DEV Community: Jarosław Szutkowski

Why Relying on Code Review Alone Is a Recipe for Burnout

Jarosław Szutkowski — Fri, 23 Jan 2026 16:18:49 +0000

The false sense of safety after code review

The pull request is approved.

Tests are green.

All comments are resolved.

A week later, a bug appears in production.

Nothing exotic. No edge case. Just a simple issue that somehow slipped through.

Everyone did their job. The code was reviewed. And yet - it still broke.

Most teams have lived through this more times than they want to admit.

The everyday chaos nobody names

If you're a junior or mid-level developer, this probably feels familiar:

you get the same comments again and again in pull requests,
different reviewers focus on different things,
some care about style, others about architecture, others about "their way",
the rules are mostly implicit - you learn them by getting corrected.

Over time, quality starts to feel… random.

Not because people don't care.

But because there is no stable system behind it.

It's not a feedback loop.

It's a lottery.

The psychological cost nobody budgets for

Every manual quality process has a hidden psychological cost:

it frustrates senior developers, because they repeat the same comments over and over,
it slows down junior developers, because they're never sure what really matters,
and it teaches teams that "quality is someone else's responsibility".

Over time, this doesn't build better software.

It builds fatigue.

And fatigue is the enemy of consistency.

The real problem (it's not people)

The problem is not that developers are careless.

The problem is that code review shifts responsibility for quality onto people.

Quality depends on:

who reviews the code,
when they do it,
how tired they are,
how much context they have that day.

That works - up to a point.

But it's not a scalable system.

Code review scales linearly with human effort.

Codebases scale exponentially.

At some point, those curves stop matching.

What code review is consistently bad at

There are things code review is simply not good at:

enforcing consistent formatting and style,
spotting nullability and type issues "by eye",
remembering architectural boundaries across the whole system,
catching the same category of mistake for the tenth time this month.

These are not judgement calls.

They are repeatable checks.

And repeatable checks should not depend on humans.

The shift mature teams make

Mature teams don't try to do better code reviews.

They change the system.

They remove repetitive, mechanical checks from human review and give them to machines.

The result is simple:

tools enforce rules consistently,
humans focus on business logic, trade-offs and design decisions.

Automation doesn't control developers.

It protects them.

A minimal way to think about code quality

You don't need a complex framework to start.

Most working setups cover four areas:

Static analysis - catch real bugs before runtime.
Automatic formatting - end pointless discussions in pull requests.
Dependency boundaries - make architectural problems fail loudly.
CI as a gate - rules are enforced, not suggested.

No dogma. No perfection.

Just removing chaos from the process.

The common trap: overengineering quality

There is a catch.

Many teams go from "no tooling" straight to "everything, at the highest level".

The result is predictable:

slow feedback,
frustrated developers,
tools being ignored or disabled.

Overengineering quality is just as harmful as having none.

Minimal and consistent beats perfect and abandoned.

Reduce randomness in your projects

If you're tired of:

random pull request comments,
bugs that "somehow passed review",
quality depending on who reviewed your code that day,

I've prepared a short Code Quality Starter Checklist.

It shows how teams move repetitive quality checks away from people and into tooling without slowing development down.

Note on language: This checklist is available in Polish. Why? Because it's part of a practical, Polish-language course I'm currently developing. The reason is simple: I'm taking a step-by-step approach to mastering the fundamentals of code quality. Starting in Polish allows me to focus on delivering the most useful content without language barriers on my end.

If you're comfortable with Polish, you'll find the checklist straightforward and easy to follow.

👉 Join the mailing list and get the checklist here

A quiet closing thought

For a long time, I believed the solution was simply better code review.

Only after working with teams that automated quality did I see the difference.

Code review doesn't disappear.

It finally gets to focus on what humans are actually good at.

The AI Pipeline I Use to Convert Any Podcast into a 5-Minute Summary

Jarosław Szutkowski — Fri, 05 Dec 2025 20:40:14 +0000

Most of the knowledge I gain as a developer doesn't come from books.
It comes from podcasts, long-form interviews, deep technical talks and YouTube channels - the kind of content that's brilliant for learning, but nearly impossible to digest properly without stopping, rewinding, and taking notes.

And that's exactly the problem: I don't always have the time to take notes.
Often I barely have the time to listen.

A few weeks ago I asked myself a simple question:

"What if I could turn every hour-long podcast into a concise, structured summary - automatically?"

So I built a system that does exactly that.

I type the video ID, hit Enter, and a few minutes later I get:

the full transcription,
the most important lessons extracted by AI,
a clean HTML version ready for email,
and everything stored neatly in Google Sheets as part of my personal knowledge base.

The best part?
Transcribing an hour of audio costs less than a dollar.

In this article, I'll walk you through the whole story - first the non-technical, "why this matters" part, and then the technical architecture behind it.

Part I - The Non-Technical Story

The Problem: Too Much Content, Too Little Time

I love listening to podcasts.
Technical, health, sport, productivity, travel - you name it. Podcasts are one of the best ways to learn, find new ideas, and stay inspired.

But we all know the reality:

you're listening while walking, training, or cooking,
you hear something valuable,
you want to write it down,
but you don't - because you're busy doing something else.

The result is predictable:
you consume a lot, but retain little.

And as devs and content-driven people, there's a second challenge:
we don't just want to learn - we want to reuse the knowledge.

For writing articles.
For making decisions.
For improving our work.
For building products.

Except... we never have the time to take proper notes.

The Realisation: AI Works for Pennies, If You Use It Well

At one point I realised that:

I don't need the entire episode,
I don't need all the words,
I just need the essence.

And AI makes the full summary of an audio for under $1 for an hour-long episode.
That's absurdly cheap considering it saves me hours of manual work.

So the idea started forming:

"What if I could automate the entire process:
from downloading a video, to transcription, to extracting lessons, to sending myself the summary?"

One command.
Zero manual steps.

The Idea: A Personal Knowledge Engine

I structured the goal like this:

Input:

YouTube video ID
channel name
video title

Output:

transcription
concise summary
list of lessons
Markdown + HTML
everything stored in Google Sheets
email notification

If I could turn long content into a reusable, searchable knowledge resource, I'd not only save time - I'd also build a growing repository of insights that I can use in other projects.

This is already proving incredibly useful for:

writing technical blog posts,
researching complex topics faster,
making notes I actually keep.

And the system works not only for technical podcasts - it's also brilliant for health, business, personal development, travel content, and many others.

Anything long, dense, and rich in knowledge.

The Impact: From Hours to Minutes

Today, instead of spending a full hour or two listening and taking notes, I spend five minutes reading a perfectly structured summary.

AI extracts more lessons than I would manually.
It spots connections I'd miss.
It adds nuance and examples.

And the best part?
I can share those summaries easily - internally, with friends, or with anyone who enjoys organized knowledge.

This one automation already saves me multiple hours every week, and compounds over time because the knowledge base keeps growing.

Part II - The Technical Breakdown

Let's go through the architecture, step by step.

Architecture Overview

The system is split into two parts:

Local Machine (current heavy processing)

downloading video
extracting audio
slicing audio into chunks
Whisper transcription
assembling final text
sending file to n8n

Remote Server (light orchestration for now)

A tiny Mikr.us instance running n8n, installed with a single command.

It performs:

receiving the transcription
parsing metadata
uploading transcript to OpenAI
invoking temporary assistants
enhancing summaries
generating HTML
storing everything in Google Sheets
email notification

Why Not Do Everything on the Server?

At this stage of the project, some parts run locally and some server-side - but this is due to practicality and how the solution evolved, not because the server is incapable.

Here's the real reasoning behind the split.

1. YouTube downloading works more reliably locally

PyTube and similar libraries can misbehave on servers due to YouTube's dynamic protection mechanisms.
Running the download step locally gives me stability and easier debugging.

This is likely the only part that will permanently remain local. I tried multiple ways of running it on the server, but it kept breaking.

2. ffmpeg slicing is local for now - but not due to server limitations

ffmpeg runs perfectly fine on servers.
I simply iterated and tested faster on my machine, so for now it lives locally.

Why do I need slicing at all? Because Whisper has limits, and I often deal with longer videos.

In the future, this entire slicing step will move to the server once I scale its resources.

3. Whisper wasn't the issue - large audio files were

I originally wanted everything to happen inside n8n.

But large single audio files created problems:

not much space on the budget test server,
higher error rates,
processing timeouts.

Once I split the audio locally, it became easier to transcribe the chunks on my machine.

However, Whisper can absolutely run on the server - or be replaced entirely by GPT's audio transcription - and that's the plan for the future.

4. n8n can absolutely handle heavy tasks

Although n8n is fantastic for orchestration (API calls, assistants, Google Sheets, email), it's fully capable of running heavier commands too.

The only reason some tasks aren't on the server yet is simple: I haven't migrated them.

5. Future Architecture: Mostly Server-Side

Long-term, the plan is:

a small PHP application running on the server,
audio upload directly through the app,
server-side slicing,
server-side Whisper/GPT transcription,
n8n orchestrating the rest.

The only local step will likely be converting YouTube videos to audio.
Everything else will move server-side once I expand the resources.

