Xdebug is a PHP extension that provides a wide range of debugging features. Have you ever wondered while using Xdebug, from step debugging to code coverage: "How is this actually implemented?" In this session, I will dive into the internal implementation of Xdebug's step debugger. Let's understand at least a little of what feels like magic.

Note: This talk focuses only on step debugging, not other Xdebug features.

When measuring code coverage in PHP software (for example in unit tests), extensions such as Xdebug and PCOV are commonly used.

Have you ever wondered: "How does it collect executed-line information while running the application (or tests)?" To understand this, at least two points might matter: how execution data is captured, and how that captured data is output.

In this talk, we will examine those points using PCOV as a concrete example. We will focus on which parts of PHP's core features are leveraged, how they are used, and what implementation ideas make it work.

Where does declare(strict_types=1) actually switch PHP's type checking behavior? In this session, we will reference the php-src, specifically parts where strict_types is handled (Zend/zend_execute.c and zend_compile.c), and trace the compile-time flags as well as how the type check branches on function call. Using reproducible examples and diagrams, we organize the boundary where TypeError is thrown and where implicit conversion still happens. The goal is to understand how strict_types works internally and leave with practical guidance for when and how to use it in real projects.

Target audience

• People who use type hints and static analysis but still treat strict_types as a vague convention
• People curious about how PHP actually sees and validates types
• People who want concrete guidance on strict_types usage

"When an incident happens, check logs." "Look at metrics and search for the cause." Is that really what observability means?

Observability is not only for SRE or infrastructure engineers. When application engineers consider observability from the design and implementation phase, they can speed up incident investigation and reduce operational burden across the team. This session introduces the core of observability for application engineers, especially backend engineers, based on practical field experience.

Overview

Long-running PHP applications accumulate dead code over time. However, it is hard to know what is actually executed in production.

In this session, I introduce an approach that uses PHP tracepoints (DTrace) and eBPF to record PHP files actually compiled in production and detect dead code. I will explain this through the implementation of my tool, php-dcr.

Along with implementation details and demos, we will also cover the basics of tracepoints and eBPF, and discuss possibilities and challenges for applying these techniques in the PHP ecosystem.

What you'll gain

• Understand how tracing works through a real tool implementation, including strengths, difficulties, and practical usage
• Learn the fundamentals of eBPF and ideas for where it can be useful in PHP

TiDB is a MySQL-compatible NewSQL database. Many people have heard the term NewSQL, but don't know the concrete architecture behind it.

This talk explains what distributed systems solve and where they are strong by looking through TiDB's architecture. Because TiDB is MySQL-compatible, it is relatively easy to adopt from PHP applications. I hope this session broadens your options for future technology choices.

Target audience

• People interested in NewSQL or distributed databases
• People facing MySQL scaling challenges

Topics

• What NewSQL is and how it differs from traditional RDBMS
• TiDB architecture overview (TiDB / TiKV / PD)
• Strengths and use cases enabled by distributed systems

At the sponsor session of PHP Conference Odawara 2025, I gave a talk titled "Traveling the OSI 7 Layers with PHP." https://fortee.jp/phpconodawara-2025/proposal/db76a0c7-a721-4e3b-9245-72d432105b19 There I talked about implementing HTTP, TLS, and TCP/IP with PHP.

With PHP 8.5, released in November 2025, standard functions finally reached Layer 2, the data link layer, so reading and writing Ethernet frames also became possible. One year later, the journey continues, and now I've gone as far as implementing an IP router in PHP.

As a sponsor session, I'll also introduce the company while sharing the next chapter of that journey.

With AI around, do we no longer write code? Do we even need VS Code or PhpStorm anymore? How is PhpStorm useful in an AI-first era? What differentiates PhpStorm's AI features from other AI services?

This session answers those questions.

In December 2025, a vulnerability called React2Shell was discovered. It was a React.js vulnerability that allowed arbitrary code execution through insecure deserialization.

Insecure deserialization has also caused vulnerabilities in many PHP OSS projects such as phpMyAdmin, Joomla!, and Drupal.

This talk explains what deserialization is, what insecure deserialization is, and why it leads to vulnerabilities.

Deserialization is a powerful programming technique. I hope this talk helps you write deserialization-related code with confidence.

When people hear "implement an MP3 player in PHP," they usually think: "Oh, you mean playing audio in the browser." No. This session is about implementing the MP3 player itself in PHP, not with HTML or JavaScript. Playback control, buffering, decoding, and I/O. If your first reaction is "Is there any point in doing this in PHP?", that is exactly the entrance to this talk. We drag PHP out of its backend comfort zone and force it to make sound.

PHP is a flexible language that accepts many programming styles, and recent versions have added even more useful syntax.

I personally like functional-style programming, but in PHP it has often been seen as impractical and hard to read.

That era is ending. With PHP 8.x and especially features added recently in 8.5, expression-oriented code can now be written more clearly without sacrificing readability.

Practicality lies between extreme ideals and compromises. By understanding new language features, you gain the option to use them intentionally or decide not to.

In this talk, I explain how I think while writing code and invite you to explore expression-oriented PHP together.

Modern development faces security risks not only in web applications, but also across cloud infrastructure, CI/CD pipelines, editor extensions, and coding agents. However, there is a large gap between simply "knowing" about vulnerabilities and truly "understanding" them by experiencing both attack and defense hands-on.

This session introduces the overall landscape of OSS hands-on training materials that can be used across web, cloud, and CI/CD domains, and explains how hands-on learning changes developers' security awareness and behavior. It also covers practical training for realistic risk scenarios and incident response techniques that are harder to learn from OSS materials alone.

Based on experience running hands-on workshops for technical communities across Japan, the speaker will also share practical steps for introducing this kind of training into development teams.

Sponsor Session

One day my father asked me, "Can you rebuild a web app for me?" I accepted casually. The original system had been outsourced about 10 years ago and operated ever since. The code I received was "old-school PHP": HTML, CSS, JS, and PHP mixed in one file, with GET/POST handled in that same file.

When I asked my father for requirements on LINE, he replied: "Capacity has two types: authorized capacity and operational capacity, both managed in facility settings." At that moment, I realized he was the domain expert.

This session introduces how we inherited that legacy system, understood the domain through dialogue and existing code, extracted entities and use cases, and performed a large rewrite using Slim Framework + PHP-DI + Doctrine ORM + Claude Code.

Do you use domain events?

Domain events model facts like "something happened" as classes. By organizing flows around events, dependencies can be aligned in one direction.

Using a real refactoring case, this talk compares before/after code in three steps:

• Understanding differences and limits versus traditional method splitting
• Introducing synchronous events
• Moving to asynchronous events

The goal is to give your team a practical starting point for discussing and adopting domain events.

This is a case study where a daily sync of about 40,000 records was reduced from 45 minutes to 20 seconds without infrastructure scaling. The challenge was balancing long-term maintainability (with Drupal as a framework dependency) and eliminating bottlenecks such as N+1 queries and sequential S3 reads. Rather than "fully embrace the framework" or "throw it away," I chose where to use it precisely.

1. Separation: Keep complex persistence in the framework, but move heavy calculations/search to raw PHP arrays to reduce complexity to O(n).
2. Structure: Avoid loading full entities into memory; build lookup hash maps for memory-efficient access.

This talk shares decision criteria for balancing operational cost and performance beyond the false binary of "all framework" vs "all custom."