Nathan Dench

What’s new in PHP land? - Q3 2020

2020-11-16T00:00:00+10:00

I co-organise the BrisPHP Meetup and at the start of every meetup I give a quick talk on recent news and other interesting things that have been happening in the PHP world. This issue is all about PHP 8.0, Laravel 8 and Composer 2.

PHP Versions

PHP 8.0 is less than 2 weeks away, it will go live on the 26th of November!

Additionally, security support left for PHP 7.2 ends on the 30th of November Updating to 7.3 or 7.4 is quite seamless, so make sure you do ASAP!

Shorter attributes

RFC

Setting a new record for the number of accepted RFCs for a single feature, we have a new syntax for attributes. The 4th accepted attribute RFC changes attributes from @@ to #[].

The main reason behind changing this again are:

The @@ syntax turned out to be harder than originally anticipated (due to @ already being a valid token on it’s own)
The @@ syntax removed the ability to group annotations, which was in a previously accepted RFC
The @@ syntax does not have a closing delimiter, which is inconsistent with other language features
The #[] gives forward compatibility, ie. annotations can exist in code that is run on older language versions

The RFC shows an example of a doctrine entity with the new syntax:

<?php

use Doctrine\ORM\Attributes as ORM;
use Symfony\Component\Validator\Constraints as Assert;
 
#[
  ORM\Entity,
  ORM\Table("user")
]
class User
{
    #[ORM\Id, ORM\Column("integer"), ORM\GeneratedValue]
    private $id;
 
    #[ORM\Column("string", ORM\Column::UNIQUE)]
    #[Assert\Email(["message" => "The email '' is not a valid email."])]
    private $email;
}

Match expression

RFC

This new expression is a direct competitor of the switch statement. It gives all the advantages with none of the disadvantges, namely:

no type coercion
exception if the parameter does not match any branch
no need for a break -> can’t fallthrough to the next branch

The example from the RFC shows how much clearer a match is when compared to a switch:

<?php

// Before
switch ($this->lexer->lookahead['type']) {
    case Lexer::T_SELECT:
        $statement = $this->SelectStatement();
        break;
 
    case Lexer::T_UPDATE:
        $statement = $this->UpdateStatement();
        break;
 
    case Lexer::T_DELETE:
        $statement = $this->DeleteStatement();
        break;
 
    default:
        $this->syntaxError('SELECT, UPDATE or DELETE');
        break;
}
 
// After
$statement = match ($this->lexer->lookahead['type']) {
    Lexer::T_SELECT => $this->SelectStatement(),
    Lexer::T_UPDATE => $this->UpdateStatement(),
    Lexer::T_DELETE => $this->DeleteStatement(),
    default => $this->syntaxError('SELECT, UPDATE or DELETE'),
};

Named parameters

RFC

Named parameters allow us to pass parameters to functions by their name instead of their position in the parameter list. You can combine both of these approaches, but you cannot specify a positional paramater after a named one. A simple example from the RFC shows the main advantages:

<?php

// Without named parameters
htmlspecialchars($string, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);

// With named parameters
htmlspecialchars($string, double_encode: false);

Using named arguments makes the code more readable, ie. the boolean flag is self-documented. It also makes it possible to skip over parameters which have default values.

Value objects or DTOs often either have large parameter lists with many default values, or take a single $options associative array which is then parsed in the constructor. Using named parameters can greatly improve the API of any large value object.

Laravel 8

Laravel 8 has been released and it contains a bunch of cool new features:

Jetstream -> scaffolding to make it quicker to start a new Laravel project. Comes with user management and API support built in, and your choice of Liveware or Inertia for the frontend
New app/Models directory in the application skeleton to help organise your models
Squash migrations into a single SQL file
Improved rate limiting with much more flexibility
Time testing helpers to easily manipulate the current time in tsets

Job batching, with support for then, try, catch, finally

  <?php

  $batch = Bus::batch([
      new ProcessPodcast(Podcast::find(1)),
      new ProcessPodcast(Podcast::find(2)),
      new ProcessPodcast(Podcast::find(3)),
      new ProcessPodcast(Podcast::find(4)),
      new ProcessPodcast(Podcast::find(5)),
  ])->then(function (Batch $batch) {
      // All jobs completed successfully...
  })->catch(function (Batch $batch, Throwable $e) {
      // First batch job failure detected...
  })->finally(function (Batch $batch) {
      // The batch has finished executing...
  })->dispatch();

Model factories are now class based

  <?php
  // database/factories/UserFactory.php

  // Old way
  $factory->define(App\User::class, function (Faker $faker) {
      return [
          'name' => $faker->name,
          'email' => $faker->unique()->safeEmail,
          'email_verified_at' => now(),
          'password' => 'not a real password',
          'remember_token' => Str::random(10),
      ];
  });


  // New way
  class UserFactory extends Factory
  {
      /**
       * The name of the factory's corresponding model.
       *
       * @var string
       */
      protected $model = User::class;

      /**
       * Define the model's default state.
       *
       * @return array
       */
      public function definition()
      {
          return [
              'name' => $this->faker->name,
              'email' => $this->faker->unique()->safeEmail,
              'email_verified_at' => now(),
              'password' => 'not a real password',
              'remember_token' => Str::random(10),
          ];
      }
  }

  <?php

  // Old way
  $users = factory(App\User::class, 3)->make();

  // Nwe way
  $users = User::factory()->count(3)->make();

Composer 2

Composer version 2 is now available! It’s most anticipated feature being a massive preformance improvement:

Using Nginx like an AWS load balancer in local dev

2020-09-30T00:00:00+10:00

A typical production web application is set up behind a load balancer, with the SSL connection terminating at the load balancer. The web server then has an nginx reverse proxy accepting a plain HTTP connection and proxying through to the application.

Without having a load balancer in your local development environment, the nginx setup is the same, but the application is accessed over a HTTP connection. This creates a separation between production and development which can become a problem. Especially if you’re building an integration which requires the application be served over a HTTPS connection.

In this post, we’ll add another nginx reverse proxy in the front which will accept and terminate the SSL connection.

Creating the SSL certificate

Creating a self signed certificate is easy, however some tools will still not trust it even if you add it as a trusted root certificate. To get around this, we have to create a root Certificate Authority (CA) which we will use to sign our SSL certificate. Once we add the root CA certificate to our system, then everything will trust our SSL certificate.