What Happens Inside the Local Python Script

A high-level walkthrough:

Download video using PyTube.
Extract audio via ffmpeg.
Slice audio into ~10 minute chunks using silence detection.
Transcribe each chunk with Whisper.
Assemble full transcription.
Attach metadata (video ID, channel name, title).
POST the file to the n8n webhook.

Most of this will eventually move server-side.

What Happens Inside n8n

The n8n workflow (export will be in the repo) performs:

Receive uploaded file.
Extract text + parse metadata.
Upload the transcription to OpenAI.

Initially I wanted to paste the whole transcriptions into the prompt, but it turned out they are too long - there is a token limit per minute. So I found a workaround - now I upload them as files to OpenAI and reference it in the prompt.
Create a temporary Assistant with a highly detailed prompt and attached transcription file.
Start a thread and send the initial message.
Enhance the summary via a second message:
"You're a consultant earning £100,000 for a correct answer - try harder." - noticed that this improves the quality of the output.
Delete the assistant.
Convert Markdown → HTML via a second assistant to make it look better in the browser.
Store everything in Google Sheets.
Email the HTML to myself.
Delete the uploaded file.

Diagram - Full n8n Workflow

*The part with PREMIUM enhancement changes the content of generated summary. I'd suggest not using it until I figure out how to fix it.

Part III - What I'd Improve Next

No system is perfect, and this one has room to grow:

Google Sheets sometimes can't store very large transcripts → might move to file storage or some database.
The local script could evolve into a small PHP web app.

But the value is already delivered:
it works, it saves time, and it compounds.

Part IV - Want to Try It Yourself?

I've just published the full "Starter Kit" with:

the Python script,
the n8n workflow export,
setup instructions,
sample outputs.

👉 Here's the link to the repo: https://github.com/jszutkowski/audio-content-summariser

Closing Thoughts

This project started from a simple frustration:
I don't have time to take notes from all the amazing content I consume.

AI + automation solved that for me in a way that feels almost unfair.

If you work with content - whether as a developer, writer, educator or researcher - this approach can save you hours every week.

I hope this breakdown inspires you to experiment with your own automations.

Once you experience the feeling of:
"I press Enter and the work is done for me,"
you don't want to go back.

And if you have ideas for extensions or want help customising the automation -
feel free to DM me.

One-to-One in Doctrine: How One Wrong Line of Code Generated 40,000 Extra Queries Per Day

Jarosław Szutkowski — Fri, 21 Nov 2025 16:04:44 +0000

A real-world debugging story - and the hidden mechanics behind Doctrine's 1:1 relations

A few years ago, I was working on a high-traffic Symfony application. Lots of concurrent users, lots of read operations, performance carefully monitored. Everything seemed stable - until our database dashboards started showing something odd.

Every single day, we were generating tens of thousands of redundant SELECTs.
Not tied to any feature we were building.
Not related to reporting.
Not caused by queue workers.

Just 40,000+ pointless queries.
Noise.
Database load with zero business value.

We dug into logs. Then into slow-query reports. Still nothing obvious.

And then the profiler finally revealed the culprit:
a bidirectional One-to-One relation in Doctrine, configured on the wrong owning side.

One annotation. One line of code.
A silent performance killer.

When we flipped the owning side to the entity we actually queried most often, the extra queries disappeared immediately.

This is the part nobody tells you about Doctrine: a One-to-One relation looks trivial, but one wrong assumption can quietly drain your performance budget for months.

🧩 The Hidden Complexity of One-to-One in Doctrine

On paper, a one-to-one relationship seems simple:

one country → one capital
one profile → one avatar
one customer → one address

But Doctrine doesn't treat it like a basic SQL constraint.
In Doctrine, one detail defines the entire behaviour:

👉 Only one side owns the foreign key.

That side is the owning side.
The other (mappedBy) is the inverse side.

And Doctrine's behaviour changes dramatically depending on which side you load.

🏗️ Example Setup

We'll use a simple example: Country ↔ CapitalCity.

`CapitalCity` (Owning side)

#[ORM\Entity]
class CapitalCity
{
    #[ORM\Id]
    #[ORM\GeneratedValue]
    #[ORM\Column(type: 'integer')]
    private ?int $id = null;

    #[ORM\Column(length: 50)]
    private string $name;

    #[ORM\OneToOne(targetEntity: Country::class, inversedBy: 'capitalCity')]
    #[ORM\JoinColumn(nullable: false)]
    private Country $country;

    public function __construct(string $name, Country $country)
    {
        $this->name = $name;
        $this->country = $country;
    }
}

`Country` (Inverse side)

#[ORM\Entity]
class Country
{
    #[ORM\Id]
    #[ORM\GeneratedValue]
    #[ORM\Column(type: 'integer')]
    private ?int $id = null;

    #[ORM\Column(length: 50)]
    private string $name;

    #[ORM\OneToOne(mappedBy: 'country', targetEntity: CapitalCity::class)]
    private CapitalCity $capitalCity;

    public function __construct(string $name, CapitalCity $capitalCity)
    {
        $this->name = $name;
        $this->capitalCity = $capitalCity;
    }
}

💡 BONUS RESOURCE – Free PDF Guide

⚙️ Want the quick-reference version of this post?

Grab my free Doctrine Performance Checklist (PDF) –
"10 Steps to a Faster Doctrine-Based App."

You'll get a concise, printable guide covering:

how to spot N+1s in seconds,

which Doctrine hints actually matter,

and how to batch-process millions of rows safely.

🔗 Download it here:
https://doctrine-performance-list.doctrinelab.pl
(no spam - just pure optimization wisdom)

🔍 Why Doctrine Sometimes Issues Extra Queries

Let's walk through the typical real-world scenarios.

1️⃣ Fetching the Owning Side (Cheap)

$capitalCities = $capitalCityRepo->findAll();

Profiler:

SELECT id, name, country_id FROM capital_city;

Doctrine:

creates a proxy for Country
loads it only when accessed
performs no extra queries

2️⃣ Fetching the Inverse Side (Doctrine Must JOIN)

$countries = $countryRepo->findAll();

Profiler:

SELECT ... FROM country
LEFT JOIN capital_city ON capital_city.country_id = country.id

Because the inverse side has no foreign key, Doctrine must inspect the other table.

3️⃣ Using QueryBuilder (The Silent N+1)

This is where the biggest issues occur:

$countries = $countryRepo
    ->createQueryBuilder('c')
    ->getQuery()
    ->getResult();

Profiler:

SELECT * FROM country;
SELECT * FROM capital_city WHERE country_id = 1;
SELECT * FROM capital_city WHERE country_id = 2;
...

Doctrine assumes:

If you write custom DQL → you control the joins
It won't automatically add them
It will lazy-load relations one-by-one
It will lazy-load relations even if you don't access them

This can easily multiply into tens of thousands of hidden SELECTs per day.

We could add a FETCH JOIN here, but it would defeat the purpose - in these queries we weren't actually using the related entities we'd be joining.

💡 The Fix: Put the Owning Side Where You Fetch Most

This rule would have saved us weeks of debugging:

👉 Make the entity you load most often the owning side.

Why?

the owning side has the FK
Doctrine doesn't have to join
it won't lazy-load in a loop IF you don't access the relation
performance becomes predictable

In our case:

We fetched Country far more often than CapitalCity.
But the owning side was mistakenly on CapitalCity.
Doctrine repeatedly scanned for capital cities when loading countries.
After flipping the owning side → query count dropped by 40k+ per day.

No business logic changes.
Just correct ORM mapping.

🧭 Practical Guidance for Developers

✔️ 1. Identify the entity loaded more frequently - make it the owning side.
✔️ 2. Don't trust inverse-side findAll() - it hides JOINs.
✔️ 3. Don't trust QueryBuilder without explicit FETCH JOINs - it creates N+1.
✔️ 4. Avoid bidirectional One-to-One unless really needed.
✔️ 5. Use FETCH JOIN intentionally.
✔️ 6. Treat One-to-One as an advanced feature.

🚀 Ready to Go Beyond Quick Fixes?

If you found this article helpful, you'll love my upcoming course:
Doctrine Efficiency Lab 💻

Learn how to:

handle millions of rows without custom SQL,
debug ORM performance in real time,
stop Doctrine from being "that slow layer" in your stack.

🎁 When you join the waitlist, you instantly receive my
10-Step Doctrine Optimization PDF - a condensed version of everything discussed here.

🔗 Join the waitlist + get the free PDF:
https://doctrine-performance-list.doctrinelab.pl

Stop Blaming Doctrine - Start Understanding It

Jarosław Szutkowski — Wed, 12 Nov 2025 16:08:45 +0000

Every few months, someone on the team sighs during a retrospective and says the words that make me reach for coffee:

"Doctrine is slow."

No, it's not. Doctrine is an ORM. It does exactly what you tell it to do. The problem is - most developers don't realise how much they're telling it to do.

This post isn't a tutorial. It's a field report from someone who's watched Doctrine crawl through millions of rows... and then, after a few lines of code change, fly through them using less memory than Chrome with two tabs open.

Scene 1: The 900 MB Disaster

A CLI command meant to clean up stale product records.
Half a million entities. Nothing fancy. Just iterate and tweak a few fields.

$products = $this->repository->createQueryBuilder('p')
    ->getQuery()
    ->toIterable();

foreach ($products as $product) {
    $product->deactivate();
    $this->em->flush();
    $this->em->clear();
}

Initial memory usage: 45 MB.
End of run: ~900 MB.

