www.phparch.com September 2018 Volume 17 - Issue 9 MagniPHPicent 7.3 PHP 7.3 is On Track! Upgrading Old Legacy Apps to PHP 7 and Beyond Using the Symfony Workflow Component as a State Machine for Ecommerce ALSO INSIDE The Dev Lead Trenches: Security Corner: The Workshop: How Long Will Thinking Like Describe Your Tests It Take? an Attacker with Kahlan Community Corner: Education Station: finally{}: Finding the Perfect Producer-Consumer The Seven Deadly Sins Development Job Programming of Programming: Pride Start building with a focused, faster cloud. Fully supported by Thermo Physicists there to help solve any of your problems.. Focused Faster Care Elastic energy at your Deploy in Thermo.io Physicists fingertips. Launch. seconds on our are here to help Rebuild. Clone. Swap. high-availability, you out without Grow. Instantly. SSD-driven platform. confiscating root. DISCOUNT: Get your $150 credit today using code PHPDEVELOPER WEB: EMAIL: PHONE: Thermo.io [email protected] 833-3-THERMO Early Bird Sale until 9/15! 2018 The 4th annual PHP conference for Washington D.C. November 14–15, 2018 Washington, D.C. world.phparch.com Only $475 Full price: $795 SEPTEMBER 2018 Volume 17 - Issue 9 Features Columns 2 MagniPHPicent 7.3 3 PHP 7.3 is On Track! Oscar Merida 31 The Dev Lead Trenches: Damien Seguy How Long Will It Take? Chris Tankersley 10 Upgrading Old Legacy Apps 34 Security Corner: Professional Paranoia: Thinking to PHP 7 and Beyond Like an Attacker Eric Mann Sammy Kaye Powers 37 The Workshop: Describe Your Tests with Kahlan 24 Using the Symfony Workflow Joe Ferguson 41 Community Corner: Component as a State Finding the Perfect Development Job Machine for Ecommerce James Titcumb 43 Education Station: Michelle Sanver Producer-Consumer Programming Edward Barnard 51 August Happenings 52 finally{}: The Seven Deadly Sins of Programming: Pride Eli White Editor-in-Chief: Subscriptions Contact Information: Oscar Merida General mailbox: [email protected] Editorial: Editor: Kara Ferguson Print, digital, and corporate [email protected] subscriptions are available. Visit Print ISSN 1709-7169 https://www.phparch.com/magazine to Digital ISSN 2375-3544 Managing Partners subscribe or email [email protected] for Copyright © 2018—musketeers.me, LLC more information. All Rights Reserved Oscar Merida, SandySample Smith Although all possible care has been placed in assuring the Advertising accuracy of the contents of this magazine, including all architect associated source code, listings and figures, the publisher php[ ] is published twelve times a To learn about advertising and receive year by: musketeers.me, LLC assumes no responsibilities with regards of use of the the full prospectus, contact us at information contained herein or in all associated material. 201 Adams Avenue [email protected] today! Alexandria, VA 22301, USA php[architect], php[a], the php[architect] logo, musketeers. me, LLC and the musketeers.me, LLC logo are trademarks of musketeers.me, LLC. PHP 7.3 is OnFEATURE Track! PHP 7.3 is On Track! Damien Seguy PHP 7.3 successfully passed the “feature freeze” deadline. On Aug. 1st, 2018 all features for PHP 7.3 were identified. This triggered the first PHP 7.3 beta, on the following day, and, from there, we’ll reach RC in September. It is time to review what this new PHP version has available for us, help test PHP 7.3, and get ready. Improved Garbage Collector Relaxed Heredoc/Nowdoc One of the main improvement in the PHP 7.3 engine is the Heredoc and nowdoc are a string definition syntax that is garbage collector, also called GC. adapted to large pieces of text. Here is a heredoc: The Garbage Collector is an internal tool that frees memory. $x = <<<FRENCH PHP accumulates new objects in memory, and when it reach- Maître Corbeau, sur un arbre perché, es the infamous memory_limit, the garbage collector is fired to Tenait en son bec un fromage. check if any memory may be recycled. Then, PHP resumes Maître Renard, par l'odeur alléché, the normal execution of the script. Lui tint à peu près ce langage: Et bonjour, Monsieur du Corbeau,... Most traditional PHP applications have no use for the FRENCH; Garbage Collector. First, memory_limit is usually far beyond what a script needs, so there is no need to collect memory; The syntax starts with a triple <, followed by a token. This PHP frees it all at the end of the execution. Secondly, the GC token is a classic PHP identifier: alphanumeric chars and only works on roots, which are large dynamical structures, underscore. It must also start with a letter or an underscore. such as arrays and objects. Also, the script needs to allocate The identifier is free. Here, we used it to comment on the ten thousand (10,000) of