Hi, I’m Derick. Welcome to PHP internals news, the podcast dedicated to explaining the latest developments in the PHP language. This is Episode 92. Today I’m talking with Nikita Popov about a first class callable syntax RFC that he’s proposing together with Joe Watkins. Nikita, would you please introduce yourself?

Hi, Derick. I’m Nikita and I am still working at JetBrains. And still working on PHP core development.

Just like about half an hour ago when we recorded an earlier episode.

Exactly.

This RFC has no relation to read only properties. What is the first class callable syntax RFC about?

The context here is that PHP has the callable syntax based on literals, which is that if you just use a plain string, it’s interpreted as a function name, and an array where the first element is an object, and the second one is a method name, that’s methods. Or the first element is the class name, and the second one is method name, that’s a static method.

I would consider this concept a bit of a hack, especially the the one with the arrays, and I reckon you feel similar and hence this RFC?

Yes, I do. So the current callable syntax has a couple of issues. I think the core issue is that it’s not really analysable. So if you see this kind of like array with two strings inside it, it could just be an array with two strings, you don’t know if that’s supposed to actually be a static method reference. If you look at the context of where it is used, you might be able to figure out that actually, this is a callable. And like in your IDE, if you rename this method, then this array should also be this array element will also be renamed. But there’s like a lot of complex reasoning that the static analyser has to perform. That’s one side of the issue. The second one is that callables are not scope independent. For example, if you have a private method, then like at the point where you create your callable, like as an array, it might be callable there, but then you pass it to some other function. And that’s in a different scope. And suddenly that method is not callable there. So this is a general issue with both like this callable syntax based on arrays, and also the callable type. It’s a callable at exactly this point, not callable at a later point. This is what the new syntax essentially addresses. So it provides a syntax that like clearly indicates that yes, this really is a callable, and it performs the callable callability check at the point where it’s created, and also binds the scope at that time. So if you pass it to a different function in a different scope, it still remains callable.

And it’s guaranteed to always be callable.

Yeah, exactly.

What does the syntax like?

Hi, I’m Derick. Welcome to PHP internals news, a podcast dedicated to explaining the latest developments in the PHP language. This is Episode 91. Today I’m talking with Craig Francis and Joe Watkins, talking about the is_literal RFC that they have been proposing. Craig, would you please introduce yourself?

Hi, I’m Craig Francis. I’ve been a PHP developer for about 20 years, doing code auditing, pentesting, training. And I’m also the co-lead for the Bristol chapter of OWASP, which is the open web application security project.

Very well. And Joe, will you introduce yourself as well, please?

Hi, everyone. I’m Joe, the same Joe from last time.

Well, it’s good to have you back, Joe, and welcome to the podcast Craig. Let’s dive straight in. What is the problem that this proposal’s trying to resolve?

So we try to address the problem where injection vulnerabilities are being introduced by developers. When they use libraries incorrectly, we will have people using the libraries, but they still introduce injection vulnerabilities because they use it incorrectly.

What is this RFC proposing?

We’re providing a function for libraries to easily check that certain strings have been written by the developer. It’s an idea developed by Christoph Kern in 2016. There is a link in the video, and the Google using this to prevent injection vulnerabilities in their Java and Go libraries. It works because libraries know how to handle these data safely, typically using parameterised queries, or escaping where appropriate, but they still require certain values to be written by the developer. So for example, when using a query a database, the developer might need to write a complex WHERE clause or maybe they’re using functions like datediff, round, if null, although obviously, this function could be used by developers themselves if they want to, but the primary purpose is for the library to check these values.

That is a method of doing it. What is this RFC adding to PHP itself?

It just simply provides a function which just returns true or false if the variable is a literal, and that’s basically a string that was written by the developer. It’s a bit like if you did is_int or is_string, it’s just a different way of just sort of saying, has this variable been written by the developer?

Is that basically it?

That’s it? Yeah.

It would also return true for variables that are the res

Hi, I’m Derick. Welcome to PHP internals news, a podcast dedicated to explaining the latest developments in the PHP language. This is Episode 90. Today I’m talking with Nikita Popov about the read only properties version two RFC that he’s proposing. Nikita, would you please introduce yourself?

Hi, Derick. I’m Nikita and I do PHP core development work by JetBrains.

What does this RFC proposing?

This RFC is proposing read only properties, which means that the property can only be initialized once and then not changed afterwards. Again, the idea here is that since PHP 7.4, we have typed properties. A remaining problem with them is that people are not confident making public type properties because they still ensure that the type is correct, but they might not be upholding other invariants. For example, if you have some, like additional checks in your constructor, that string property is actually a non empty string property, then you might not want to make it public because then it could be modified to an empty value for example. One nowadays fairly common case is where properties are actually only initialized in the constructor and not changed afterwards any more. So I think this kind of mutable object pattern is becoming more and more popular in PHP.

You mean the immutable object?

Sorry, immutable. And read only properties address that case. So you can simply put a public read only typed property in your class, and then it can be initialized once in the constructor and you can be… You don’t have to be afraid that someone outside the class is going to modify it afterwards. That’s the basic premise of this RFC.

But it also means that objects of the class itself can modify that value any more, either.

Exactly. So that’s, I think, a primary distinction we have to make. Genuinely, there are two ways to make this read only concept work. One is like actually read only or maybe more precisely init once, which is what this RFC proposes. We can only set that once and then even in the same class, you can’t modify it again. And the alternative is the asymmetric visibility approach where you say that, okay, only in the public scope, the property can only be read, but in the private scope, you can modify it. I think the distinction there is very important, because read only property tells you that it’s genuinely read only, like, if you access a property multiple times in sequence, you will always get back the same value. While the asymmetric visibility only says that the public interface is read only, but internally, it could be mutated. And that might like be, you know, intentional, just that you want to like have your state management private, but that the property is not supposed to be immutable.

How’s this RFC different from read only properties, version one?

Read only pr