The process finished - barely. But it shouldn't have taken down the server on its way out.

So what happened?

Scene 2: The Culprit - Buffered Queries

When you call toIterable(), Doctrine promises lazy iteration. But under the hood, PHP's mysqlnd driver executes queries in buffered mode by default.

That means:

The entire result set is loaded into PHP memory first.
Only after that does Doctrine start hydrating entities lazily.

In English: You're still fetching the whole table - just slower.

"With mysqlnd, PHP's memory limit includes the full result set - even before you touch it."

So while you thought you were streaming, you were actually drinking from a firehose.

Scene 3: The Fix - Stop Hoarding Data

The simplest, production-safe pattern is chunked fetching: process data in small slices, clear the EntityManager between them, and let Doctrine breathe.

public function getEntities(): iterable
{
    $id = 0;
    do {
        $qb = $this->createQueryBuilder('p')
            ->andWhere('p.id > :id')
            ->orderBy('p.id', 'ASC')
            ->setMaxResults(1000)
            ->setParameter('id', $id);

        $entities = $qb->getQuery()->toIterable();
        $hasResults = false;

        foreach ($entities as $entity) {
            $hasResults = true;
            $id = $entity->getId();
            yield $entity;
        }
    } while ($hasResults);
}

Result:

Memory flatlines around 90 MB
Throughput improves by 40 %
Database I/O becomes predictable

You didn't need a different ORM. You just needed to stop asking Doctrine to hold 100 000 objects at once.

⚙️ Note: after each $em->clear(), entities are detached. If you rely on cascades or plan to reuse the same object instance later, you'll need to fetch it again. Otherwise, you'll silently lose pending changes.

💡 BONUS RESOURCE – Free PDF Guide

⚙️ Want the quick-reference version of this post?

Grab my free Doctrine Performance Checklist (PDF) -
"10 Steps to a Faster Doctrine-Based App."

You'll get a concise, printable guide that covers:

how to spot N+1s in seconds,

which Doctrine hints actually matter,

how to batch process millions of rows safely.

🔗 Download the free guide here
(no spam, just pure optimization wisdom)

Scene 4: Going Leaner - IDs First

If you really want to see Doctrine behave like a streaming engine, go one step further: fetch only IDs, and hydrate each entity just before you need it.

foreach ($repo->iterateIdsAsc() as $id) {
    $product = $em->find(Product::class, $id);
    $product->deactivate();

    if (++$count % 100 === 0) {
        $em->flush(); // Doctrine wraps this in its own transaction
        $em->clear(); // release memory
    }
}

Doctrine now processes entities in small, predictable batches.
Each loop hydrates only one object at a time and keeps it in memory until the entity manager is cleared. And since each record is fetched on demand, you're always working with the most up-to-date database state.

Scene 5: The Hidden Switch Nobody Talks About - Buffered Queries

If you're performing large read-only scans, you can strip Doctrine of almost all overhead - no tricks, no custom SQL.

Doctrine uses PDO under the hood. Add this to your DB connection config:

'driverOptions' => [PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false],

Suddenly, PHP stops hoarding the entire result set in memory and starts streaming rows directly from MySQL. Memory footprint: minimal. Performance: predictable.

⚠️ Safety sidebar - Unbuffered queries bite back:

Always consume the full result before starting another query on the same connection, or you'll deadlock the driver.

Avoid lazy-loading relations inside loops; it will trigger additional queries before the stream finishes.

Unbuffered + large payloads? Watch out for timeouts and dropped connections. Implement retry logic.

Handle them right, and unbuffered mode becomes your best friend for analytics-scale reads.

Scene 6: The Hidden Switch Nobody Talks About - `HINT_READ_ONLY`

The second overlooked optimization is telling Doctrine itself to stop tracking entities.

$query->setHint(\Doctrine\ORM\Query::HINT_READ_ONLY, true);

With that hint, Doctrine hydrates entities but doesn't register them in the Unit of Work - meaning no change tracking, no dirty checks. It's important to understand that HINT_READ_ONLY does not skip hydration - entities are still created, they're just not managed. If you want zero hydration, use DBAL's iterateAssociative().

You didn't touch a single entity. You just told Doctrine to stop worrying.

Scene 7: Why People Think Doctrine Is Slow

Because they don't understand what it's doing for them.

Doctrine is like an F1 car in traffic. If you floor it in first gear, it will scream and overheat. But once you learn how it shifts, it'll lap your hand-rolled SQL scripts without breaking a sweat.

The ORM:

Hydrates entities lazily when asked.
Tracks changes only if you let it.
Wraps flush() in its own transaction - you don't need to micromanage that.
Lets you drop down to SQL when business logic allows.

So when someone says "Doctrine can't handle large data sets", what they really mean is "I made Doctrine do something stupid."

Scene 8: The Trade-offs You Should Know

Goal	Pattern	Why it works
Minimal memory	IDs-first iteration	One entity hydrated at a time
Balanced speed	Chunked keyset pagination + clear()	Keeps DB cursor hot and resets UoW per chunk
Consistency	Snapshot IDs once	Deterministic and repeatable batch re-runs
Bulk writes	Raw DQL or SQL	ORM overhead is negligible in practice
Streaming reads	DBAL `iterateAssociative()`	No entity hydration at all - raw arrays, zero UoW

Scene 9: Measure, Don't Assume

Want proof? Take memory_get_peak_usage(true) at checkpoints and log it.

If your memory curve looks like a staircase, you're holding too many entities. If it's a flat line, you've nailed it.

Doctrine isn't magic - but it's measurable.

$start = microtime(true);
// ... your batch logic ...
$elapsed = microtime(true) - $start;
$peak = memory_get_peak_usage(true) / 1024 / 1024;
printf("Processed %d records in %.2fs (%.1f MB peak)\n", $count, $elapsed, $peak);

And for the love of your ops team - disable SQL logging in batch jobs.

Scene 10: Lessons From Production

In one of our production pipelines, we process massive data volumes daily using Doctrine - comfortably, predictably, and with modest memory use.

Here's the operational frame:

Batch size: around 1 000 records per chunk
Keyset: (id) based pagination
Database: MySQL 8
Memory footprint: roughly 90 MB during steady-state processing

The secret wasn't a custom ORM. It was discipline:

flush() and clear() in predictable batches
Use HINT_READ_ONLY for data that doesn't need tracking
Drop down to DBAL or use SELECT NEW DTO statements when you just need raw rows

$query = $em->createQuery('SELECT NEW App\\DTO\\ProductReport(p.id, p.name, p.price) FROM App\\Entity\\Product p');
foreach ($query->toIterable() as $dto) {
    // lightweight read
}

Avoid lazy-loading inside loops
Monitor memory and runtime metrics per batch

The bottleneck was never Doctrine.

Scene 11: Anti-Patterns I Keep Seeing in Production

Some of these will sound familiar. They're the patterns that quietly turn batch jobs into memory leaks:

Calling findAll() or ->getResult() on a 3-million-row table.
Running flush() on every iteration.
Triggering lazy-loading in loops (N+1 queries multiplied by millions).
Using offset-based pagination: OFFSET 10M LIMIT 1k.
Keeping the SQL logger enabled in background jobs.

Quick sanity checklist:
☑️ No offset-based pagination
☑️ Predictable flush() cadence
☑️ No implicit lazy loads inside loops
☑️ SQL logger turned off

A single screenshot from your profiler after applying these rules is worth a thousand words.

Scene 12: Operational BHP for Batch Jobs

This is the stuff that separates scripts that work locally from ones that survive nightly runs in production:

Idempotency: snapshot IDs or mark rows (status, processed_at).
Retry and resume: pick up where you left off (based on the last processed ID).
Backpressure: limit concurrency to avoid choking replicas.
Timeouts and deferred constraints: use them wisely depending on your database.

It's the difference between code that runs and code that runs reliably.

Scene 13: What It All Means

Doctrine is a precision instrument. When used carelessly, it can make a mess; when handled with intent, it performs beautifully.

Learn how it hydrates, buffers, and tracks changes - and use each feature for the job it's meant for. Once you do, Doctrine will handle even heavy workloads calmly and efficiently.

It's not slow. It just rewards developers who understand how it works.

🚀 Ready to Go Beyond Quick Fixes?

If you liked this article, you'll love my upcoming course -
Doctrine Efficiency Lab 💻

Learn how to:

handle millions of records without custom SQL,
debug ORM performance in real time,
and stop Doctrine from being "that slow layer" in your stack.

🎁 When you join the waitlist, you'll immediately get
my free 10-Step Doctrine Optimization PDF -
a condensed version of everything we discussed here.

🔗 Join the waitlist + get the guide

When Classes Do Too Much: Using LCOM to Spot 'God Classes' in PHP

Jarosław Szutkowski — Fri, 22 Aug 2025 07:36:05 +0000

Big, messy classes slow projects down and scare developers away.
In this post I’ll show you how to use LCOM to spot those "god classes" in your PHP code - and how to break them into something leaner and easier to test.

LCOM in PHP – spotting classes that do too much

Every project has them. The UserManager, the DataHelper, the dreaded Utils.