them, literally. language being used. Other variations include SQL, HTML, GREM- When PHP reaches the 10,000 limit, the GC is triggered. LIN, XML, PHP, YAML, DOT, etc. It will be triggered more frequently, as long as it stays above The final identifier comes with a few restrictions; it should the limit (in particular, when leaving a context: a function, be the first on its line, and only accepts a semi-colon with it. a method, a closure). Until now, any application that went Not even a space should be found on that line, or you’ll end beyond 10,000 would experience a lot of GC calls, and as up with a syntax error, unexpected end of file. such, a sudden degradation of its performances. Of course, the ending delimiter shouldn’t be found inside With PHP 7.3, the GC is now significantly more efficient. the text, at the beginning of a new line. This is quite rare, so it If it can’t reasonably free enough memory, it raises the limit. is really difficult to debug. When that happens, just make the This prevents many inefficient collections and keeps script identifier longer. execution fast. Nowdoc and heredoc are close cousins: heredoc behaves Applications that generate a lot of objects, like long-run- like a double-quote string and interpolates variables inside ning CLI applications, event-driven, or framework-based single-dimensional arrays and properties. NowDoc encloses applications will benefit from this improvement. Yet, most of the identifier in single quotes, and behaves like a single quote applications will never come near the limit, and won’t feel a string: no string interpolation is available. See Listing 1. difference. More on this subject: • What About Garbage?1 Listing 1 • How to optimize the PHP garbage collector usage to 1. <?php 2 improve memory and performance? 2. $animal = 'Corbeau'; • Improvements to Garbage Collection (GC) in PHP 7.3, 3. // Heredoc 5x boost performance in tests3(GC) in PHP 7.3, 5x boost 4. $x = <<<FRENCH performance in tests: https://phpa.me/react-etc-gc-php73] 5. Maître $animal, sur un arbre perché, 6. FRENCH; 7. 1 What AboutSample Garbage?: https://phpa.me/ircmaxell-about-garbage 8. // Nowdoc 2 How to optimize the PHP garbage collector usage to improve mem- 9. $x = <<<'FRENCH' ory and performance?: https://phpa.me/tideways-optimize-gc 10. Maître $animal, sur un arbre perché, 3 Improvements to Garbage Collection (GC) in PHP 7.3, 5x boost 11. FRENCH; performance in tests www.phparch.com \ September 2018 \ 3 PHP 7.3 is On Track! In PHP 7.3, two constraints are is the secure argument, and should feature was rarely used, yet, for those relaxed: first, the ending delimiter may always be used), will create a one-line who do, the impact shall be significant. be freely followed by other operators. diff. More on this: Deprecate and Remove So, it is now possible to use heredoc in Case-Insensitive Constants6. a function call. > 1, PCRE 2.0 $variable = 'THINGS'; instead of a two-line diff: print strtolower(<<<ENGLISH PHP’s regex are based on an inde- ALL THOSE $variable > "example.com", pendent library, called PCRE7. PHP has > 1 ENGLISH); been using the PCRE library for ages. It has made its way to the core of PHP, Secondly, the ending delimiter may Note that function definitions don’t and can’t be disabled anymore. Yet, PHP be moved to the left. There is no need get that syntax. still uses the version 1.0 of the PCRE for it to be the first on its line. Better, More on this: Allow a trailing comma library. It has been abandoned, and a the indentation of that ending delimit- in function calls5 new version, PCRE2, was released in er is the indentation for the text in the 2015. This new version is actively devel- Heredoc syntax. Look at that: Deprecated Case-insensitive oped. function foo() { Constants The change from PCRE 1 to 2 means return <<<MESSAGE Constants defined with thedefine the API for the library has changed. Returned Message function may be case-insensitive. This This only impacts internals, and Anatol MESSAGE; } behavior is now deprecated in PHP 7.3 Belski did a great job an integrating this and will be completely removed in PHP new version in the heart of PHP. print foo(); 8.0. As for userland code, the new version // prints 'Returned Message' null, true and false are exempt- means regex may be impacted. There ed from this deprecation. So are the are several places where impact may be The important point here is to use the magic constants __function__ or __ felt: same indentation for the delimiter and TRAIT__, although it was not explicitly for every line in the text. PHP identifies • Modifier 8S is now on by default. mentioned in the RFC. the indentation on the final delimiter PCRE does some extra optimiza- and uses it.