8 posts tagged with "Php"

There is a fascinating conversation happening in the Drupal community right now: HTMX Now in Drupal Core. The proposal? To replace the venerable (but aging) jQuery-based Ajax API with a modern, lightweight, HTML-over-the-wire subsystem based on HTMX.

To understand the practical implications, I built a demo module comparing the two approaches side-by-side.

The Experiment​

I created drupal-htmx-ajax-replacement-demo, a module that renders two identical interactive cards. One uses the standard Drupal.ajax library, and the other uses HTMX.

1. Legacy Drupal Ajax​

The traditional way relies on jQuery and a custom JSON protocol.

The Flow:

1. Client clicks a link with .use-ajax.
2. Drupal.ajax intercepts the click.
3. Server builds an AjaxResponse with commands (e.g., ReplaceCommand).
4. Server returns JSON: [{"command": "insert", "method": "html", ...}].
5. Client Javascript parses JSON and executes DOM manipulation.

The Code:

public function timeAjax() {
  $response = new AjaxResponse();
  $response->addCommand(new HtmlCommand('#container', $html));
  return $response;
}

2. The HTMX Way​

HTMX allows us to be declarative. We define what we want in HTML attributes, and the server just returns HTML.

The Flow:

1. Client clicks <button hx-get="..." hx-target="...">.
2. HTMX intercepts.
3. Server returns standard HTML fragment.
4. HTMX swaps the HTML into the target.

The Code:

public function time() {
  return new Response($html);
}

Why This Matters​

The difference in complexity is striking.

• Javascript: The legacy approach requires the heavy core/drupal.ajax library (and jQuery). HTMX is lighter and requires no custom Javascript for this interaction.
• Backend: The HTMX controller returns a simple Response object with a string. The legacy controller requires instantiating AjaxResponse and learning the Command API.

You can view the full source code and the comparative implementation in the repository below.

View Code

View Code

Drupal 12 is on the horizon, and with it comes the final removal of a long-standing legacy layer: the procedural Database API wrappers.

If your codebase still relies on db_query(), db_select(), or db_insert(), you are looking at a hard break when D12 lands. These functions have been deprecated since Drupal 8, but they've stuck around for backward compatibility. That grace period is ending.

Today I contributed a fix for a subtle but impactful operator precedence bug in Drupal Core's DefaultTableMapping class. The bug affects how SQL table names are constructed when a database prefix is used and entity type tables are not explicitly configured.

The Problem​

In PHP, the concatenation operator (.) has higher precedence than the ternary operator (?:). This led to an issue in the DefaultTableMapping constructor:

$this->baseTable = $this->prefix . $entity_type->getBaseTable() ?: $entity_type->id();

When a prefix is present (e.g., 'prefix_') and getBaseTable() returns NULL, the expression evaluates as follows:

1. 'prefix_' . NULL results in 'prefix_'.
2. 'prefix_' ?: $entity_type->id() checks if 'prefix_' is truthy.
3. Since 'prefix_' is truthy, it is returned, and the fallback entity ID is ignored.

This results in a table name that is just the prefix, leading to malformed SQL queries.

The Fix​

The fix is straightforward: wrap the ternary expression in parentheses to ensure it is evaluated before concatenation.

$this->baseTable = $this->prefix . ($entity_type->getBaseTable() ?: $entity_type->id());

Verification​

I've created a standalone reproduction project with a PHPUnit test to verify the fix. The test ensures that table names are correctly constructed even when getBaseTable() and related methods return NULL.

View Code

View Code

Issue Link

Issue: Operator precedence bug in DefaultTableMapping fix

In February 2026, a widespread malware campaign targeted thousands of WordPress sites, exploiting vulnerabilities in outdated plugins. One significant flaw was CVE-2025-67987, a critical SQL injection vulnerability in the popular "Quiz And Survey Master" (QSM) plugin.

To help developers and site owners identify these threats, I've built WP Malware Sentinel, a lightweight CLI tool that scans WordPress installations for known malware signatures and audits installed plugins for specific high-risk vulnerabilities.

Key Features​

• Signature Scanning: Detects common malware patterns like obfuscated eval(base64_decode()), suspicious shell executions, and embedded malicious iframes.
• Vulnerability Auditing: Specifically checks for vulnerable versions of plugins involved in current active campaigns (e.g., QSM versions prior to 10.3.2).
• Fast and Extensible: Built with Symfony Components (Finder, Console) for high performance and easy integration into CI/CD or agent workflows.

How it Works​

The scanner traverses the file system looking for signatures defined in its internal database. It also parses readme.txt files of installed plugins to verify stable versions against known vulnerable releases.

# Run a scan on the current directory
./bin/wp-sentinel scan .

Technical Implementation​

The project is written in PHP 8.4 and utilizes PSR-4 autoloading. It includes a comprehensive test suite using PHPUnit to ensure reliable detection without false positives in common WordPress codebases.

View Code

View Code

Link rot is a silent killer of the web's institutional memory. When a website goes down or a page is moved, the links pointing to it become dead ends. Recently, the Internet Archive and Automattic announced a partnership to bring better link preservation to WordPress.

I've built a demonstration plugin, Wayback Link Fixer, that showcases the core mechanics of this integration.

How it Works​

The plugin uses the Wayback Machine's Availability API. By querying https://archive.org/wayback/available, we can instantly determine if a given URL has a snapshot in the archive.