You can use the following script to create the root CA and private encryption keys.

create_root_cert_and_key.sh:

#!/usr/bin/env bash

##########################################################################
# Create a root CA certificate that devs can add as trusted.
# We use this root certificate to create other ssl certificates which are
# not "self signed".
# Adapted from https://stackoverflow.com/a/43666288/1393498
##########################################################################

if [ -f rootCA.pem ]; then
  echo 'rootCA.pem already exists!'
  exit
fi

if [ -f rootCA.key ]; then
  echo 'rootCA.key already exists!'
  exit
fi

if [ -f certificate.key ]; then
  echo 'certificate.key already exists!'
  exit
fi

# Create the root CA's private key and certificate
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

# Create a private key to be used to sign other certificates
openssl genrsa -out certificate.key 2048

echo
echo "###################################################################"
echo Done!
echo "###################################################################"
echo "You can generate new certificates with create_cert_for_domain.sh"
echo "Be sure to add the generated rootCA as trusted to your system"
echo
echo "For Mac:"
echo "    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem"
echo
echo "For Arch:"
echo "    sudo trust anchor --store rootCA.pem"
echo
echo "For Ubuntu:"
echo "    sudo cp rootCA.pem /usr/local/share/ca-certificates/myRootCA.crt"
echo "    sudo update-ca-certificates"

Running this script will generate:

rootCA.key
- your root CA private encryption key
- used to sign SSL certificates
- must be kept a secret
- anyone with access to this can serve you any content over HTTPS, and your system will trust it
rootCA.pem
- certificate for your root CA
- will be added to your system as a trusted root CA
certificate.key
- private encryption key used for any SSL certificates you generate
- must be kept a secret

You can now use the following script to create an SSL certificate for any domain.

create_cert_for_domain.sh:

#!/usr/bin/env bash

##########################################################################
# Create an ssl certificate which is signed by our own root CA.
# The certificate is not "self signed" and easier for tools to trust.
# Note: We need to add the root CA as "trusted" for it to work.
# Adapted from https://stackoverflow.com/a/43666288/1393498
##########################################################################

if [ ! -f rootCA.pem ]; then
  echo 'rootCA.pem does not exist'
  echo 'Create it with "create_root_cert_and_key.sh"'
  exit
fi

if [ ! -f rootCA.key ]; then
  echo 'rootCA.key does not exist'
  echo 'Create it with "create_root_cert_and_key.sh"'
  exit
fi

if [ ! -f certificate.key ]; then
  echo 'certificate.key does not exist'
  echo 'Create it with "create_root_cert_and_key.sh"'
  exit
fi

if [ -z "$1" ]
then
  echo "Please supply a subdomain to create a certificate for"
  echo "e.g. www.mysite.com"
  exit
fi

DOMAIN=$1
SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=${DOMAIN}"
NUM_OF_DAYS=825
EXT_FILE_PATH=/tmp/__v3.ext

# An extension is used to pass metadata into the certificate
# It specifies the subjectAltName, # which is required by some 
# tools in order to trust the certificate (eg. Chrome)
cat > ${EXT_FILE_PATH} <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${DOMAIN}
DNS.2 = *.${DOMAIN}
EOF

# Create the certificate and the certificate signing request
openssl req -new -newkey rsa:2048 -sha256 -nodes -key certificate.key -subj "$SUBJECT" -out ${DOMAIN}.csr

# Sign the certificate as the root CA
openssl x509 -req -in ${DOMAIN}.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ${DOMAIN}.crt -days ${NUM_OF_DAYS} -sha256 -extfile ${EXT_FILE_PATH}

echo
echo "###################################################################"
echo Done!
echo "###################################################################"
echo "To use these files on your server, simply copy both ${DOMAIN}.csr"
echo "and certificate.key to your webserver (Nginx example)"
echo
echo "    ssl_certificate /etc/ssl/certs/${DOMAIN}.crt;"
echo "    ssl_certificate_key /etc/ssl/private/certificate.key;"

Running this script with example.com will generate:

example.com.csr
- a Certificate Signing Request
- used to sign example.com.crt
- this step would be skipped if you used a self-signed certificate
example.com.crt
- your SSL certificate, signed by your root CA
- your root CA is not trusted yet, so it still will not work

Set up nginx like an AWS load balancer

When behind an AWS load balancer, you’ll want your nginx configuration to look like this: (see my post on setting up https redirects in AWS for more details on this)

server {
    listen 80;
    server_name _;
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$host$request_uri;
    }

    # the rest of your nginx configuration
}

While in dev, it will look very similar:

server {
    listen 80;
    server_name _;

    # the rest of your nginx configuration
}

But now, add a reverse proxy to our dev configuration to handle the HTTPS connection:

server {
    listen 80;
    server_name _;
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$host$request_uri;
    }

    # the rest of your nginx configuration
}

server {
   listen 443 ssl;
   server_name sunfish.local;
   ssl_certificate /etc/ssl/certs/example.com.crt;
   ssl_certificate_key /etc/ssl/private/certificates.key;

   location / {
      proxy_pass http://localhost;
      # Pass through the existing Host header, otherwise the application will 
      # think it's accessed via localhost
      proxy_set_header Host $host;
      # Set the same X-Forwarded-* headers that an AWS load balancer sets
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-forwarded-Port $server_port;
   }
}

Now you can access your development environment over HTTPS, however your certificate will not be trusted. You can tell Chrome/Firefox to ignore this, however it’s harder to make other tools ignore it without completely disabling SSL verification.

Trusting your root CA

On your system, you need to install the generated root CA certificate as a trusted certificate. As mentioned in the create_root_cert_and_key.sh script above, you can do that with the following commands. Be sure to do this on all systems that need to access the development environment, this may include:

your physical dev computer
the virtual machine/container your application runs in
all of the above for each developer on your team

For Mac:

$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem

For Arch:

$ sudo trust anchor --store rootCA.pem

For Ubuntu:

# It's important to give the certificate the .crt extension here
# otherwise it will not be picked up by `update-ca-certificates`
$ sudo cp rootCA.pem /usr/local/share/ca-certificates/myRootCA.crt
$ sudo update-ca-certificates

Conclusion

Now you can successfully access your local development environment over HTTPS without any warnings from any tools, and your dev environment is one step closer to production!

Links that helped me

What’s new in PHP land? - Q2 2020

2020-06-30T00:00:00+10:00

I co-organise the BrisPHP Meetup and at the start of every meetup I give a quick talk on recent news and other interesting things that have been happening in the PHP world. Recently, we’ve had an absolute ton of progress on PHP 8.0.

