Excellent PHP writing, hand-picked.
No buzzwords. No ads. No nonsense. Curated by Stefan Priebsch and Sebastian Bergmann of thePHP.cc as a free service to the PHP community.

Issue #12

Can PHP finally have generics?

19 May 2026

"Generics are back on PHP’s agenda, not as an abstract type system debate but as a practical question about how much intent the language itself should express. And, as expected, security remains a hot topic."
— Stefan & Sebastian

garfieldtech.com

PHP generics, closer than ever

This article frames the latest RFC for generics in PHP as perhaps the language’s best shot yet, while raising an important unresolved question: would such a feature make static analysis an implicit part of writing modern PHP?

Picked by Stefan Priebsch – "A balanced analysis of PHP’s latest attempt at generics, one of PHP’s hardest language design questions: technically possible, widely desired, but full of trade-offs."

wiki.php.net

Another RFC for generics in PHP

This RFC proposes moving even more of PHP’s informal “promises about what kind of data code expects” out of comments and into the language itself, while keeping adoption gradual so existing code does not have to change all at once.

Picked by Sebastian Bergmann – "This might become another example of PHP core adopting ideas explored in userland, in this case shaped in large part by the maintainers of static analysis tools."

phpreads.com

Composer fails fast and fails hard

Damien Retzinger documents a serious PHP supply-chain issue. For a short window, vulnerable Composer versions could expose GitHub Actions tokens in public build logs after GitHub changed its token format.

Picked by Stefan Priebsch and Sebastian Bergmann – "Perfect example of a blame-free post-mortem providing useful guidance for the PHP community. Thank you, Damien, for your exceptional work."

Issue #11

Security has a long memory

12 May 2026

"Security has a long memory. Systems carry forward old assumptions, forgotten shortcuts, and design decisions made under constraints that no longer exist. We look at what happens when familiar software is examined with fresh eyes and how tools like Claude Mythos may bring long-buried risks back into view."
— Stefan & Sebastian

blog.calif.io

Finding and exploiting a 21-year-old vulnerability in PHP

This article walks through a newly discovered use-after-free vulnerability in PHP's unserialize() function, tracing it back to a missing lock in a code path introduced with PHP 5.1. It shows that old design decisions can remain reachable, relevant, and dangerous long after everyone assumes the terrain is well understood.

Picked by Stefan Priebsch – "Code is not only an asset; it is also a liability. This article shows how every line can carry hidden risk, sometimes lying dormant for decades before becoming exploitable."

sektioneins.de

phpinfo() type confusion infoleak vulnerability and SSL private keys

It is great to see Stefan Esser associated with PHP security again. Few people have shaped the field as deeply, with work such as the Hardened-PHP Project, Suhosin, and the Month of PHP Bugs. This historic article is a good example of the depth and precision of his work.

Picked by Sebastian Bergmann – "Stefan Esser’s work has held up exceptionally well over time. I picked this article to raise security awareness in preparation for what may come once Claude Mythos is used to look at PHP."

phrack.org

Hacking PHP

Famous hacker Orange Tsai’s article turns PHP security into a story about curiosity, persistence, and the creative culture of the security researcher community. It shows how playful exploration of familiar systems can uncover forgotten lessons, preserve community knowledge, and push security research forward.

Picked by Stefan Priebsch and Sebastian Bergmann – "Security research is about revealing how familiar systems fail when real-world use exceeds the assumptions their designers made."

Issue #10

The work that keeps PHP alive

5 May 2026

"Open source does not sustain itself, and PHP is no exception. This issue looks at the work behind the work: funding maintainers, simplifying licenses, and turning private experience into shared knowledge for the community."
— Stefan & Sebastian

skoop.dev

Sustainable open source

Open source software is not simply free code, but a community ecosystem that depends on active support from its users. Companies that profit from open source should deliberately contribute back to the projects they rely on, especially smaller libraries with few maintainers.

Picked by Stefan Priebsch – "This is PHP Reads social engineering at its best: after convincing Stefan to contribute to our online conference years ago, we were also able to persuade him to write this blog post."

ben.ramsey.dev

The PHP License, simplified

Ben Ramsey explains how a 2020 compliance question led to years of work replacing PHP’s aging custom PHP and Zend Engine licenses with plain BSD-3-Clause, eliminating ambiguity around OSI approval, GPL compatibility, distributor rights, and legacy Zend-specific terms.

Picked by Sebastian Bergmann – "We encouraged Ben to publicly tell the story behind PHP’s license simplification. He delivered exactly the kind of article we love, highlighting one of the less visible ways people contribute to PHP."

phpreads.com

From experience to shared knowledge

PHP Reads is not only about finding good PHP content, but also about helping more community knowledge become visible. We invite everybody to share worthwhile articles, encourage you to write, and offer our help in turning your experience into something the PHP community can learn from.

Written by Stefan Priebsch and Sebastian Bergmann.