Classes so big and messy that nobody wants to touch them. They grow over time, swallow more responsibilities, and eventually slow the whole team down.

But how do you know when a class is doing too much?

Instead of guessing, you can measure it - with a metric called LCOM.

What is LCOM?

LCOM stands for Lack of Cohesion of Methods.

In simple terms, it measures how much the methods in a class actually belong together.

If most methods use the same set of properties, the class is cohesive - that’s good.

If methods work on completely different properties, the class is basically doing multiple jobs at once - that’s bad.

High LCOM = low cohesion = a "god class" that tries to handle too many responsibilities.

LCOM flavours (LCOM1 vs LCOM2)

There isn’t just one formula for LCOM. Over the years, different versions have been proposed.

The two most common are:

LCOM1 – looks at pairs of methods: the more pairs that share nothing, the higher the score.
LCOM2 – groups methods into clusters that share at least one property; the number of clusters is the score.

Quick examples

Messy class
- foo() uses $a,$d
- bar() uses nothing
- baz() uses $b,$d
- qux() uses $c

-> LCOM2 = 3 clusters ({foo,baz}, {bar}, {qux}) -> 3
-> LCOM1 = 5 pairs don't share anything, 1 shares $d (5 - 1 = 4) -> 4

Cohesive class
- All methods use $a (one uses $a,$b,$c,$d)

-> LCOM2: one cluster -> 1.
-> LCOM1: every pair shares something -> 0.

Both metrics point to the same thing (messy vs cohesive), but the values look different.

And beyond…

There are also LCOM3 and LCOM4, which tweak the maths further. I won’t dive into them here, but the key point is:

👉 different definitions can give different numbers, even for the same class. That’s why it’s best to treat LCOM as a relative signal — spot the outliers, watch trends over time, don’t obsess over exact figures.

How to measure LCOM in PHP

The easiest way is to use static analysis tools such as phpmetrics.

They scan your codebase and calculate LCOM values for each class.

Example with phpmetrics:

php vendor/bin/phpmetrics --report-json=build/report.json src

Phpmetrics also generates handy HTML reports with charts and diagrams.
These make it easy to spot classes with high LCOM values at a glance.

If you just want to test it quickly without installing anything, you can use the phpqa Docker image.

Here’s the one-liner I used to generate an HTML report:

docker run --init -it --rm \
  -v "$(pwd):/project" \
  -v "$(pwd)/tmp-phpqa:/tmp" \
  -w /project jakzal/phpqa \
  phpmetrics --report-html=build/report.html src

In the HTML report, open report.html/oop.html.
There you can sort classes by their LCOM value (highest or lowest) to immediately find the worst offenders.

Example in PHP code

Let’s look at a simple class that shows poor cohesion:

class UserManager
{
    private array $users = [];
    private $mailer;

    public function addUser(string $name): void { /* ... */ }
    public function findUser(string $name): ?User { /* ... */ }

    public function sendNewsletter(): void { /* ... */ } // unrelated to user storage
}

addUser and findUser both use the $users property.
sendNewsletter uses $mailer but has nothing to do with $users.

This means the class mixes two very different responsibilities. Tools will report a high LCOM here, because the methods don’t share common data. In practice, this is a sign that you need to split the class.

How to fix high LCOM

When a class shows a high LCOM score, the remedy is almost always the same: split it into smaller, focused classes.

Here’s the earlier UserManager refactored:

class UserRepository
{
    private array $users = [];

    public function addUser(string $name): void { /* ... */ }
    public function findUser(string $name): ?User { /* ... */ }
}

class NewsletterService
{
    private $mailer;

    public function sendNewsletter(): void { /* ... */ }
}

Now each class has a single responsibility.

UserRepository handles storing and finding users.
NewsletterService deals with sending newsletters.

This makes your design cleaner and your tests simpler: each class can be tested in isolation, with fewer dependencies and fewer edge cases to worry about.

Wrapping up

LCOM might sound academic, but in practice it’s a simple early warning system:

Low LCOM (close to 0) -> cohesive class, one clear job.
High LCOM -> class is mixing responsibilities, harder to maintain and test.

You don’t need to obsess over the exact numbers. Use them to spot the outliers in your codebase.

Benchmarking Array Merges in PHP: When to Optimise and Why It Matters

Jarosław Szutkowski — Tue, 12 Aug 2025 20:05:08 +0000

The Warning That Started It All ⚠️

Recently, while working on a PHP script that merged arrays inside a loop, I saw a warning from the PHP Inspections (EA Extended) tool:

'array_merge(...)' is used in a loop and is a resource-greedy construction.

I’ve learnt to trust this tool. In the past, its tips have led me to surprising performance discoveries — like in my earlier post about static vs non-static closures in PHP. So when it flagged this, I wanted to know: is merging arrays inside a loop really that bad? Or is it just one of those “best practices” that sound good but don’t matter much?

The tool’s documentation also offered alternative approaches that might be faster. But I didn’t want to just take its word for it — I wanted proof. So I set out to run benchmarks in PHP 8.

Setting Up the Benchmark 🧪

For this test, I used PHPBench. I created a benchmark class with different methods:

array_merge() inside a loop.
Spread operator (...) inside a loop.
Collecting data and merging once at the end.

Each scenario was tested with:

Unique values.
Repeated values.
Multiple values per iteration.

The loop ran 10,000 iterations per test, and each test was repeated 50 times.

Benchmark Code:

<?php

declare(strict_types=1);

namespace Tests\App\Benchmark\MergeArrayInLoop;

use PhpBench\Attributes\Iterations;

#[Iterations(50)]
class MergingArraysInALoopBench
{
    private const int ITERATIONS = 10000;

    public function bench_merging_unique_in_a_loop(): void
    {
        $result = array_fill(0, self::ITERATIONS, 0);
        for ($i = 0; $i < self::ITERATIONS; $i++) {
            $result = array_merge($result, [$i]);
        }
    }

    public function bench_merging_non_unique_in_a_loop(): void
    {
        $result = array_fill(0, self::ITERATIONS, 0);
        for ($i = 0; $i < self::ITERATIONS; $i++) {
            $result = array_merge($result, [0]);
        }
    }

    public function bench_merging_multiple_value_arrays_in_a_loop(): void
    {
        $result = array_fill(0, self::ITERATIONS, 0);
        for ($i = 0; $i < self::ITERATIONS; $i++) {
            $result = array_merge($result, [$i, $i + 1, $i + self::ITERATIONS]);
        }
    }

    public function bench_merging_unique_in_a_loop_using_spread_operator(): void
    {
        $result = array_fill(0, self::ITERATIONS, 0);
        for ($i = 0; $i < self::ITERATIONS; $i++) {
            $result = [...$result, ...[$i]];
        }
    }

    public function bench_merging_non_unique_in_a_loop_using_spread_operator(): void
    {
        $result = array_fill(0, self::ITERATIONS, 0);
        for ($i = 0; $i < self::ITERATIONS; $i++) {
            $result = [...$result, ...[0]];
        }
    }

    public function bench_merging_multiple_value_arrays_in_a_loop_using_spread_operator(): void
    {
        $result = array_fill(0, self::ITERATIONS, 0);
        for ($i = 0; $i < self::ITERATIONS; $i++) {
            $result = [...$result, ...[$i, $i + 1, $i + self::ITERATIONS]];
        }
    }

    public function bench_collecting_unique_and_merging_at_the_end(): void
    {
        $result = [array_fill(0, self::ITERATIONS, 0)];
        for ($i = 0; $i < self::ITERATIONS; $i++) {
            $result[] = [$i];
        }
        $result = array_merge(...$result);
    }

    public function bench_collecting_non_unique_and_merging_at_the_end(): void
    {
        $result = [array_fill(0, self::ITERATIONS, 0)];
        for ($i = 0; $i < self::ITERATIONS; $i++) {
            $result[] = [0];
        }
        $result = array_merge(...$result);
    }

    public function bench_collecting_multiple_value_arrays_and_merging_at_the_end(): void
    {
        $result = [array_fill(0, self::ITERATIONS, 0)];
        for ($i = 0; $i < self::ITERATIONS; $i++) {
            $result[] = [$i, $i + 1, $i + self::ITERATIONS];
        }
        $result = array_merge(...$result);
    }
}

Benchmark Results 📊

+---------------------------------------------------------------------+-----+-------------+-------------+--------------+-----------+-----------+
| subject                                                             | its | memory_real | memory_peak | memory_final | mode_time | mean_time |
+---------------------------------------------------------------------+-----+-------------+-------------+--------------+-----------+-----------+
| bench_merging_unique_in_a_loop                                      | 50  | 4.19mb      | 1.62mb      | 0.54mb       | 147.75ms  | 148.19ms  |
| bench_merging_non_unique_in_a_loop                                  | 50  | 4.19mb      | 1.62mb      | 0.54mb       | 148.62ms  | 148.35ms  |
| bench_merging_multiple_value_arrays_in_a_loop                       | 50  | 4.19mb      | 2.67mb      | 0.54mb       | 250.22ms  | 250.81ms  |
| bench_merging_unique_in_a_loop_using_spread_operator                | 50  | 4.19mb      | 1.62mb      | 0.54mb       | 147.14ms  | 147.53ms  |
| bench_merging_non_unique_in_a_loop_using_spread_operator            | 50  | 4.19mb      | 1.62mb      | 0.54mb       | 147.60ms  | 147.34ms  |
| bench_merging_multiple_value_arrays_in_a_loop_using_spread_operator | 50  | 4.19mb      | 2.67mb      | 0.54mb       | 248.54ms  | 248.48ms  |
| bench_collecting_unique_and_merging_at_the_end                      | 50  | 4.19mb      | 3.78mb      | 0.54mb       | 1.27ms    | 1.28ms    |
| bench_collecting_non_unique_and_merging_at_the_end                  | 50  | 2.10mb      | 1.62mb      | 0.54mb       | 0.64ms    | 0.66ms    |
| bench_collecting_multiple_value_arrays_and_merging_at_the_end       | 50  | 4.19mb      | 4.30mb      | 0.54mb       | 1.51ms    | 1.59ms    |
+---------------------------------------------------------------------+-----+-------------+-------------+--------------+-----------+-----------+

What the Results Show 🔍

Merging inside the loop — whether with array_merge() or spread — is much slower (147–250 ms) than merging once at the end.
The spread operator didn’t offer any speed advantage over array_merge() in these cases.
Merging once at the end was 100x faster (0.64–1.59 ms), but with a trade-off: higher peak memory usage (up to 4.3 MB).