In fact, there has been so much progress on PHP 8.0 that I am under no illusions on how the PHP core team kept entertained during COVID-19 lockdows! I’ve selected my favourite and most important changes for this post.

PHP

Jordi Boggiano released the latest PHP Version Stats back in May.

The main change here has been a 14% uptick in PHP 7.4 usage, with most of that coming out of the 7.2 and 7.3 usage as of November last year.

Backing this statement up, we can see that 7.0 has less usage than 5.6 but only just. The good news is that 5.6 usage is still trending downward, albeit very slowly.

PHP 8.0

It appears that PHP core developers kept themselves entertained during COVID isolation by pushing forward on PHP 8.0. Back in March there was only a handful of implemented features but now the list is huge and it’s still growing.

We have a release date of November 26! The first alpha version is already out and the feature freeze comes in on August 4.

Attributes

The accepted RFC and another accepted RFC proposing ammendments.

You might know these by another name, “Annotations”. We currently have a widely used third-party implementation: Doctrine Annotations. For this reason, it’s been decided to use the name “Attributes” to avoid conflicts.

The good news is, we finally have Attributes baked into the language and we don’t have to use docblocks to execute code! You can define an attribute in many places including classes, methods, properties, parameters and more.

Attributes have the following syntax:

<?php

<<ExampleAttribute>>
class Foo
{
    <<ExampleAttribute>>
    public const FOO = 'foo';
 
    <<ExampleAttribute>>
    public $x;
 
    <<ExampleAttribute>>
    public function foo(<<ExampleAttribute>> $bar) { }
}

A more concrete and recognisable example is a Doctrine entity:

<?php

use Doctrine\ORM\Attributes as ORM;
use Symfony\Component\Validator\Constraints as Assert;
 
<<ORM\Entity>>
class User
{
    <<ORM\Id>><<ORM\Column("integer")>><<ORM\GeneratedValue>>
    private $id;
 
    <<ORM\Column("string", ORM\Column::UNIQUE)>>
    <<Assert\Email(array("message" => "The email '' is not a valid email."))>>
    private $email;
 
    <<ORM\ManyToMany(Phonenumber::class)>>
    <<ORM\JoinTable("users_phonenumbers")>>
    <<ORM\JoinColumn("user_id", "id")>>
    <<ORM\InverseJoinColumn("phonenumber_id", "id", JoinColumn::UNIQUE)>>
    private $phonenumbers;
}

Attributes are PHP classes with the <<Attribute>> attribute:

<?php

namespace Doctrine\ORM\Attributes;
 
<<Attribute>>
class Column
{
    public $type;
 
    public function __construct(string $type)
    {
        $this->type = $type;
    }
}

Shortly after the Attributes RFC was accepted, an ammendments RFC was proposed and accepted which allows Attributes to be grouped:

<?php

// Ungrouped
<<Attr1>><<Attr2>>
class Example
{
    <<Attr2("foo")>>
    <<Attr2("bar")>>
    public function test()
    {
    }
}

// Grouped
<<Attr1, Attr2>>
class Example
{
    <<Attr2("foo"),
      Attr2("bar")>>
    public function test()
    {
    }
}

And to validate Attributes and ensure they are only used in the correct location:

<?php

namespace Doctrine\ORM\Attributes;
 
<<Attribute(Attribute::TARGET_PROPERTY)>>
class Column
{
    public $type;
 
    public function __construct(string $type)
    {
        $this->type = $type;
    }
}

And now there is another RFC proposing a diffreent syntax. Voting on this RFC closes on July 1 and it looks like we’ll get the @@Attribute syntax which is much nicer than <<Attribute>>` and allows nested attributes:

<?php

use Doctrine\ORM\Attributes as ORM;
use Symfony\Component\Validator\Constraints as Assert;
 
@@ORM\Entity
class User
{
    @@ORM\Id
    @@ORM\Column("integer")
    @@ORM\GeneratedValue
    private $id;
 
    @@ORM\Column("string", ORM\Column::UNIQUE)
    @@Assert\Email(array("message" => "The email '' is not a valid email."))
    private $email;
 
    @@ORM\ManyToMany(Phonenumber::class)
    @@JoinTable(
        "users_phonenumbers",
        @@JoinColumn("User_id", "id"),
        @@JoinColumn("phonenumber_id", "id"),
    )
    private $phonenumbers;
}

Attributes are fetched with Reflection methods. Very similar, but much easier than fetching annotations from the doc block because they don’t need to be manually parsed.

<?php

$reflector = new \ReflectionClass(User::class);
$idProperty = $reflector->getProperty('id');
$attrs = $idProperty->getAttributes();

foreach ($attrs as $attriubute) {
    $attribute->getName(); // "Doctrine\ORM\Attributes\Column"
    $attribute->getArguments(); // ["integer"]
    $attribute->newInstance();
        // object(Doctrine\ORM\Attributes\Colunm)#1 (2) {
        //  ["type":"User":private]=> string(11) "integer"        
        // }
}

JIT

RFC

Probably the most anticipated feature of PHP 8 is the JIT, which is a Just In Time compiler. Initially PHP was going to get a JIT in version 7, however there was a lot of tweaks and fixes required to effectively implement a JIT and it just so happeded that those tweaks and fixes provided most of the performance gains. As a result, those gains were released on their own in PHP 7 and the JIT moved back to PHP 8.

To understand the benefit provided by JIt, you need to know how PHP code is executed:

PHP code is first broken down into tokens using a process called “Lexing”, these tokens are then parsed into an Abstract Syntax Tree (AST) which allows the compiler to understand the code. The compiler takes the AST and produces OPcodes which are then passed to the Zend VM to get executed on the CPU. Since PHP 5.5 we’ve been able to cache these OPcodes after the compilation step to prevent having to lex and parse the same code many times, but the Zend VM still has to interperet the OPcodes and execute them.

With the JIT enabled, the Zend VM will identify sections of code that are executed many times. These “hot” code parts will be compiled directly into machine code and stored alongside the OPcodes. The next time that section of code is executed, it can bypass the Zend VM and be executed directly on the CPU.

The main performance gains from the JIT will likely be to non-web code. Web related code is often bound by I/O calls (ie. databases, filesystems, etc) and the JIT will only speed up CPU bound code. However, the JIT does open the doors for PHP to be used for many things you wouldn’t want to use it for in the past. Think image and data manipulation, long running processes and even machine learning.

