This is a branch off from a separate discussion on the PHP-FIG mailing list about other ways the Framework Interoperability Group can encourage and foster wider interoperability among its member projects (and by extension, the whole PHP community). I'll start by noting two interesting developments in recent months and one long standing best practice.

The two "interesting developments" he mentions are the relatively recently released SensioLabs Security Checker that uses you Composer file to find security issues and the new entry in the latest version of the OWASP Top 10 list for "Using Components with Known Vulnerabilities". The best practice he talks about is more around the timely/responsible disclosure of vulnerabilities and how some kind of decentralized tracking of these issues that puts the responsibility back on the developers of the tool and not on one tracking resource.

The PHP development process is still a bit frustrating. Many developers hoped that PHP had certain features but those are still missing due to several reasons. One way to see those features happen is to write code to implement the features and then submit the code to the PHP core. However that is not a guaranteed process. Even if you provide the necessary code, other developers may object to the addition of those features and the effort is wasted.

Among the things he lists as features that are desired but not implemented yet are things like:

• Aspect oriented programming
• Annotations
• Class generics
• Introspection of private variables and functions
• Named parameters

There's a summary of each of the features mentioned and in some cases links to RFCs that presented the same ideas. If you're interested in presenting your own ideas to the PHP project for inclusion, you can "demystify" the RFC process by checking out this post from Chris Jones with lots of good suggestions and the flow of how the process (usually) works.

PSR-3 is a proposed standard (voting has finished, it should appear as an accepted standard when the PSR folks recover from too much Christmas turkey) describing a common logging interface for PHP frameworks. It's based on a small subsection of RFC 5424, which describes the Syslog standard, which is a very sensible choice. Sysadmins think in terms of Syslog levels, and they utterly hate dealing with loggers that don't map cleanly onto Syslog.

He briefly introduces the PSR and the format of the logger with some of the main methods it should implement and what they do. He talk gets into some of his critiques about the proposal, namely the method naming, the exception handling parameter and the proposed LogLevel constants.

Earlier today, I was asked "Any tips on how to write a proposal for a major conf?" I've never shared tips on this, and since the calls for proposals for Sunshine PHP and Midwest PHP both end tomorrow, I thought it would be a good idea to share my approach to writing conference proposals. Remember those standard, five-paragraph essays you used to write in high school? Remember how you thought they sucked and wouldn't provide any practical benefit to your life? Well, it turns out they do have some redeeming qualities.

He suggests that this "five paragraph essay" format helps you not only come up with a more fleshed out, full idea but also can provide you with the abstract to submit to the conference (possibly the first paragraph). He mentions the need for a "hook" and finishing off with an opinion that's the basis of the talk. He also has a reminder of a few things - don't talk down, don't use negative language and try not to use absolutes.

A short time ago today, I submitted a PHP RFC for discussion which proposes adding an SPL Escaper class and, quite possibly, a related set of functions dedicated to escaping data for output to HTML/XML to PHP: https://wiki.php.net/rfc/escaper. The RFC itself should be a good read if you want to understand why I'm proposing this but the basics are quite simple. Cross-Site Scripting (XSS) is one of the two most common security vulnerabilities in web applications - the other being SQL Injection. Despite this, PHP's offering of escaping functions is extremely limited.

He talks about what problems the proposed solution solves and how it could help protect PHP programmers more effectively than the more complicated methods they have to go through now. If you're interested in reading the conversations so far, you can start here and walk through the messages.

Building software with a clear set of use cases and requirements is a relatively straight forward process. Various design patterns exist to help you solve problems which others have come across already. You can use principles like SOLID to help separate your classes and simplify your code. [...] Using a set of guidelines like SOLID may make it easier to swap out a broken class for a new class, but they don't really help you identify the problem or fix any data corruption which may have occurred. Knowing you have a problem and being able to isolate and fix the problem is just as important, if not more so, than being able to rely on consistent interfaces from your factory method. That is why I am proposing an additional set of software development guidelines called "LUCID code."

He defines it as "code with understands that bugs are unavoidable" and is able to give developers feedback through its own logging, tests and documentation. With correctly isolated code, development can be segmented and worked at the same time and make changing requirements and updating functionality simpler in the long run.

It's quite possible that PHP may finally be getting the addition of the finally block in its try/catch block. [...] It also solves a simple, but overlooked problem for the developer. With finally we offer the user-space code a chance to do any clean up work that may be necessary after a try block has terminated execution and with clear semantics.

He includes a use case for this feature - an example showing exception handling on multiple levels and writing to log files when the cleanup of the exception is finished (without the potential for another method to trigger the exception itself). "Finally" allows you to take this logic out of the exception handling and put it at the end, removing the possibility of it triggering an exception for the wrong reason. There's a few other examples showing some other quirks with its usage - like calling die will not make it end up in the "finally".

He explains the concept of "generators" as an easier way to implement iterators. In his example he shows how to refactor is file handling iterator to replace it with generator functionality. It uses a new keyword, "yield", to return a Generator instance that can then can be used much like the file iterator without the need for all of the code to create the iterator itself. His more complex example shows how to replace an ArrayObject instance by a little trick inside its "getIterator" method.

There has been a lot of traction lately on the topic of the PSR "PHP Framework Interoperability Group". They are introducing two new proposed standards: PSR-1and PSR-2, both dealing with code formatting standards. [...] I have read both, and actually agree and think they are quite good. However, there's a deeper problem. Open Standards is something that the internet was built upon. From HTTP, E-Mail and HTML to ECMA Script (JavaScript), OAuth and JSON, open standards are everywhere. The problem with the entire PSR process is that it is not designed to produce open standards.

He describes an "open standard" and points to this RFC as an example of the open process they should result from. He talks about the importance of the process and how having more people reviewing and contributing their ideas could help find issues in the proposal. He issues a "call to the PSR team" to adopt this practice, allowing a more open flow to the ideas that are being proposed.

Note that I'm not asking to open the vote to anyone else. I'm not saying that standards should be approved by everyone in the community. There should still be a standards body that makes the final decision. But they should make that decision based on community input. They should actively look for and encourage open discussion prior to voting.

One of the features originally planned for PHP 5.4 was scalar type hinting. But as you know, they weren't included in the release. Recently the topic has come up again on the mailing list and there has been a hell lot of discussion about it. Yesterday ircmaxell published a blog post about his particular proposals. The reactions on reddit were mixed. On one hand it is clear that people do really want scalar type hints, on the other hand they didn't seem to like that particular proposal.

He gets into some of the details of some of the current proposals and their problems like the strict versus loosely-typed nature of PHP and type hinting that was included but not enforced. One he does like, however, is one based on casting - how the variable ends up being cast rather than the specific type it is when it comes into the function/method. This one still has its flaws, so he suggests another method - weak type hints but with stricter input validation (without casting). He also briefly mentions something called "box based type hinting" that would allow users to define their own hinting rules.

Don't worry - code examples (pseudo-code obviously) are included for each of these proposals to help you understand the differences.