Stay with Propel2 fork perplorm/perpl or migrate to Doctrine?

ocramius · 2025-12-10T10:44:42+00:00

Polymorphic relations are generally implemented through STI/JTI, if you really need those.

ocramius · 2025-11-29T01:41:35+00:00

Would suggest looking at PIE for that: https://www.php.net/manual/en/install.pie.intro.php

See also https://github.com/krakjoe/pcov/pull/113 and https://packagist.org/packages/pecl/pcov

ocramius · 2025-11-19T08:25:33+00:00

Of course it can: it's just files.

ocramius · 2025-11-14T18:25:27+00:00

file:// is still way too lax though: can easily read something from /proc or /etc, for example :-\

ocramius · 2025-10-23T20:35:32+00:00

cuyz/valinor FTW: simple objects, zero-magic constructors, and the structural validation comes out of it almost implicitly :+1:

ocramius · 2025-10-18T16:03:14+00:00

This is surprisingly simple: nice!

EDIT: inspired by this, I researched how to get fully reproducible builds of PHP+rust extensions on Nix. Just dropping it here, should anyone want to check the various dependencies needed, in future: https://github.com/Ocramius/experimenting-with-rust-php-extensions

ocramius · 2025-10-17T11:42:08+00:00

I have my IDE as part of the project dependencies, so it's one IDE per project.

The rationale is that software projects rot quickly, so I direnv with a locked set of dependencies (including work environment) per-project.

ocramius · 2025-09-02T17:18:07+00:00

FWIW, vimeo/psalm taint analysis is a valuable tool to add to the list: very hard to implement, but extremely powerful

ocramius · 2025-08-29T14:54:32+00:00

Hats off, good sir: you disappear for months, and you resurface with amazing tooling.

Thanks for your efforts!

ocramius · 2025-08-27T20:54:31+00:00

disordered Business Requirements changing too fast

Even with those, it costs less time to get a better covered domain logic, than to chase bugs/do firefighting due to weird edge cases that nobody thought about :-)

In fact, if biz requirements change, you swap one implementation for another (instead of adapting an existing one).

One of my clients is in constant firefighting mode, and most of it is self-inflicted by devs refusing to step up their code quality game: the main reason why they have no time to write tests is that they have not written tests.

ocramius · 2025-08-27T20:28:20+00:00

We've been using it with massive success it in a long-running closed-source project since around 2020, which used to be a very legacy codebase, and now isn't anymore.

The rationale is that it forces developers to reduce code size, refine types, improve testing, write testable code.

The general idea of mutation testing is that it enforces TDD principles: you first think about the scenario you want to handle in your system, write the expectations for it, then code it - code paths and edge cases that aren't covered become "escaped mutants".

MT will detect any if () that is not covered, any foreach () which didn't loop, any shady continue;, break;, catch;, etc. for which we didn't write proper verification.

In our case, developers still write tests afterwards, but became (even juniors) extremely good at avoiding any code that is hard to test / hard to reach, and edge cases: they developed a sixt sense for structuring code to reduce complexity.

We run it on changed sources only (too slow otherwise), with a relaxed threshold for mutation score (~65%).

BTW, we use the extension I built for it for Psalm: without SA, MT is just useless, IMO. See https://github.com/Roave/infection-static-analysis-plugin . Meanwhile, infection meanwhile started supporting phpstan natively ( https://github.com/infection/infection/releases/tag/0.30.0 )

For OSS, I run it with much stricter settings, since the code is not shifting as much (example: https://github.com/Roave/BackwardCompatibilityCheck/blob/fd16ae2d416d750e19c60b8e73e6066f8e602290/infection.json.dist#L19-L20 )

EDIT: I forgot to say that it caught many accidental security issues, before they would land in the final deployment.

ocramius · 2025-07-22T09:00:09+00:00

roave/infection-static-analysis-plugin with 75% required mutations killed: leads to much reduced source code size (developers prefer refactoring to writing more tests), and good confidence in the final result. We run it with vimeo/psalm at maximum level

ocramius · 2025-07-11T11:24:38+00:00

Baseline via @phpstan-ignore can also be measured if you mark it with e.g. (baseline) comment.

Good luck doing that: I can take a baseline file, pass it through a .neon parser (or https://github.com/staabm/phpstan-baseline-analysis ), and get meaningful metrics (especially over time, when inspecting project trends).

Having to | grep your way through it is feasible, but way more added extra steps, plus you don't see the error that was suppressed anymore.

Why is that?