Construction property promotion

RFC

Classes carry a lot of boilerplate code in PHP, one way of cutting this down is with property promotion. This allows you to declare and define a property directly in the constructor.

<?php

// Without property promotion
class User
{
    public string $name;

    public string $email;

    /** @var string[] */
    public array $phoneNumbers;

    public function __construct(
        string $name, 
        string $email, 
        array $phoneNumbers
    ) {
        $this->name = $name;
        $this->email = $email;
        $this->phoneNumbers = $phoneNumbers;

    }
}

// With property promotion
class User
{
    public function __construct(
        public string $name, 
        public string $email, 
	/** @var string[] */
        public array $phoneNumbers,
    ) {}
}

A few caveats:

Can be used to declare/assign public, protected and private properties
Only allowed in constructors
Can skip types if you like
Can only have simple default values like before, ie. no calling functions
Can combine promoted and non-promoted properties in the same class
Can have doc commments and annotations on promoted properties
Cannot promote properties in abstract classes, but you can in traits
Cannot use varidic propreties, eg. public string ...$names because $names is actually an array, not a string.

Type improvements

Mixed type RFC

Static return type RFC

Union type RFC

There have been quite a few type improvements in PHP 8. We can now use union types, the mixed type and the static return type.

<?php

class Dog
{
    public function breed(): static
    {
        return new static();
    }

    abstract public function speak(): mixed;
}

class Husky extends Dog
{
    public function speak(): Growl|Howl|Bark // Liskov substitution since PHP7.4
    {
        if ($this->isHungry()) {
            return new Growl();
	}

	if ($this->isExcited()) {
	    return new Howl();
	}

	return new Bark();
    }
}

$zara = new Husky();

// Typed as "Husky" using `static' return type
// Typed as "Dog" using `self` return type
$puppy = $zara->breed(); 

String functions

str_contains RFC

str_starts_with & str_ends_with RFC

It’s only taken 25 years, but PHP finally has canonical functions to check if a string contains, starts with or ends with another string.

<?php

$string = "abc";

// New way
if (str_contains($string, "b")) {
}

// Old way
// Note: Need to ensure strict comparison here, in case the 
// position is at index 0
if (strpos($string, "b") !== false) {
}


// New way
if (str_starts_with($string, "ab")) {
}

// Old way
$prefix = "ab";
if (substr($string, 0, strlen($prefix)) ==$prefix) {
}


// New way
if (str_ends_with("abc", "bc")) {
}

// Old way
$suffix = "bc"
if (substr($haystack, -strlen($suffix)) == $suffix) {
}

Exceptions

Non-capturing catches RFC

Throw expression RFC

There are also a couple of changes to to the way we can use exceptions. The ablility to catch an exception and ignore the actual exception object. This is useful when the type of the exception is enough information for you to determine how to handle it and you don’t need the rest of the data contained in the exception object.

<?php

try {
    changeImportantData();
} catch (PermissionException $ex) {
    echo "You don't have permission to do this";
}

Internally, PHP thinks of different constructs as either “expressions” or “statements”. There are some places that you’re not allowed to use “statements”, only expressions. Throwing exceptions has been considered a “statement” which means you aren’t able to throw exceptions in certain places, like arrow functions and ternaries. So the following examples will work correctly as of PHP 8.0, but will throw a FatalError in previous versions.

<?php

$fn = fn() => throw new \Exception('oops');

$value = isset($_GET['value'])
    ? $_GET['value']
    : throw new \InvalidArgumentException('value not set');

get_debug_type()

get_debug_type() is an alternative to gettype() which actually returns something useful:

Value	get_debug_type()	gettype()
0	int	integer
0.1	float	double
true	bool	boolean
"hello world"	string
[]	array
null	null	NULL
new Foo\Bar()	Foo\Bar	object
new class() {}	class@anonymous	object
tmpfile()	resource (stream)	resource
curl_init()	resource (curl)	resource
curl_close($ch)	resource (closed)

Weakmaps

RFC

In PHP 7.4 we got support for Weak References. This allows us to store a reference to some object without preventing the garbage collector from deleting it. Weak References on their own are of limited usefulness, so now we have WeakMaps which allow us to build caches:

<?php

class Foo 
{
    private WeakMap $cache;
 
    public function getSomethingWithCaching(object $obj): object
    {
        return $this->cache[$obj]
           ??= $this->computeSomethingExpensive($obj);
    }
}

This is very useful for the likes of ORMs, which often implment their own caching.

Breaking changes

There are been quite a few breaking changes in 8.0, ranging from won’t affect much at all, to will probably make it hard to upgrade (especially for older projects). Here are some that I think are worth mentioning:

Ensure correct signatures of magic methods RFC
- Until now, it was possible to declare public function __get(string $name): void
Method signatures in abstract methods defined in traits are now enforced RFC
- Previously, you could completely change the method signature of an abstract method that comes from a trait
curl_*() methods accept and return CurlHandle objects instead of resource
- Use $handle !== false instead of !is_resource($handle)
- This snuck through without an RFC…

Composer 2

Composer version 2 is just around the corner. The alpha2 version is out and you can test it. It comes with a few great new features, here are my favourites.

Faster download times
- All downloads now run in parallel and offer quite a speed boost.
Platform check - ensure the current platform is supported
- vendor/composer/platform_check.php is created during composer install
- It ensures the the platform running the code is suppored (ie. has correct PHP version and extensions)
--ignore-platform-req [req] to selectively ignore specfic platform requirements instead of all of them
- eg. Ignore only the PHP version requirement and nothing else with --ignore-platform-req php
--dry-run for add/remove
- This was previously only available on update
PEAR repository type is removed
- You can no longer install custom PEAR packages
- You can still install PEAR packages hosted on php.net

You can find out more about Composer v2 here.

What’s new in PHP land? - Q1 2020

2020-03-05T00:00:00+10:00

PHP

Let’s start with some PHP Version Stats released December last year by Jordi Boggiano.

We can see PHP 5.6 is still hanging around a bit, bit it has dropped a bit. PHP 7 versions are definitely taking the majority of the market, however with 7.2+ being the only supported versions, there is still a large number of projects on unsupported versions :’(.

Here it’s easy to see that PHP 7.4 is picking up just as fast as all previous versions that have been released.