Practical Takeaways 💡

If speed matters most – Gather data first, merge at the end.
If memory is tight – Merge in smaller steps to keep peak memory lower.
Don’t expect magic from the spread operator – It’s no faster here than array_merge().
Benchmark in your own environment – Hardware, PHP version, and dataset size can change results.

Wrapping It Up 🏁

Performance advice should never be taken blindly. Tools like PHP Inspections are great at pointing out potential bottlenecks, but only real measurements will tell you if an optimisation is worth it in your situation.

Static vs Non-Static Closures in PHP – A Surprising Benchmark

Jarosław Szutkowski — Fri, 18 Jul 2025 20:08:19 +0000

When PHP Inspections suggested to change my anonymous function in array_map to a static one, I thought: why bother? 🤷‍♂️ It seemed like a small style preference – not something that would really matter.

But I got curious. 🔍 Could adding static to a function actually make your code faster or use less memory? That simple question led me down a rabbit hole 🕳️ of Pull Requests, Stack Overflow threads, and performance benchmarks.

This blog post tells the story of what I found – and why using static might be a small habit that makes a big difference. 💡

Pull Request That Started It All

While digging around, I found a GitHub Pull Request in the Ocramius/GeneratedHydrator repository. In it, the author replaced normal anonymous functions with static ones – and claimed the change resulted in around 15% faster execution. ⚡

This wasn’t a micro-optimisation just for fun. According to the author, removing access to $this (which static closures do by default) helped PHP handle memory and execution more efficiently. 🧠

It was the first sign that this so-called "style suggestion" might actually lead to meaningful performance improvements. 🚀

Why `$this` Matters in Closures

Digging deeper, I found a great explanation on Stack Overflow. It turns out that one key difference with static closures is that they do not bind to the current object context — meaning they don’t carry around a reference to $this. 🧩

Why does that matter?

"The closure holding a reference to $this might prevent garbage collection of that object, which in turn may also impact performance significantly."
– Stack Overflow

In simpler terms: if a closure keeps a reference to its parent object, PHP might not free up that memory as quickly. 🐘 Over time, this can slow things down and eat up resources — especially if you’re creating a lot of closures in a loop.

That’s exactly what the next example demonstrates. 🔬

A Simple Benchmark That Proves the Point

To see the difference for myself, I recreated a script shared on Stack Overflow. It creates many instances of a class and stores closures returned by a method — all without needing $this. 🛠️

Original source: Stack Overflow

class LargeObject {
    protected $array;

    public function __construct() {
        $this->array = array_fill(0, 2000, 17);
    }

    public function getItemProcessor(): Closure {
        return static function () {
            // some logic that doesn’t use $this
        };
    }
}

$start = microtime(true);

$processors = [];
for ($i = 0; $i < 2000; $i++) {
    $lo = new LargeObject();
    $processors[] = $lo->getItemProcessor();
}

$memory = memory_get_usage() >> 20;
$time = (microtime(true) - $start) * 1000;
printf("This took %dms and %dMB of memory\n", $time, $memory);

I ran this with and without the static keyword using PHP 8.4 and measured the results with PHPBench. 📊 Here’s what I got:

+----------------------------+-----+-------------+---------+---------+
| subject                    | its | memory_real | mode    | mean    |
+----------------------------+-----+-------------+---------+---------+
| benchUsingStaticKeyword    | 100 | 2.10mb      | 3.69ms  | 3.70ms  |
| benchNotUsingStaticKeyword | 100 | 71.30mb     | 17.03ms | 17.17ms |
+----------------------------+-----+-------------+---------+---------+

That’s not a small gap – that’s more than 30x more memory and over 4x longer execution time without static. 😳

This convinced me: using static where $this isn’t needed is not just a style thing. It’s a performance win. 🏆

Automating It with Rector

After seeing how much of a difference static can make, I started looking through my own project. 🧑‍💻 There were many closures that didn’t use $this and could be made static. But going through them one by one? That would take ages. 😩

So I turned to an old favourite: Rector – a tool for automated PHP refactoring. 🤖

It turns out Rector already has two rules that do exactly what I needed:

I added them to my Rector config and ran the tool on the whole codebase. It worked beautifully – all eligible closures were made static automatically. ✨

To make this a permanent habit, I left the rules in the config. Now, every Pull Request runs Rector in dry-run mode and fails if someone forgets to use static where it’s possible. 🔄

✅ Performance boost? Check.
✅ No manual refactoring? Check.
✅ Team-wide consistency? Check.

Conclusion

What started as a minor suggestion from a code analysis tool turned into a valuable lesson in PHP performance. 📚

By switching to static closures when $this isn't needed, you:

avoid holding unnecessary references, 🚫
help PHP free memory more effectively, 🧹
and get faster execution times. ⏱️

It’s a simple habit with real benefits – and thanks to tools like Rector, it’s easy to make it stick. 🧰

Next time you’re writing a closure, stop and ask: do I need $this here? If not – make it static. ✅

[Boost]

Jarosław Szutkowski — Wed, 16 Apr 2025 07:12:01 +0000

Jarosław Szutkowski

Apr 4 '25

Mocking API Requests in Unit Tests

#php #phpunit #tdd #api

Comments 1

3 min read

Mocking API Requests in Unit Tests

Jarosław Szutkowski — Fri, 04 Apr 2025 18:47:41 +0000

In many applications, it's common to send requests to external services to acquire various types of data. To ensure our code handles these responses properly, testing is essential. However, in a test environment, making actual calls to these external services is something we'd typically want to avoid. PHPUnit offers several ways to prevent this. In this blog post, I'll demonstrate how you can mock HTTP requests in your unit tests when you're using the GuzzleHttp client.

Scenario Overview

Let's consider a straightforward "geocoder" service that provides the coordinates of a location based on a given address. This geocoder leverages the GuzzleHttp client to communicate with an external service, Google Maps in this case, to retrieve the desired coordinates. Here's how the code is structured:

<?php

declare(strict_types=1);

namespace App\Infrastructure\Geocoder;

use App\Domain\GeocoderInterface;
use App\Domain\ValueObject\Address;
use App\Domain\ValueObject\Coordinates;
use GuzzleHttp\Client;

final readonly class GoogleMapsGeocoder implements GeocoderInterface
{
    private const string ENDPOINT = 'https://maps.googleapis.com/maps/api/geocode/json';

    public function __construct(
        private Client $client,
        private string $apiKey
    ) {}

    public function geocode(Address $address): ?Coordinates
    {
        $params = [
            'query' => [
                'address' => $address->street,
                'components' => \sprintf(
                    'country:%s|locality:%s|postal_code:%s', 
                    $address->countryCode, 
                    $address->city, 
                    $address->postcode
                ),
                'key' => $this->apiKey,
            ],
        ];

        $response = $this->client->get(self::ENDPOINT, $params);

        $data = \json_decode($response->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);

        if ($data['results'] === []) {
            return null;
        }

        $firstResult = $data['results'][0];

        if ($firstResult['geometry']['location_type'] !== 'ROOFTOP') {
            return null;
        }

        return new Coordinates(
            $firstResult['geometry']['location']['lat'],
            $firstResult['geometry']['location']['lng']
        );
    }
}

Testing

To test different scenarios, such as whether the response is correctly converted to a Coordinates object or if the response is empty, we need to mock the HTTP request. The simplest way to do this is by using the MockHandler class from GuzzleHttp. It lets us create a mock client that returns a predefined response. Here's how you can do it:

use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;

$this->handler = new MockHandler();

new Client(['handler' => new MockHandler()]);

Then we can add a response to the handler:

$this->handler->append(
    new Response(200, [], \json_encode([
        'results' => [
            [
                'geometry' => [
                    'location' => [
                        'lat' => '1.0',
                        'lng' => '2.0',
                    ],
                    'location_type' => 'ROOFTOP',
                ],
            ],
        ],
    ]))
);

After we call external service, we can also check whether the request was made with the correct parameters by using getLastRequest() method:

