-1)->add($b->pow(2)->sub($a->mul($c)->mul(4))->sqrt())->div($a->mul(2));

// It would be possible do it like this
$posRoot = ((-1 * $b) + ($b ** 2 – 4 * $a * $c)->sqrt()) / (2 * $a);

If the proposal is accepted, it would become possible to implement the behavior of scalar objects in userland code.

[RFC] $this return type

Nikita brought up the idea of using $this as the return value type. This would cause the interpreter to check that an object is the same as the one that is returned.

Here is how it compares with self and static by Ben Ramsey:

self – The return value must be an instance of the same class that sets this type declaration.
static – The return value must be an instance of the same class that calls the method with this type declaration.
$this – The return value must be the same instance as the instance that calls the method with this type declaration.

class Test {
public function method(): $this {
return $this;
}

public function not_this(): $this {
return new self(); // Fatal Error
}
}

[RFC] Deprecate partially supported callables

The following callables are currently accepted by the callable, the is_callable() function, and call_user_func(), but are not supported byn $callable().

„self::method“
„parent::method“
„static::method“
[„self“, „method“]
[„parent“, „method“]
[„static“, „method“]
[„Foo“, „Bar::method“]
[new Foo, „Bar::method“]

This RFC proposes to deprecate in PHP 8.2 and remove in PHP 9.0 support for these callables.

Normal callables like „function“, „Foo::method“, [„Foo“, „method“], or [new Foo, „method“] would not be affected by this proposal because for them, calling with braces will work as expected:

class Foo {
function method() {
echo ‚method‘;
}
}
[new Foo, „method“]();
// > method

All PHP RFCs on GitHub

As an experiment, Ben Ramsey, the PHP 8.1 release manager, exported all 838 RFCs ever discussed to Git, along with the change history for each.

Tools

whsv26/functional – The author ran into problems with existing PHP implementations of collections and wrote his own package.
phabelio/phabel – This transpiler for PHP makes it possible to use features from the latest PHP versions in older environments, or when backward compatibility must be maintained. You can also start adding support for features that don’t yet exist, such as the async/await keywords.
 
Similar tools already exist, like marcioAlmada/yay or preprocess.io. And Rector can also do backports. But the special thing about Phabel is the transparent integration with Composer.
phparkitect/arkitect – A tool for defining and checking architectural rules for your project.
niklongstone/regex-reverse – Generates a random string that satisfies a given regular expression.
azjezz/psl – What a standard PHP library might look like.
github-php/sponsors – A package for working with the GitHub Sponsors API. You can organize access control by checking whether the user is a sponsor.
koriym/Koriym.Attributes – A simple tool that allows you to read PHPDoc annotations and PHP 8 attributes through a single interface. The more advanced spiral/attributes is also available for the same tasks.
grep.app – A handy tool for quick code searches on GitHub.
mrsuh/php-generics — PHP generics written in PHP. This is an interesting and functional attempt to implement syntax-level generics in PHP.

Symfony

kafkiansky/symfony-middleware – PSR-15-compatible middlewares for Symfony.
lexik/LexikTranslationBundle – This allows you to import translations into the database and provides an interface for easy editing.
Helpers for testing your applications based on Symfony components: zenstruck/mailer-test, zenstruck/console-test, zenstruck/messenger-test, zenstruck/browser.
Symfony Messenger in microservices: message contracts and resilience – Interesting read about microservices and asynchronous communication.
Ultimate Guide to Symfony Components – Which ones you should use in your projects, and when you should use them.
How to dynamically validate some data with Symfony Validator.
Symfony plugin for PhpStorm has just got support for PHP8 Doctrine metadata attributes.

Laravel

State of Laravel 2021 survey results and a video review of the results from Laravel Daily.
lepikhinb/laravel-fluent – This package provides an expressive way to define model attributes. It automatically builds casts at runtime and adds native autocompletion to the models’ properties.
Creating a RoadRunner plugin for Laravel Octane.
Testing Laravel – Spatie’s paid testing course, with free episodes available: Testing Middleware,
Cool Laravel Testing Techniques, and Testing a Form.
The Queue Component in Laravel – A continuation of the series of videos about the framework for those who are just starting out.
Planning & Kickstarting the Laravel Application – An interesting stream from Mohamed Said, a member of the Laravel core team. In the stream, he writes an app and comments on the steps he takes to do so.
 
Christoph Rumpel built a cool website, larastreamers.com, where you can get notifications about all the upcoming streams.
PHP Roundtable: 10 Years Laravel with Taylor Otwell, Matt Stauffer, and Eric Barnes.

Yii

Yii news 2021, issue 3

Misc

A couple of posts from Larry Garfield with helpful test-writing techniques: Fun with PHPUnit Data Providers and Advanced PHPUnit shenanigans.
Test tip from Matthias Noback: Write self-contained tests.
On using PSR abstractions – Matthias Noback discusses whether it’s better to tie your code to PSRs, make wrappers, or write your own interfaces. Brent Roose has a response to this.
Creating a public/private multi-monorepo for PHP projects.
All about match expressions from PHP 8.0.
A couple of videos about Xdebug 3 from Derick Rethans: Profiling: Analysing Data, Activation and Triggers.

Podcasts

devmode #89 – Should Craft CMS use Yii3 or Laravel? – CraftCMS is a commercial CMS based on Yii2. In this podcast, its developers discuss the Craft CMS ecosystem and its potential transition to Laravel.
PHP Internals News #94 – Nikita Popov discusses RFC Unwrap Reference After Foreach.
PHP Internals News #93 Jordan LeDoux discusses the already revoked RFC Never For Parameter Types.

Thanks for reading. We hope you have a great day!

If you have any interesting or useful links to share via PHP Annotated, please leave a comment on this post or send me a tweet.

Subscribe to PHP Annotated

Your JetBrains PhpStorm team
The Drive to Develop

The PhpStorm Blog : The Lightning-Smart IDE for PHP Programming | JetBrains Blog
Read More

Generated by Feedzy