PHP 8.0

There are already lots of other posts about the features in PHP 8.0, but I’m going to list the changes that have happened in the last few months.

Static return type

I use fluent methods a lot and not having the static return type really gets me. Here’s an example:

<?php

interface FooInterface {
    public function doSomething(): static;
}

class Foo implements FooInterface {
    public function doSomething(): static {
        // Do some things

        return $this;
    } 
}

At the moment, we can’t need to use self as the return type, which gives us a fatal error because Foo::self !== FooInterface::self and is not compatible. The static return type lets us benefit from late static binding and makes this work as you would expect.

Take a look at the RFC for more information.

Allow `$object::class`

I also use FQCN’s a lot, to populate exception/log messages and as keys in an array, etc. Since PHP 5.5 we’ve been able to use Foo\Bar::class to get the FQCN, but if you have an instance of Foo\Bar you must use \get_class($foo) instead.

<?php

$foo = new Foo\Bar();

// Works in 5.5+
var_dump(Foo\Bar::class);
var_dump(get_class($foo));

// Works in 8.0+
var_dump($foo::class);

Here’s a link to the RFC if you’re interested.

Stringable interface

Any object that implements __toString() in an 8.0 world will implicitly impliment the stringable interface:

<?php

interface Stringable
{
    public function __toString(): string;
}

This allows you to use the union type string|Stringable when it becomes available in 8.0. The goal is that eventually everyone will explicitly implement the interface but for BC reasons, it will be automatically added during compile time.

Take a peek at the RFC.

Frameworks

Symfony

Symfony claimed a big achievement last year. It has the most contributors out of any backend framework. Not in just PHP frameworks, but any backend framework, in any language.

Laravel

Laravel released version 6.5 with some new features:

Added LazyCollection::remember()
New string helpers
Improvements to the QueryBuilder
Added unless condition to Blade custom if directives

Phalcon

Phalcon released version 4.0.0 in December, with an impressive list of highlights:

PHP 7.2 minimum version
PHP 7.4 support
Removed unsupported code
PSR 7, 11, 13, 16, 17
Rewrote all documentation

CakePHP

December also brought CakePHP 4.0.0 with a matching list of impressive highlights:

PHP 7.2 minimum version
Streamlined APIs by removing deprecated methods
More typing/type hints
Improved error messages
A refreshed application skeleton
New database types
Middleware for CSP headers
Improvements to the FormHelper

WordPress

Version 5.3 of WordPress is now live:

PHP 7.4 support
Date/Time component fixes
Improved block editor
Automatic image rotation
Improved site health checks

Tools

Codeception

December was the month of 4.0, with Codeception also releasing version 4.0 which splits the core into modules allowing each module to upgrade individually and adds support for Symfony 5.

PHPUnit

PHPUnit 9 was released in Februrary which cleaned up a lot of old code. It only only supports PHP 7.3+, uses more strict types and removed a lot of old functions/options that have newer alternatives.

Xdebug

While it might not be 4.0, Xdebug did release version 2.9 in December. The main part of this release was to dramatically speed up code coverage by 250%!. That’s incredible.

What’s new in PHP land? - Q4 2019

2019-11-06T00:00:00+10:00

PHP

PHP 7.4

There are no new features going into PHP 7.4, and for very good reason. It’s going to be released at the end of this month!

PHP 7.4 Release Countdown

I can’t wait for the new version, my favourite new features are:

Typed properties
Preloading
Arrow functions

See my previous posts for more info on these and other new features:

PHP 8.0

There have been two new features accepted in PHP 8.0 this quarter.

Union types

The Union Types 2.0 RFC brings forward the idea of union types, or typing a variable to be one of two or more different types. You can use union types everywhere that existing types are currently accepted.

DISCLAIMER: At the time of writing this one still had a few days left of voting. However, an overwhelming majority of votes are in favour so I’ll risk it for the biscuit and call it.

Example:

<?php

class Number {
    private int|float $number;
 
    public function setNumber(int|float $number): void {
        $this->number = $number;
    }
 
    public function getNumber(): int|float {
        return $this->number;
    }
}

We already have a union type in order to allow for nullables. So ?int and int|null will be equivalent. But you will not be able to use the question mark when there are multiple possible types. For example ?int|float is invalid.

Additionally, an false psuedo type is being added to account for the many places in the core that a function returns false on error. For example strpos() can be typed as int|false. Note that false cannot be typed on it’s own, it must be part of a union type.

Reclassifying engine warnings

Nikita Popov suggested we should increase the error level for some internal warnings and notices because they represent bad programming errors. There were 23 changes proposed, of which 3 were voted on separately because they were controversial, while the remaining 20 were voted on as one. See the RFC for the full list of reclassifications, I’ll list the controversion ones here:

Undefined variables
- Being promoted from a Notice to a Warning
- Attempt was made to get it as an Error exception, but it did not have enough votes
Undefined array index
- Being promoted from a Notice to a Warning
Division by zero
- Being promoted from a Warning to a DivisionByZeroError exception

There were 20 non-controversial changes proposed:

Promoting 8 Warnings to Error exceptions
Promoting 7 Notices to Warnings
Promoting 5 Warnings to TypeError exceptions

P++

The idea was floated in the internal mailing list about creating a second “dialect” of PHP with some suggesting the name “P++”. The idea was to have the same PHP engine running both the normal version of PHP and a strict type-safe version. It was raised because there has been a lot of internal discussion about whether or not PHP should become more strict moving forward, for which there are almost equal amounts of people for and against.

In the end, the idea was withdrawn after considerable discussion both internally and from many randoms on the internet. With the outcome being that PHP would slowly introduce more strict features by making them optional.

Security vulnerabilities

RCE through open php-fpm ports

If you have php-fpm configured to listen on a TCP port, and that port is exposed to the world, at attacker can trick php-fpm in executing an arbitrary php file on the system. As such, you should follow best practices and hide php-fpm behind a webserver such as nginx. See the bug report here.

Buffer overflow

PHP 7.3.10 fixed a heap buffer overflow vulnerability in the mb_eregi() function which could grant an attacker arbitrary code execution. A post by SC Magazine has more details.

RCE through PATH_INO in php-fpm

With a mis-configured php-fpm, it was possible to use a newline character (url encoded %0a) to break the PATH_INFO variable that nginx passes to php-fpm by unsetting it. This caused php-fpm to read a different php file and if crafted properly could allow remote code execution.

