Joined December 2011
working on improving #phpstan regex constant type inference based on regex AST even more.
my #phpstan #todoby extension just crossed the 200 stars. it will emit errors, when todos expire...
- by date
- when a referenced issue tracker ticket changes state
- when a composer version constraint is met
see github.com/staabm/phpstan-to…
Spent the morning to make sure #composer/pcre, @PHPCSFixer, thecodingmachine/safe #phpstan integrations will utilize latest PCRE type inference additions
goal is to make sure users of these regex wrappers will have the same benefits native php-src preg_* function consumers have
just pushed a new #phpstandba release, which adds basic support for common-table-expressions (CTE) and fixes a few bugs (and compatibility with PHPStan 2.2.x) thanks to @ArtemGoutsoul, Etienne V. Labelle, Dan Hemberger
markus staab | @markusstaab@phpc.social retweeted
Ever found yourself accidentally merging changes to the public API of a PHP package and regretting it later? I made a GitHub Action to help prevent that. seld.be/notes/surfacing-publ…
working on more precise #phpstan types, based on regex AST - let's make use of the new decimal-int-string type.
markus staab | @markusstaab@phpc.social retweeted
Type juggling has been exploited in real #PHP authentication bypasses. Here's the classic:

if ($userInput == $storedHash) {
    // login success
}

If $storedHash starts with "0e" followed by digits (like "0e462097"), PHP treats it as scientific notation: 0 * 10^462097 = 0.

An attacker just needs to find an input whose MD5 also starts with "0e" digits. Both sides evaluate to 0. 0 == 0 is true.

Known "magic hashes":
- MD5("240610708") = 0e462097...
- MD5("QNKCDZO") = 0e830400...
- SHA1("aaroZmOk") = 0e00000...

Fix: use === everywhere. Or better: hash_equals() for timing-safe comparison. Never == for security checks.
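The comparison described in the post above, shown next to the two fixes it names, as an added example that is not part of the original post or of any project mentioned on this page. The function names (isMagicHash, looseCheck, strictCheck, safeCheck) and the third sample input are assumptions made for illustration; the digests are computed at run time from the two MD5 inputs the post lists.

```php
<?php
declare(strict_types=1);

// Constructed sample: the two MD5 inputs named in the post above.
// Their digests are computed here, not copied from the page.
$storedHash = md5('240610708'); // digest kept server-side
$userInput  = md5('QNKCDZO');   // digest of a different input

/** True when a digest has the "0e" + digits-only shape, i.e. is a numeric string equal to zero. */
function isMagicHash(string $digest): bool
{
    return preg_match('/^0+e[0-9]+$/iD', $digest) === 1;
}

/** The comparison from the post: both operands are numeric strings, so == compares them as numbers. */
function looseCheck(string $known, string $supplied): bool
{
    return $known == $supplied;
}

/** Strict comparison: same type and same bytes, no numeric conversion. */
function strictCheck(string $known, string $supplied): bool
{
    return $known === $supplied;
}

/** Byte-wise, timing-safe comparison; the known value goes first. */
function safeCheck(string $known, string $supplied): bool
{
    return hash_equals($known, $supplied);
}

printf("digests identical: %s\n", var_export($storedHash === $userInput, true));
printf("==          : %s\n", var_export(looseCheck($storedHash, $userInput), true));
printf("===         : %s\n", var_export(strictCheck($storedHash, $userInput), true));
printf("hash_equals : %s\n", var_export(safeCheck($storedHash, $userInput), true));

// Audit helper: flag stored digests that a loose comparison would treat as zero.
// 'password' is a constructed third input used as a non-matching control.
foreach (['240610708', 'QNKCDZO', 'password'] as $input) {
    $digest = md5($input);
    printf("%-10s magic-hash shape: %s\n", $input, var_export(isMagicHash($digest), true));
}
```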
You might remember #PHPStan supports array-shapes for $matches in preg_match*() since ~June 2024. RegEx AST based inference implemented before AI was even a thing. Today I realized that we can re-use the existing RegEx inference for $subject :-). phpstan.org/r/8b12686a-f8c8-…
markus staab | @markusstaab@phpc.social retweeted
Composer 2.10 is out. Native malware filtering via @AikidoSecurity, enabled by default on @Packagist. Plus a unified config.policy framework, deprecated source fallback, and wildcards in --with. #php #phpc #composerphp
markus staab | @markusstaab@phpc.social retweeted
PHPStan 2.2: Unsealed Array Shapes, Safer Array Keys, and More! phpstan.org/blog/phpstan-2-2…
markus staab | @markusstaab@phpc.social retweeted
Today we published our Impact and Transparency Report for 2025. We are incredibly grateful for our sponsors, partners, contractors, and individual financial contributors for without them, none of our work would be possible. 💙 🐘thephp.foundation/blog/2026/… #php #opensource
markus staab | @markusstaab@phpc.social retweeted
I've added rules to @rectorphp for this---give them a shot!
I love named arguments in PHP. They should be mandatory for null/true/false.
Together with @OndrejMirtes I will be at #neoscon to see what this awesome community has built over the years. see you there
markus staab | @markusstaab@phpc.social retweeted
May 20
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
markus staab | @markusstaab@phpc.social retweeted
If you haven't updated Composer to 2.9.8 or 2.2.28 (LTS), do so urgently! GitHub will restart the rollout of their new GitHub Actions tokens later today. They've improved secret masking to cover this Composer issue, but you're safer if you update. #composerphp #php #phpc
🚨 Security advisory: Composer 2.9.8 and 2.2.28 are out and fix a vulnerability leaking GitHub Actions new format GITHUB_TOKENs into job logs via error messages. Update now (composer self-update) or disable affected Actions workflows. #composerphp #phpc #php
In case you are using global userland constants in PHP and you configured their types in the @phpstan configuration, starting with today's release we will error about invalid values in define() or const definitions (bleeding edge only). phpstan.org/config-reference…
markus staab | @markusstaab@phpc.social retweeted
Infection 0.33.0 has been released. - Testo test framework support (by @roxblnfk) - Allow using the full width of the terminal for console output Enjoy!
markus staab | @markusstaab@phpc.social retweeted
Do you use Infection with AI-generated code/tests? If so, what is the workflow / skills / prompts? Is there anything we need to improve here to make it more useful?