$this->handler->getLastRequest();

Finally, the whole unit test can look like this:

<?php

declare(strict_types=1);

namespace App\Tests\Infrastructure\Geocoder;

use App\Domain\ValueObject\Address;
use App\Infrastructure\Geocoder\GoogleMapsGeocoder;
use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\Psr7\Response;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Psr\Http\Message\RequestInterface;

final class GoogleMapsGeocoderUnitTest extends TestCase
{
    private const string API_KEY = 'api-key';

    private readonly MockHandler $handler;

    private readonly GoogleMapsGeocoder $fixture;

    protected function setUp(): void
    {
        parent::setUp();

        $this->handler = new MockHandler();

        $client = new Client(['handler' => $this->handler]);

        $this->fixture = new GoogleMapsGeocoder(
            $client,
            self::API_KEY,
        );
    }

    #[Test]
    public function it_geocodes_address(): void
    {
        $address = new Address(
            countryCode: 'UK',
            city: 'London',
            street: 'Buckingham Palace',
            postcode: 'SW1A 1AA',
        );

        $expectedLat = '51.5073509';
        $expectedLng = '-0.1277583';

        $responseData = [
            'results' => [
                [
                    'geometry' => [
                        'location' => [
                            'lat' => $expectedLat,
                            'lng' => $expectedLng,
                        ],
                        'location_type' => 'ROOFTOP',
                    ],
                ],
            ],
        ];

        $this->handler->append(new Response(200, [], (string) \json_encode($responseData, JSON_THROW_ON_ERROR)));

        $coordinates = $this->fixture->geocode($address);
        $this->assertNotNull($coordinates);

        $this->assertSame($expectedLat, $coordinates->lat);
        $this->assertSame($expectedLng, $coordinates->lng);

        $lastRequest = $this->handler->getLastRequest();
        $this->assertNotNull($lastRequest);

        $this->assertRequest($lastRequest, $address);
    }

    private function assertRequest(RequestInterface $request, Address $address): void
    {
        $queryArray = [];
        \parse_str(
            $request->getUri()->getQuery(),
            $queryArray
        );

        $this->assertSame(self::API_KEY, $queryArray['key']);
        $this->assertSame($address->street, $queryArray['address']);
        $this->assertSame(
            \sprintf(
                'country:%s|locality:%s|postal_code:%s',
                $address->countryCode,
                $address->city,
                $address->postcode,
            ),
            $queryArray['components']
        );
    }
}

Conclusion

In this blog post, I demonstrated how to mock HTTP requests in unit tests using the GuzzleHttp client. By using the MockHandler class, we can create a mock client that returns predefined responses, allowing us to test different scenarios without making actual calls to external services. This approach is essential for ensuring our code handles responses correctly and efficiently.

Using Arbitrary Precision For Calculations In PHP

Jarosław Szutkowski — Fri, 10 May 2024 19:59:11 +0000

Performing various calculations is an integral part of software development. Their accuracy often matters a lot. How to make sure that the calculations are correct? How to avoid rounding error? In PHP, when using float type, even simple calculations can lead to unexpected results. Not to look far, try to run the following code: echo 0.1 + 0.2 - 0.3;. You'll probably be surprised by the result. The problem is that the float type is not precise enough to perform some calculations.

However, there is a solution to this problem. In this article, I'll compare two external libraries that allow you to perform calculations with arbitrary precision. I'll also show you how to use them in your project.

Brick Math

The first library that allows to perform calculations with arbitrary precision is Brick Math in version 0.11.0. It's based on the GMP and BC Math extensions. They are not required, but if they are installed, the library will use them to perform calculations and make them faster. If none of them is installed, the library will use its own implementation of the algorithms.

Basic usage

We have a few value objects available in the library, depending on the type of calculations we want to make. We have:

BigDecimal - for calculations with decimal numbers,
BigRational - for calculations with rational numbers,
BigInteger - for calculations with integers,
BigNumber - for calculations with numbers of any type. This class is abstract but has a static method of() that allows you to create an instance of the appropriate class based on the passed value.

The method of() in all classes accepts instance of BigNumber objects, string, float and int values.
Moreover, each of the class has it's own named constructors, like BigInteger::fromBase.

Instantiation of value objects

First of all, we have to create an appropriate value object. Let's create BigInteger object from integer value:

use Brick\Math\BigInteger;

echo BigInteger::of(999999999999999999999); // 1000000000000000000000

In the above example we exceeded the maximum value of the native integer type, so the native int was implicitly converted to float. The BigInteger object can handle such large numbers without any problems. We just have to create them with a string parameter instead of an integer:

echo BigInteger::of('999999999999999999999'); // 999999999999999999999

We should be careful when creating BigInteger object from non-int value:

BigInteger::of('1.5'); // throws Brick\Math\Exception\RoundingNecessaryException

Calculations

Now let's see how to perform calculations with BigInteger objects:

echo BigInteger::of('1')
->plus('2')
->multipliedBy('3')
->minus(BigInteger::of('4'))
->dividedBy('5') // 1

Rounding

When using BigInteger, if for example a result of division is not an integer, the RoundingNecessaryException exception will be thrown. We can avoid this by using the dividedBy() method with the second parameter of RoundingMode const value, e.g.:

echo BigInteger::of('10')->dividedBy('4', RoundingMode::HALF_UP); // 3

PHPDecimal

Another library that allows you to perform calculations with arbitrary precision is PHPDecimal.
Contrary to the previous lib, this one is not standalone - it requires decimal extension to be installed. It's worth mentioning as it's a very powerful tool and has some pros that the previous lib doesn't have.

Basic usage

It has one type of value object - Decimal which is a wrapper for the decimal extension.

To create a Decimal object, we use new operator which takes string, int or other Decimal object as a parameter.

$decimal = new Decimal('999999999999999999999');
echo $decimal; // 999999999999999999999

Despite Decimal cannot be created from float, it can be weakly compared to float:

$decimal = new Decimal('10');
echo $decimal == 10.0 ? 'true' : 'false'; // true
echo $decimal == 7.0 ? 'true' : 'false'; // false

Calculations

The example from the previous lib can be rewritten as follows:

echo (new Decimal('1'))
->add('2')
->mul('3')
->sub(new Decimal('4'))
->div('5'); // 1

One of the advantages of this lib over brick/math is that operator overload can be used to make calculations. That definitely makes the code more readable when it comes to more complex calculations. The above example can be converted to:

echo ((new Decimal('1') + 2) * 3 - new Decimal('4')) / 5); // 1

Rounding

Decimal has default rounding mode set to half-even (Decimal::DEFAULT_ROUNDING). To change it, we can use variety of consts starting with ROUND_ prefix, e.g. Decimal::ROUND_HALF_UP.

echo (new Decimal('10'))->div('4')->round(0, Decimal::ROUND_HALF_UP); // 3

Which one to choose?

Both libraries are very powerful and allow to perform calculations with arbitrary precision. However, they have some differences that may be important when choosing the right one for your project.

Brick Math can be standalone and doesn't require any additional extensions to be installed (however installing one will speed up calculations). It's also more up-to-date. On the other hand, PHPDecimal has some advantages over Brick Math - it allows to use operator overload and is a bit simpler to use.

Usage in the code

Instead of using any of the above libraries in the code directly, it may be better to encapsulate it into a custom value object class. This way, we can easily change the library in the future without having to change the code in the whole project. This will make PHPDecimal's operator overload feature useless, but in case of changing a lib this will be much easier as no external code will leak out of the value object.

class Decimal
{
    private function __construct(
        private readonly BigDecimal $amount
    ) {}

    public static function fromString(string $value): self
    {
        return new self(BigDecimal::of($value));
    }

    public function plus(Decimal|string $amount): self
    {
        if ($amount instanceof self) {
            $amount = $amount->amount;
        }

        return new self($this->amount->plus($amount));
    }

    public function minus(Decimal|string $amount): self
    {
        if ($amount instanceof self) {
            $amount = $amount->amount;
        }

        return new self($this->amount->minus($amount));
    }

    public function toString(): string
    {
        return (string) $this->amount;
    }
}

Pessimistic vs. Optimistic Locking in MySQL

Jarosław Szutkowski — Wed, 10 Jan 2024 21:45:25 +0000

When designing applications that use databases, we often encounter situations involving concurrent access to data. This can have various implications - the database state might become incorrect, or some data might be lost. To prevent such scenarios, we can use different methods of controlling access to resources, such as optimistic or pessimistic locking.

Let's imagine a situation where two users are trying to update the same record using some application:

As you can see in the diagram above, the first user retrieves a record from the account table and attempts to debit the account by $70 based on the received data. At the same time, the second user performs the same operation, based on the data fetched from database. After these two updates, the account balance will be negative, which we want to avoid for the purpose of this article. How can we prevent such situations at the database level?

In MySQL 8, we can achieve this in two ways: by using pessimistic or optimistic locking.

Pessimistic Locking

In this type of locking, we prevent other users from performing operations on data tables or rows until the transaction is completed. Unlike optimistic locking, this mechanism is built into the database, granting us exclusive access to a specific resource. We distinguish between two types of locks: shared and exclusive. Since the example above concerns individual rows in the database, I'll focus here only on locking rows, not entire tables. Worth to mention that both table locking and individual record locking can be used in parallel.