The “mis-configuration” of php-fpm is actually a fairly widely used configuration, documented in many places like StackOverflow and even the nginx docs. To fix the issue you can upgrade to the latest version of PHP or add some sanitisation to your nginx configuration.

See the bug report for more info.

Frameworks

Wordpress

Wordpress is talking about strictly enforcing SSL for auto updates. From what I can gather, getting either core WordPress updates or plugin/theme updates doesn’t necessarily happen over SSL at the moment, so they want to enforce it and also add checksum validation to enforce packgage integrity. While I think this should already have been a thing, I’m glad to see WordPress pushing forward on security.

Slim 4.0

Slim 4.0 was released in August and it has a bunch of changes to push the framework forward:

Decoupling a lot of dependencies so you’re not forced to install them
- Dependency injection
- Router
- Error handling
- PSR-7
Only supports PHP 7.1+
Removed a few “automagic” abilities to make the framework easier to understand

Symfony 5.0

Symofony 5.0 is due to be released this month along with 4.4. The 4.4 version will contain all the features for 5.0 with backward compatibility and a bunch of deprecations. This gives you an easy upgrade path because once you remove deprecations, your app will function perfectly on 5.0.

There aren’t as many groundbreaking features in 5.0 as there was in 4.0, but there’s a nice list of them here. My favourites are:

Encrypted secrets management which allows you to store secrets in the git repo (eg. database passwords).
Automatic password migrations to automatically rehash users passwords with the latest algorithm.
Testing email content allows to assert email bodies contain specific content.

Community

Client side PHP

Atymic has found a way to run PHP in the browser. This may seem a little insane, and it is. Because you need to:

Download PHP source
Build your app into a .phar
Complile your .phar and PHP source using web assembly
Make your users load this and run it

While this terrifies me, it also excites me that we’re still pushing the boundaries of PHP can (or even should) do.

Dependency graph support on GitHub

GitHub can now hook into your composer.json to give you automatic security notifications/updates as well as insights into your dependency tree.

What’s new in PHP land? - Q3 2019

2019-07-28T00:00:00+10:00

I co-organise the BrisPHP Meetup and at the start of every meetup I give a quick talk on recent news and other interesting things that have been happening in the PHP world. Recently, PHP 7.4 features have been finalised and development of PHP 8.0 continues.

PHP

Process changes

There have been a couple of RFC’s passed recently which change the way any future RFCs are voted on.

Abolish narrow margins changes benchmark for acceptance of all future RFS to a 2/3 majority. They did this because previously some RFCs could pass with a 50%+1 majority while others required 2/3 and the rules that goverened this were “misleading and confusing”.
Abolish short votes increases the minimum voting period for future RFCs from 1 week to 2 weeks because there is no reason to squeeze votes into a single week and they don’t want big features passed with only a week of voting.

PHP 7.4

PHP 7.4 is now in feature freeze with Beta 3 being released last week. Now it will go through a handful of release candidates before it’s final release date of November 28! There is actually quite a lot being released PHP 7.4, I’ve covered some of them my Q1 and Q2 posts so I’ll just cover the new ones here. Take a look at this very good overview on stitcher.io for more details.

Numeric literal separator

You can add an underscore (_) anywhere you like in a numeric literal to help increase readability. It applies to all supported numeric literal notations, see the RFC for more info.

<?php

$threshold = 1_000_000_000;  // a billion!
$testValue = 107_925_284.88; // scale is hundreds of millions
$discount = 135_00;          // $135, stored as cents

Throwing exceptions in __toString()

I didn’t know this but apparently you can’t throw exception in __toString(). Until now. This RFC points out that exceptions aren’t allowed in __toString() because string conversions are performed in many places that aren’t equipped to handle exceptions. However recoverable errors can still be thrown when converting un-convertable variables so there’s really no reason to prevent exceptions as well.

Properly calculating time differences across Daylight Saving Time transitions

Something else I recently learnt is that depending on how you create a DateTime, PHP might not be able to correctly calculate additions and subtractions across Daylight Saving Time transitions. And even if you do use the “correct” way, the result is still sometimes wrong because the edge case was not sufficiently unit tested. However, moving forward - if you create your dates the “correct” way, then all calculations will be correct.

// PHP only knows the offset, not the timezone 
// so it has no idea if or when to apply Daylight Savings Time
$type1 = new DateTime('2011-09-13 14:15:16 -0400');

// Internally PHP stores dates created using the timezone abbreviation the same as $type1 above
// ie. it only knows the offset
$type2 = new DateTime('2011-09-13 14:15:16 EDT');

// This is the only way to create a DateTime such that PHP is able to make correct calculations 
// across Daylight Savigs Time transitions, because internally it actually stores the timezone
// not the offset.
$type3 = new DateTime('2011-09-13 14:15:16', new DateTimeZone('America/New_York'));

// This is also correct because it uses `date_default_timezone` from php.ini
$type3 = new DateTime('2011-09-13 14:15:16');

Escaping “?” in PDO

Some databases, namely PostgreSQL use the question mark character in operators. However it’s currently impossible to use thes operators with PDO because all ? are treatedd as parameter placeholder. This RFC makes it possible to escape question marks by using a ??, which passes a single question mark to database:

<?php

$stmt = $pdo->prepare('SELECT * FROM tbl WHERE json_col ?? ?');
$stmt->execute(['foo']); 

Will execute the following query:

SELECT * FROM tbl WHERE json_col ? 'foo'

Since ?? is not valid syntax in PDO, there shouldn’t be any BC breaks. However, if you have defined ?? as a custom operator in your database, you will need to pass ???? though PDO in order to use it.

Spread operator in array expansion

For a while now, you’ve been able to use the spread operator (...) to unpack an array and pass it’s values into a function:

<?php

$arr = ['a', 'b', 'c'];

// Takes a variable number of string arguments
function foo(string ...$strings): void
{
    // Do something with the strings
}

// Pass each element in the array as a separate argument
foo(...$arr);

Now you can do that inside an array, as a better alternative to array_merge:

<?php

$parts = ['apple', 'pear'];
$fruits = ['banana', 'orange', ...$parts, 'watermelon'];
// ['banana', 'orange', 'apple', 'pear', 'watermelon'];

See the RFC for details.