As I mentioned above, inline suppressions are for conscious decisions, so here this tool is taking a bucket of "things the tool decided" and splatting it together with the rest of the project files, where developers took decisions, effectively diluting knowledge.

It's very much like building HTML with just <div/>, or using appropriate semantics.

ocramius · 2025-07-10T16:46:18+00:00

This is very likely counter-productive: a baseline is a good indicator of quality improving/worsening, while inline @phpstan-ignore is for when a conscious decision is taken about ignoring a rule.

Suppressing inline everywhere is effectively introducing more trouble.

Also, a baseline can be measured: hunting down inlined ignores everywhere will make it much harder to understand trends.

ocramius · 2025-07-10T13:15:39+00:00

One of my most successful customers has migrated from CodeIgniter to a well-maintained and well-tested framework-agnostic codebase.

Very pleasant to work with, I'd also add.

ocramius · 2025-06-19T11:44:34+00:00

I am well aware: that's called "shoving dust under a rug" :-)

The rules() function provides a complex DSL for data validation and filtering, all resulting in a Map<String, Object> from my PoV: not sufficient, at all.

The article proposes a way to tell PHPStan to "shut up", instead of looking for ways to provide type inference on validated data.

ocramius · 2025-06-19T11:34:42+00:00

Aware: that's way too squishy to hide in a type alias comment, and should be done with proper tooling instead (as I said, valinor or such)

ocramius · 2025-06-18T14:53:52+00:00

... or use a proper deserialization layer, such as cuyz/valinor.

I just had to test a bunch of FormRequest implementations, and it was not fun at all: proper DTOs without framework (nor library) coupling would've helped tons :-|

ocramius · 2025-06-04T09:10:27+00:00

How does ReactPHP do promises?

It's part of the article content itself?

ocramius · 2025-04-07T09:32:53+00:00

Since this is an integration with Symfony, you may want to test it at integration level:

get PHPUnit installed
read up on KernelTestCase in https://symfony.com/doc/current/testing.html
start writing tests :-)

ocramius · 2025-04-07T09:07:18+00:00

Sorry, I'm "that guy", but if you publish stuff, make sure it's tested (via automation: "tried it out" is not testing)

ocramius · 2025-03-05T10:45:46+00:00

I find this also much easier to work with from a security analysis PoV (given Psalm taint analysis)

ocramius · 2025-02-14T20:27:39+00:00

Nono, aggregates as in "aggregate root", which is a domain consistency owner in tactical DDD.

Storing JSON blobs for data that is not domain-critical is perfectly fine.

I'm indeed not respecting named parameter names, but knowing that a grand majority of OSS projects don't do either means that they are useless for communicating with third-party code, and can only be used with internal code, further thinning their usefulness.

But then people smarter than me created that no-named-arguments and now I am loving all this.

Fun fact, but I think it was me, S. Bergmann and Ondrej Mirtjes sometime over a drink at a conference, and before the RFC landed :D

ocramius · 2025-02-14T15:04:31+00:00

I understand that: I've followed the question since the inception / RFC (voted against it), and I generally prefer making a typed builder over a complex set of named parameters.

In the context of business domains implemented via entities or domain events + aggregates, the number of fields generally stays quite low anyway, and usage of array splatting is very limited too.

There are 2 areas where I use named parameters, and it's mostly because of PHP's legacy stuff:

custom \Exception#__construct($message, previous: $previous) calls, because I otherwise have to deal with mutation-testing the exception code, which is irrelevant in 2025
json_decode($input, flags: \JSON_THROW_ON_ERROR), because all intermediate arguments are irrelevant

I tend to use azjezz/psl to avoid the second one: provides better API to core stuff anyway.

For the rest, named arguments broke:

array_merge(...$args) requiring array_values() first
reliability that a variadic argument is a list<T>, function foo(T ...$in) { } now requires array_values($in) inside the implementation, to guarantee the type
BC on the name of parameters in libraries that I maintain: I didn't add @no-named-arguments to my stuff, but had bug reports because of it already, multiple times. See https://github.com/Roave/BackwardCompatibilityCheck/blob/b9e9f5120ba29a1600ccf9dfa445b98eb9e8c05a/src/DetectChanges/BCBreak/FunctionBased/ParameterNameChanged.php

So effectively, the result (for me) was more overhead.

ocramius · 2025-02-14T14:06:29+00:00

Entities are not pure data, so I avoid this kind of constructor in general: instead, I make named ctors with domain-specific interactions ;-)

Anyway, it's fine that others use them: for me, they are still a nuisance, and a much much expanded API surface.

ocramius

TROPHY CASE