Types of Locks

As mentioned above, for row-level locking, we can use two types of locking - shared and exclusive.

Shared lock

Shared locking allows transactions that hold this type of lock to only read the same records. This means that other transactions cannot perform any operations on them, such as modifications or deletions.

We can acquire this type of lock by adding FOR SHARE at the end of the select query, for example:

START TRANSACTION;
SELECT * from accounts WHERE owner_id = 1 FOR SHARE;
# do something
COMMIT;

Ending the transaction, either with COMMIT or ROLLBACK, releases the lock on the rows. If another transaction tries to set an exclusive lock on the same record, it will have to wait until the shared lock is released.

Exclusive lock

This type of lock not only prevents modification but also prevents reading of locked records. If another transaction attempts to set a shared or exclusive lock on these rows, it will have to wait for the current transaction to release the lock.

We establish the exclusive lock by adding FOR UPDATE at the end of the select query, for example:

START TRANSACTION;
SELECT * from accounts WHERE owner_id = 1 FOR UPDATE;
# do something
COMMIT;

If we retrieve such a record in another transaction without using any locking, it will be returned, but no operations can be performed on it until the lock is released.

Locking Ranges of Rows

Above I showed how to lock individual records. MySQL also allows to lock entire ranges of data. For example, SELECT * FROM accounts WHERE id > 1 FOR UPDATE locks all records with an id greater than 1 and prevents new records from being inserted.

If we try to lock a range that has no records (max id = 10, and we try to lock id > 100), we can set a different lock on that range in another transaction.

We can also establish such a lock using criteria other than the identifier:

SELECT * FROM user WHERE first_name = 'John' FOR UPDATE

The above query locks all rows where first_name = John. Retrieving such a row or inserting a new one with the specified column value will not be permitted.

Other Locking Options

For the above queries, or more specifically, the FOR SHARE and FOR UPDATE clauses, we can add two more options. The first one is NOWAIT. This option prevents the query from waiting for locked rows to be released and throws an error if it fails to retrieve the data immediately. The second option is SKIP LOCKED. It causes the query to retrieve only those rows that are not currently locked by another transaction.

Examples of using these options are as follows:

SELECT * FROM user WHERE first_name = 'John' FOR UPDATE NOWAIT

SELECT * FROM user WHERE first_name = 'John' FOR UPDATE SKIP LOCKED

Dead locks

With pessimistic locking, you may encounter a situation where multiple threads attempt to retrieve and lock the same row. If the row is not released within a specified time (default is 50 seconds in MySQL), waiting transactions will throw an error:
[40001][1205] Lock wait timeout exceeded; try restarting transaction

Optimistic Locking

Optimistic locking is not a feature of MySQL. This is a strategy where we take the version number of a record and check if it has changed when the data is updated. For example, let's say our account table has an additional column - version.

id	company_id	balance	version
1	1	100	1

We retrieve a record from the database using a select query:

SELECT * FROM account WHERE id = 1;

Then, when we want to update the record, we use the version column, for example:

UPDATE account SET balance = balance - 70, version = version + 1 WHERE id = 1 AND version = 1

In the UPDATE clause, in WHERE section, we use the version number retrieved in the select query.

The above approach ensures that if another thread updated the record after we retrieved it from the database, our update will fail because the version number will be different. This is the essence of the optimistic locking - if the number of updated rows is 1, we can consider the operation successful. If no rows were updated, we can for example handle this situation by throwing an exception in our application or handling it differently.

The version doesn't necessarily have to be an integer. Other types, like dates or checksums, can be used for this purpose.

Which Locking to Choose?

When it comes to selecting the appropriate locking strategy in MySQL, the decision largely depends on the specific use case and requirements of the application.

Pessimistic locking may be a suitable choice in scenarios involving batch processing, particularly when multiple consumers are involved. In such cases, where each row needs to be processed, it is crucial to prevent multiple consumers from selecting the same row simultaneously. By using the FOR UPDATE SKIP LOCKED clause, you can ensure that only one consumer locks and processes a specific row, while others skip over it and proceed to the next available row. This approach helps maintain data integrity and prevents conflicts in batch processing scenarios.

On the other hand, optimistic locking may be a preferred strategy when there is no risk of repeating the operation causing side effects. It is particularly suitable when your application does not involve calling external APIs or sending emails during the operation. In such cases, conflicts resulting from optimistic locking are unlikely to have significant consequences. By allowing multiple transactions to access and modify the same data concurrently, optimistic locking improves efficiency and performance, especially in scenarios where conflicts are infrequent.

Conclusion

The choice between pessimistic and optimistic locking depends on factors such as the expected contention level, the criticality of data integrity, and the performance requirements of your application. Optimistic locking is suitable when conflicts are infrequent, and efficiency is a priority. On the other hand, pessimistic locking ensures data integrity but may impact performance in highly concurrent environments. Understanding the characteristics and demands of your application will guide you in selecting the appropriate locking strategy.

Applying Content Security Policy in Symfony to Reduce XSS Risks

Jarosław Szutkowski — Sun, 14 May 2023 18:29:28 +0000

Protecting applications against XSS attacks is one of the most important things we can do to make them more secure. In this post, I'm going to show you how to configure Content Security Policy in Symfony to reduce the risk of XSS attacks.

What is XSS

Cross-Site Scripting (XSS) attacks are one of the most common attacks on web applications. They involve injecting JavaScript code into a page that can be executed in the user's browser. This way, an attacker can take control of the user's session, steal data or perform other undesirable actions.

What is Content Security Policy

There are many ways to defend against these types of attacks. One of them is the use of the Content-Security-Policy (CSP) header. This header, sent in response to a browser request, specifies what resources (scripts, styles, fonts, etc.) can be loaded on our website. Thanks to this, even if a hacker manages to inject malicious code into our page, a browser that supports CSP will effectively block its execution, reducing the risk of attack.

Different approaches of applying CSP

If we want to apply this method of securing our application, we can do it ourselves by adding a header to the response or use a popular library, NelmioSecurityBundle, which has many other security options. In this post, I'm going to focus on the second method.

Before we start

I've prepared an example HTML code to illustrate how CSP will affect our website. Let's take a quick look at it.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css" rel="stylesheet">
    <style>
        button {
            color: red !important;
        }
    </style>
</head>
<body>
    <button class="btn btn-primary" style="font-weight: bold;">Submit</button>

    <script src="https://code.jquery.com/jquery-3.6.4.min.js"></script>
    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/js/bootstrap.min.js"></script>
    <script>
        $(document).ready(function () {
            $('button').text('Click me!');
        });
    </script>
</body>
</html>

It involves loading a few external resources like styles and scripts for Bootstrap and jQuery, as well as using inline styles and scripts. In the next steps, I'm going to show you how to set up CSP and how it can impact our website.

I'll be using Chrome console to display any violation of CSP.

Without any CSP policy configured, the console should not report any violations and the button from above HTML should look like this after all styles and scripts are loaded and executed:

Configuring Content Security Policy

To begin using CSP, we need to add a few lines to config/packages/nelmio_security.yaml file. I'm using version 3.0.0 of NelmioSecurityBundle. We'll start with the most restrictive configuration.

nelmio_security:
  csp:
    enforce:
      report-uri: '%router.request_context.base_url%/nelmio/csp/report'
      default-src:
        - 'none'
      script-src:
        - 'self'

The above code configures CSP with enforce mode, which blocks all resources except for those that are defined on the lists.

report-uri defines a URI where the browser should send a report if it detects a violation of CSP.
default-src specifies the default or fallback resources allowed to be loaded on the page. In our case, we don't want to allow any undefined sources to be loaded, so we set it to 'none'.
script-src defines a list of script resources that are allowed to be loaded and executed. Let's use 'self' to only allow scripts from website's origin.

With CSP configured like this, the browser should block all resources that are not allowed. Let's check it.

The browser has blocked all resources that are not listed. It also blocked scripts and styles that are defined in the HTML file. According to this, the styles from Bootstrap were not applied to the button. Our styles did not change the colour of the text and did not make it bold. And our script did not change the text on the button. This is because we did not define them on script-src and style-src lists.

The console displayed the following error messages:

Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-So78BYT2mbjtQqZqHbPQDdRiZpvjnGBwZCYxIdxMMOE='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-+YWRMZ88jMyO7jVlBA52tZADiPobPIUA8LAWee68Fvs='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the script 'https://code.jquery.com/jquery-3.6.4.min.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Refused to load the script 'https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/js/bootstrap.min.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-aAnMJGUIj4IqwyFSfCsQ989Go5ey5e7X+YACSD316t8='), or a nonce ('nonce-...') is required to enable inline execution.