Deprecations

There has been a big list of deprecations in 7.4, allowing us to prepare for a lot of cruft being removed in 8.0. In fact, there is an RFC which includes 14 separate deprecations, which were all passed. These were all relatively undocumented or incorrect usage of functions, see the linked RFC for details. However there are a few separate RFCs to deprecate specific functionalty, which I’ll list below.

PHP short opening tags

PHP 7.0 completely removed most of alternative PHP opening tags, however, short opening tags (<?) were exempt. Now in 7.4 they will be deprecated and completely removed in 8.0 because they clash with XML opening tags and require an INI directive, making them non-portable. See the RFC for more information.

Nested ternaries without explicit parenthesis

Have you even seen a ternary this ungoodly?

<?php

return $a == 1 ? 'one'
     : $a == 2 ? 'two'
     : $a == 3 ? 'three'
     : $a == 4 ? 'four'
               : 'other';

If you have these in your codebase, they are “almost certainly bugs” according this RFC. This is because in PHP this is left-associative instead of right-associative like most other programming languages. Take a look at the following example:

<?php

// How PHP interprets the above ternary
return ((($a == 1 ? 'one'
     : $a == 2) ? 'two'
     : $a == 3) ? 'three'
     : $a == 4) ? 'four'
               : 'other';

// How most other languages interpret it
return $a == 1 ? 'one'
     : ($a == 2 ? 'two'
     : ($a == 3 ? 'three'
     : ($a == 4 ? 'four'
               : 'other')));

Array access curly brace syntax

Apparently you can use curly braces to access elements within an array, or characters in a string. This has been deprecated in 7.4 since it’s largely undocumented and has reduced functionality from normal array syntax. Here’s some examples taken from the RFC.

<?php 

/*
 * You can use curly braces to access items in arrays or string
 */
$array = [1, 2];
echo $array[1]; // prints 2
echo $array{1}; // also prints 2
 
$string = "foo";
echo $string[0]; // prints "f"
echo $string{0}; // also prints "f"

/*
 * You can NOT use curly braces to append to an array
 */
$array[] = 3;
echo $array[2]; // prints 3
 
$array{} = 3; // Parse error: syntax error, unexpected '}'

/*
 * You can NOT use curly braces to create an array
 */
$array = [1, 2]; // works
 
$array = {1, 2}; // Parse error: syntax error, unexpected '{''}'

PHP 8.0

In my Q2 post I covered most of the accepted features for 8.0. I did mention that arrow functions were coming it 8.0, but they were actually accepted for 7.4, so we get much sooner! There has also been one more accepted RFC for 8.0 and is to always generate fatal errors for incompatible method signatures. Currently, if you implement a method that has an incompatible method signature to the interface or abstract class it’s declared in, you get a fatal error. However, if the method was declared in a parent class and you’re overriding it, then you only get a warning. These will all throw fatal errors as of 8.0.

Cool stats

PHP versions stats

The May edition of PHP Versions Stats has been released by Packagist. When someone does a composer install, Composer tells packagist.org what PHP version is being run. This gives us a good understanding of what versions are in use, but it skews the data by ignoring all the projects that aren’t using Composer (eg. a lot of WordPress sites).

Framework trends

Tomas Votruba tracks trends in PHP framework installations by pulling data from the Packagist API. It really is fascinating to see just how many downloads each framework gets.

JetBrains dev ecosystem survey

JetBrains ran a developer ecosystem survey this year and they found some fascinating data about PHP:

57% of respondents use a supported version of PHP (7.2 or 7.3)
Only 14% of respondents use 5.x
50% of respondents use Laravel while only 23% use Symfony (this is quite different to the framework trends shown above)

Frameworks

ReactPHP

ReactPHP has release v1.0.0 as an LTS version with 24 months support. This is the first stable release of ReactPHP since it was created 7 years ago.

Symfony

SymfonyCloud moved from Early Access to General Availability. This provides a “batteries included” platform to host your Symfony applications.

Laravel

It’s been a big quarter for Laravel:

Laravel v6 was released. This doesn’t include any paradigm shifting features, but instead moves Laravel to using SemVer which is amazing.
Laravel Nova was released. Nova allows you to create beautiful customised admin panels with minimum effort.
Laravel Vapor was released which provides a serverless platform to host your Laravel applications.

What’s new in PHP land? - Q2 2019

2019-04-30T00:00:00+10:00

I co-organise the BrisPHP Meetup and at the start of every meetup I give a quick talk on recent news and other interesting things that have been happening in the PHP world. The biggest news recently is the development of PHP 7.4 and 8.0!

Language News

PHP 7.4 and 8.0 are both being developed in parallel with a number of really great features already implemented.

PHP 7.4 Features

There is quite a lot of features going into PHP 7.4, some of them I mentioned in my last PHP news post but here are some rew ones:

Covariance and contravariance

Currently, PHP is missing some really core object-oriented behaviours:

Contravariance
- replacing an object with it’s parent without breaking anything
- widening type parameters
Covariance
- replace an object with it’s children without breaking anything
- tightening type parameters

Fortunately, this feature is coming in 7.4, here are some examples from the rfc:

We can widen the type for method parameters, because anything that expects to be using the Concatable interface will successfully be able to use the Collection class when passing in Iterator types:

<?php

interface Concatable {
    function concat(Iterator $input); 
}
 
class Collection implements Concatable {
    // accepts all iterables, not just Iterator
    function concat(iterable $input) {/* . . . */}
}

We can tighten the return type because anything expecting the Factory interface can successfully use the UserFactory because it returns a subtype of object:

<?php

interface Factory {
    function make(): object;
}
 
class UserFactory implements Factory {
    function make(): User;
}

Weak References

Weak References allow you to keep a reference to an object without preventing the garbage collector from destroying it. Solutions for this already exist but have been rendered unusable by PHP 7.3. They’re useful for cache like structures, allowing the garbage collector to uncache things for you. Here’s an example:

<?php
function checkReference(WeakReference $ref): void
{
    if (null !== $ref->get()) {
        echo "Object still exists!\n";
        var_dump($ref->get());
    } else {
        echo "Object is dead!\n";
    }
}

$foo = new Foo();

$ref = WeakReference::create($foo);

checkReference($ref); // Object still exists!