The Link Checker Logic​

At the heart of the plugin is a simple LinkChecker class that wraps the API call:

public function get_archived_url($url) {
    $response = $this->client->request('GET', $this->api_url, [
        'query' => ['url' => $url]
    ]);

    $data = json_decode($response->getBody()->getContents(), true);

    if (isset($data['archived_snapshots']['closest']['url'])) {
        return $data['archived_snapshots']['closest']['url'];
    }

    return null;
}

Why This Matters​

For journalists, researchers, and bloggers, links are more than just navigation; they are citations. When a citation breaks, the credibility of the content is diminished. By automatically detecting broken links and pointing them to the Wayback Machine, WordPress can help ensure that the web remains a reliable source of information for years to come.

View Code

View Code

The PHP world doesn't sleep. Today brought a critical wave of security patches across the entire Symfony ecosystem (from 5.4 LTS to 8.0) and a forward-looking release from Pantheon's Terminus CLI adding support for the upcoming PHP 8.5.

Why I'm Flagging This​

Dependency management is often "set and forget" until a CVE hits. The sheer breadth of today's Symfony security release—touching five major branches—is a reminder that even stable, mature frameworks have surface area that needs constant watching.

Simultaneously, seeing platform tools like Terminus prep for PHP 8.5 (while many of us are just settling into 8.3/8.4) signals that the infrastructure layer is moving fast. If your tooling lags, your ability to test new features lags.

The Solution: Patching & Upgrading​

Symfony Security Sweep​

The Symfony team released versions 8.0.5, 7.4.5, 7.3.11, 6.4.33, and 5.4.51. These aren't feature drops; they are security hardenings. If you are running a composer-based project (Laravel, Drupal, native Symfony), you need to verify your lock file isn't pinning a vulnerable version.

# Check for known security vulnerabilities in your dependencies
composer audit

# Update only symfony packages
composer update "symfony/*" --with-dependencies

Terminus & PHP 8.5​

Pantheon's CLI tool, Terminus, bumped to 4.1.4. The headline feature is PHP 8.5 support. While PHP 8.5 is still in early development phases, having CI/CD tools that can handle the runtime is essential for early adopters testing compatibility.

# Check your current Terminus version
terminus --version

# Update Terminus (if installed via phar/installer)
terminus self:update

The Code​

No separate repo—this is a maintenance and infrastructure update cycle.

What I Learned​

• LTS is a commitment: Seeing Symfony 5.4.51 in the release list proves the value of Long Term Support versions. You don't have to be on the bleeding edge to get security patches, but you do have to run the updates.
• Composer Audit is underused: Running composer audit should be part of every CI pipeline. It catches these announcements instantly.
• Tooling leads runtimes: Infrastructure CLIs (like Terminus) often need to support a language version before the application code does, so developers have a stable environment to break things in.

References​

• Pantheon Terminus 4.1.4 Released with PHP 8.5 Support
• Security Release: Symfony 8.0.5, 7.4.5, 7.3.11, 6.4.33, and 5.4.51

The Drupal AI module is getting granular with a new 'Focal Point' operation type and fixing critical streaming consistency issues in the API Explorer.

If you've ever wondered how Drupal magically discovers all its breadcrumb builders, access checkers, or authentication providers, you're looking at the Service Collector pattern. It's the secret sauce that makes Drupal one of the most extensible CMSs on the planet.

Why I Built It​

In complex Drupal projects, you often end up with a "Manager" class that needs to execute logic across a variety of implementations. Hardcoding these dependencies into the constructor is a maintenance nightmare. Instead, we use Symfony tags and Drupal's collector mechanism to let implementations "register" themselves with the manager.

I wanted to blueprint a clean implementation of this because, while common in core, it's often misunderstood in contrib space.

The Solution​

The Service Collector pattern relies on two pieces: a Manager class that defines a collection method (usually addMethod) and a Service Definition that uses a tag with a collector attribute.

Implementation Details​

In the modern Drupal container, you don't even need a CompilerPass for simple cases. You can define the collector directly in your services.yml.

services:
  my_module.manager:
    class: Drupal\my_module\MyManager
    tags:
      - { name: service_collector, tag: my_plugin, call: addPlugin }

  my_module.plugin_a:
    class: Drupal\my_module\PluginA
    tags:
      - { name: my_plugin, priority: 10 }

namespace Drupal\my_module;

class MyManager {
  protected $plugins = [];

  public function addPlugin(MyInterface $plugin) {
    $this->plugins[] = $plugin;
  }

  public function executeAll() {
    foreach ($this->plugins as $plugin) {
      $plugin->doWork();
    }
  }
}

The Code​

I've scaffolded a demo module that implements a custom "Data Processor" pipeline using this pattern. It shows how to handle priorities and type-hinted injection.

View Code

What I Learned​

• Decoupling is King: The manager doesn't need to know anything about the implementations until runtime.
• Performance: Service collectors are evaluated during container compilation. This means there's zero overhead at runtime for discovering services.
• Council Insight: Reading David Bishop's thoughts on UK Council websites reminded me that "architectural elegance" doesn't matter if the user journey is broken. Even the best service container won't save a site with poor accessibility or navigation.
• Gotcha: If your manager requires implementations to be available during its own constructor, you might run into circular dependencies. Avoid doing work in the constructor; use the collected services later.

References​

• [The Drop Times: David Bishop on Council Insight and Rethinking How UK Council Websites Are Evaluated](https://www.thedroptimes.com/interview/66236/david-bishop-interview-council-insight-user-journeys-and-evaluating-uk-council-websites?utm_source=Drupal Planet)
• David Bishop on Council Insight and Rethinking How UK Council Websites Are Evaluated
• [The Drop Times: Drupal service container deep dive (Part 3): service collectors](https://www.thedroptimes.com/66222/drupal-service-container-deep-dive-part-3-service-collectors?utm_source=Drupal Planet)