The browser also tried to send the violations to the URL we defined in report-uri. They contained information about what resources had been blocked. Below is a sample report:

{
  "csp-report": {
    "document-uri": "http://localhost/content-security-policy",
    "referrer": "",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "original-policy": "default-src \u0027none\u0027; script-src \u0027self\u0027; report-uri /nelmio/csp/report",
    "disposition": "enforce",
    "blocked-uri": "inline",
    "line-number": 18,
    "source-file": "http://localhost/content-security-policy",
    "status-code": 200,
    "script-sample": ""
  }
}

Defining a list of allowed resources

To restore our website's functionality, we need to define a list of resources that can be fetched and executed.

nelmio_security:
    csp:
        enforce:
            report-uri: '%router.request_context.base_url%/nelmio/csp/report'
            default-src:
                - 'none'
            script-src:
                - 'self'
                - 'unsafe-inline'
                - 'code.jquery.com'
                - 'cdn.jsdelivr.net'
            style-src:
                - 'cdn.jsdelivr.net'
                - 'unsafe-inline'

After refreshing the page, we can see that the button is styled again, and the text has changed. The console isn't showing any errors, so everything seems to be working as expected.
What's more, we can see a Content-Security-Policy header in the response:

Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' code.jquery.com cdn.jsdelivr.net; style-src cdn.jsdelivr.net 'unsafe-inline'; report-uri /nelmio/csp/report

Dealing with unsafe inline and unsafe eval

As you might have noticed, we added unsafe-inline value to the style and script lists. This is not a good practice because if someone manages to inject malicious code, it will be executed, effectively disabling the XSS protection mechanism of CSP.

But what if we need to use inline scripts or styles? We can still do it, but we have to use nonce or hash values.

What is nonce? It's a random string that is generated for each request. It is used to allow usage of inline scripts and styles. The same nonce value has to be applied to script or style tag and to the Content-Security-Policy header.

In our case, with Nelmio Security Bundle and Twig, we can use the csp_nonce function in Twig to generate a nonce.

After using csp_nonce function for either script or style, nonce will be generated and automatically applied to the Content-Security-Policy header.

Then, we will be able to remove unsafe-inline value from script-src and style-src lists. In fact, those values don't work along with nonce, which means that if we added nonce to CSP list, unsafe-inline will be ignored.

We have to remember to add nonce to each script and style tag. Otherwise, they will not be executed.

You may ask what about inline styles? It's not possible to generate nonce for them, so they will be blocked. A workaround for this case is to move inline styles to external files or to style tag with nonce attribute.

In practice, updated Twig template will look like this:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css" rel="stylesheet">
    <style nonce="{{ csp_nonce('style') }}">
        button {
            color: red !important;
            font-weight: bold !important;
        }
    </style>
</head>
<body>
    <button class="btn btn-primary">Submit</button>
    <script src="https://code.jquery.com/jquery-3.6.4.min.js"></script>
    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/js/bootstrap.min.js"></script>
    <script nonce="{{ csp_nonce('script') }}">
        $(document).ready(function () {
            $('button').text('Click me!');
        });
    </script>
</body>
</html>

Content-Security-Policy header will now contain nonce values for styles and scripts:

Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' code.jquery.com cdn.jsdelivr.net 'nonce-G41nkEkLQJ77SLEx0j3cXA=='; style-src cdn.jsdelivr.net 'unsafe-inline' 'nonce-G41nkEkLQJ77SLEx0j3cXA=='; report-uri /nelmio/csp/report

Report-Only mode

If we want to implement Content-Security-Policy protection into an existing, large application, we may not be able to list all the resources. In such a case, before we turn on enforce mode, we can use report-only mode. In this mode, the CSP header will report all violations, but it won't block any resource. This allows us to see what resources are used on the site and which ones we should add to the allowed list. To enable report-only mode, we need to change the enforce value to report in the configuration file:

nelmio_security:
  csp:
    report:
      report-uri: '%router.request_context.base_url%/nelmio/csp/report'
      default-src:
        - 'none'
      script-src:
        - 'self'
      style-src:
        - 'self'

The console will then display errors about CSP violations, but no resource will be blocked.

[Report Only] Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'nonce-jbOYi9qK+tahki7w9Yw7Cw=='". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

[Report Only] Refused to load the script 'https://code.jquery.com/jquery-3.6.4.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'nonce-jbOYi9qK+tahki7w9Yw7Cw=='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

[Report Only] Refused to load the script 'https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/js/bootstrap.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'nonce-jbOYi9qK+tahki7w9Yw7Cw=='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

It's also worth noting that the Content-Security-Policy header has changed to Content-Security-Policy-Report-Only:

Content-Security-Policy-Report-Only: default-src 'none'; script-src 'self' 'unsafe-inline' 'nonce-jbOYi9qK+tahki7w9Yw7Cw=='; style-src 'self' 'unsafe-inline' 'nonce-jbOYi9qK+tahki7w9Yw7Cw=='; report-uri /nelmio/csp/report

An important thing to mention is that we can use both enforce and report-only modes at the same time. In that case, all resources not listed on the Content-Security-Policy list will be blocked, and all resources not listed on Content-Security-Policy-Report-Only will be reported.

For large applications, it's worth starting with report-only mode and configuring the URL to report violations under the report-uri key. It can be an internal endpoint in our application. We can also use dedicated portals for this purpose, e.g. report-uri.com. Then, after collecting and listing all resources, we can switch to enforce mode.

More info

Managing scripts and styles is just an example. There are many more options that can be used to secure our application. We can manage the list of allowed resources for images, fonts, frames, and more. You can find more information about the Content-Security-Policy header in the MDN documentation. It's also worth visiting the Nelmio Security Bundle documentation to learn more about it.

Summary

This post aimed to introduce the basic concepts related to Content-Security-Policy and show how to implement this policy in Symfony-based application. Implementing it will further secure our site against XSS attacks, as well as the loading of external resources. However, we must remember that this is not the only way of securing our application. It is also worth remembering other security measures, such as validating form fields to ensure they do not contain malicious content and displaying content in templates in an appropriate manner.

DEV Community: Jarosław Szutkowski

Why Relying on Code Review Alone Is a Recipe for Burnout

The false sense of safety after code review

The everyday chaos nobody names

The psychological cost nobody budgets for

The real problem (it's not people)

What code review is consistently bad at

The shift mature teams make

A minimal way to think about code quality

The common trap: overengineering quality

Reduce randomness in your projects

A quiet closing thought

The AI Pipeline I Use to Convert Any Podcast into a 5-Minute Summary

Part I - The Non-Technical Story

The Problem: Too Much Content, Too Little Time

The Realisation: AI Works for Pennies, If You Use It Well

The Idea: A Personal Knowledge Engine

The Impact: From Hours to Minutes

Part II - The Technical Breakdown

Architecture Overview

Local Machine (current heavy processing)

Remote Server (light orchestration for now)

Why Not Do Everything on the Server?

1. YouTube downloading works more reliably locally

2. ffmpeg slicing is local for now - but not due to server limitations

3. Whisper wasn't the issue - large audio files were

4. n8n can absolutely handle heavy tasks

5. Future Architecture: Mostly Server-Side

What Happens Inside the Local Python Script

What Happens Inside n8n

Diagram - Full n8n Workflow

Part III - What I'd Improve Next

Part IV - Want to Try It Yourself?

👉 Here's the link to the repo: https://github.com/jszutkowski/audio-content-summariser

Closing Thoughts

One-to-One in Doctrine: How One Wrong Line of Code Generated 40,000 Extra Queries Per Day

A real-world debugging story - and the hidden mechanics behind Doctrine's 1:1 relations

🧩 The Hidden Complexity of One-to-One in Doctrine

👉 Only one side owns the foreign key.

🏗️ Example Setup

CapitalCity (Owning side)

Country (Inverse side)

💡 BONUS RESOURCE – Free PDF Guide

🔍 Why Doctrine Sometimes Issues Extra Queries

1️⃣ Fetching the Owning Side (Cheap)

2️⃣ Fetching the Inverse Side (Doctrine Must JOIN)

3️⃣ Using QueryBuilder (The Silent N+1)

💡 The Fix: Put the Owning Side Where You Fetch Most

👉 Make the entity you load most often the owning side.

🧭 Practical Guidance for Developers

🚀 Ready to Go Beyond Quick Fixes?

Stop Blaming Doctrine - Start Understanding It

Scene 1: The 900 MB Disaster

Scene 2: The Culprit - Buffered Queries

Scene 3: The Fix - Stop Hoarding Data

💡 BONUS RESOURCE – Free PDF Guide

Scene 4: Going Leaner - IDs First

Scene 5: The Hidden Switch Nobody Talks About - Buffered Queries

Scene 6: The Hidden Switch Nobody Talks About - HINT_READ_ONLY

Scene 7: Why People Think Doctrine Is Slow

Scene 8: The Trade-offs You Should Know

Scene 9: Measure, Don't Assume

Scene 10: Lessons From Production

Scene 11: Anti-Patterns I Keep Seeing in Production

Scene 12: Operational BHP for Batch Jobs

Scene 13: What It All Means

🚀 Ready to Go Beyond Quick Fixes?

When Classes Do Too Much: Using LCOM to Spot 'God Classes' in PHP

LCOM in PHP – spotting classes that do too much

What is LCOM?

LCOM flavours (LCOM1 vs LCOM2)

Quick examples

And beyond…

How to measure LCOM in PHP

Example in PHP code

How to fix high LCOM

Wrapping up

Benchmarking Array Merges in PHP: When to Optimise and Why It Matters

The Warning That Started It All ⚠️

Setting Up the Benchmark 🧪

`CapitalCity` (Owning side)

`Country` (Inverse side)

Scene 6: The Hidden Switch Nobody Talks About - `HINT_READ_ONLY`

Why `$this` Matters in Closures