// Somewhere else our object is removed
unset($foo);

checkReference($ref); // Object is dead!
// Cache miss, we'll have to re-create it

mb_str_split

We already have mb_split which allows splitting by a regex, but this allows splitting a multibyte string into set chunk sizes. Here’s an example from the rfc:

<?php 
print_r(mb_str_split("победа", 2));
 
--EXPECT--
 
Array
(
    [0] => по
    [1] => бе
    [2] => да
)

serialize() and unserialize()

We get two new magic methods which we can use instead of the current ways to serialize objects. These methods are added because the current ways being the Serializable interface and the __sleep() and __wakeup() methods are difficult to use and easily introduce bugs. See the rfc for more info.

<?php

// Returns array containing all the necessary state of the object.
public function __serialize(): array;
 
// Restores the object state from the given data array.
public function __unserialize(array $data): void;

PHP 8.0 features

Arrays starting with negative index

Currently, all the following result in unexpected behaviour:

<?php

$a = array_fill(-2, 3, true);

$b = [-2 => true, true, true];

$c = []
$c[-2] = true;
$c[] = true;
$c[] = true;

The keys following the negative number start at 0 and increment from there, ie. they skip the next negative numbers:

array(3) {
  [-2]=>
  bool(true)
  [0]=>
  bool(true)
  [1]=>
  bool(true)
}

Post 7.4 they will work as you would expect:

array(3) {
  [-2]=>
  bool(true)
  [-1]=>
  bool(true)
  [0]=>
  bool(true)
}

See the rfc for more info.

Consistent type errors for internal functions

Most of the internal PHP functions will throw a warning and return null (or some other ridiculous value) when you pass in parameters of an illegal type. This rfc will bring internal functions into alignment with user-defined functions and make them throw a TypeError.

JIT compiler

The performance improvements in PHP 7 were initiated by attempts to implement a JIT compiler, but were ultimately not released because the improvements made without it were much more substantial. However, we are now in a place where the performance of PHP can no longer be improved without JIT so this rfc will bring it into 8.0.

Arrow functions v2

Update Arrow function have actually been accepted for 7.4!

Arrow functions are finally coming to PHP! They will dramatically improve the syntax of closures from this:

<?php

function array_values_from_keys($arr, $keys) {
    return array_map(function ($x) use ($arr) { return $arr[$x]; }, $keys);
}

To this:

<?php

function array_values_from_keys($arr, $keys) {
    return array_map(fn($x) => $arr[$x], $keys);
}

Other news

PSR 14 accepted

PSR 14 was accepted. It defines a standard for event dispatchers and listeners:

<?php

namespace Psr\EventDispatcher;

interface EventDispatcherInterface
{
    /**
     * Provide all relevant listeners with an event to process.
     *
     * @param object $event
     *   The object to process.
     *
     * @return object
     *   The Event that was passed, now modified by listeners.
     */
    public function dispatch(object $event);
}

<?php

namespace Psr\EventDispatcher;

interface ListenerProviderInterface
{
    /**
     * @param object $event
     *   An event for which to return the relevant listeners.
     * @return iterable[callable]
     *   An iterable (array, iterator, or generator) of callables.  Each
     *   callable MUST be type-compatible with $event.
     */
    public function getListenersForEvent(object $event) : iterable;
}

<?php

namespace Psr\EventDispatcher;

interface StoppableEventInterface
{
    /**
     * Is propagation stopped?
     *
     * This will typically only be used by the Dispatcher to determine if the
     * previous listener halted propagation.
     *
     * @return bool
     *   True if the Event is complete and no further listeners should be called.
     *   False to continue calling listeners.
     */
    public function isPropagationStopped() : bool;
}

PHPUnit 8 released

Containing mainly deprecations and dropping support for PHP 7.1, PHPUnit 8 was released.

Laravel gets Psalm support

The best static analyser (IMO) has released support for Laravel. It’s been a long time coming, mainly because of all the magic and static calls in Laravel, but it’s here and it will drastically improve your codebase.

SQL injection in Laravel

There were a couple of SQL injection vulnerabilities discovered in Laravel. Both of them come down to the developer passing untrusted data into query builders so if you follow best practices and don’t do this, then you’re fine.

The first one has been “fixed” by adding a warning to the documentation to let the developer know not to pass in untrusted data. Here is an example from the laravel blog post on the issue:

Rule::unique('users')->ignore($user->id);

If instead of using $user->id in the above function call, you use some user provided data, then you are vulnerable to an SQL injection.

The second one, described in a stitcher.io post relates to querying JSON data in SQL.

You write this:

Blog::query()
    ->addSelect('title->en');

Laravel converts it to this:

SELECT json_extract(`title`, '$."en"') FROM blogs;

But again, if you get 'title->en' from user supplied input, you’re vulnerable. Although, this particular vulnerability is fixed in Laravel 5.8.11.

It’s important to note, that while it is the frameworks job to help you build fast and secure applications, quite a lot of responsibility still falls on the developer to make sure they’re following best practices.

Remote code execution in TCPDF

A severe security vulnerability was found in TCPDF allowing an attacker to achieve the holy grail of attacks - a remote code execution. While this vulnerability was fixed in version 6.2.20, it was accidentally reintroduced so you have to use version 6.2.22 to be safe.

WordPress minimum PHP version

WordPress has ended support for 5.2 5.5 so you must now be using 5.6 or above. While this is absolutely great news that we’re finally raising the bar, we should keep in mind that version 5.6 has been unsupported since the beginning of the year. Let’s hope they will soon enforce a minimum supported version!

Symfony gets push capabilities

Symfony has released the Mercure component which allows integration with a Mercure Hub - an open protocol for servers to publish updates to clients. You either have to run your own Mercure Hub or use a third party service.

You then subscribe to topics using the vanilla JavaScript EventSource and publish updates to the topics from PHP. EventSource opens a persistent connection to the Mercure Hub and registers an event handler for updates.

How to filter a MySQL json array of objects

2019-04-02T00:00:00+10:00

Imagine you have a json column in your MySQL table and that column contains a list of objects. In this example, my list will contain events that have a name, an id and other arbitrary data:

[
    {
        "name": "FooEvent",
        "id": "87dd4f31-664a-4059-a3fc-6472231530e4",
        ...
    },
    {
        "name": "BarEvent",
        "id": "8ce05580-ceaf-4eb9-b5af-8ad454ca9ced",
        ...
    },
    {
        "name": "BazEvent",
        "id": "23e981cb-9e07-413b-acb0-042cd355e46d",
        ...
    }
]

So you have a bunch of rows in your table, each of them has an events column that looks something like the example above. Now let’s say you want to get the id for every FooEvent, that’s not an easy thing to do and there are multiple steps involved.