Reflection API
Also Known As
PHP Reflection
ReflectionClass
introspection PHP
TL;DR
PHP's built-in introspection system for examining classes, methods, properties, and parameters at runtime.
Explanation
The PHP Reflection API (ReflectionClass, ReflectionMethod, ReflectionProperty, ReflectionFunction, ReflectionParameter) enables runtime inspection of code structure — reading type declarations, attributes, docblocks, visibility, and default values without invoking the code. It underpins dependency injection containers (resolving constructor parameters), ORM hydration, serialisation libraries, and testing frameworks. Reflection is powerful but has a performance cost — production DI containers cache reflection results. PHP 8.0 Attributes provide a structured, performant alternative to docblock-parsed metadata.
Common Misconception
✗ The Reflection API is only useful for framework developers. Reflection enables runtime code generation, attribute processing, dependency injection containers, test mocking, and documentation generation — it is the backbone of most modern PHP frameworks.
Why It Matters
The Reflection API gives runtime access to class structure, docblocks, and attributes — it powers dependency injection containers, ORMs, and testing frameworks, but has non-trivial performance cost.
Common Mistakes
- Using Reflection in hot code paths without caching results — ReflectionClass instantiation is expensive.
- Not caching reflected class metadata in a DI container — reflecting the same class on every request adds measurable overhead.
- Using Reflection to access private members of other classes in production code — breaks encapsulation.
- Not using PHP 8 Attributes instead of docblock parsing when possible — native attributes are faster and type-safe.
Code Examples
✗ Vulnerable
// Uncached reflection in a hot path:
function resolve(string $class): object {
$ref = new ReflectionClass($class); // Expensive — not cached
$params = $ref->getConstructor()->getParameters();
// ... inject dependencies
}
✓ Fixed
// Inspect class structure at runtime
\$ref = new ReflectionClass(OrderService::class);
echo \$ref->getName(); // 'App\Domain\OrderService'
echo \$ref->getShortName(); // 'OrderService'
\$methods = \$ref->getMethods(ReflectionMethod::IS_PUBLIC);
\$constructor = \$ref->getConstructor();
// Read PHP 8.0+ attributes:
foreach (\$ref->getMethods() as \$method) {
foreach (\$method->getAttributes(Route::class) as \$attr) {
\$route = \$attr->newInstance();
echo \$route->path;
}
}
// Instantiate without constructor (DI containers, test fixtures):
\$instance = \$ref->newInstanceWithoutConstructor();Tags
🤝 Adopt this term
£79/year · your link shown here
Added
15 Mar 2026
Edited
22 Mar 2026
Views
22
🤖 AI Guestbook educational data only
|
|
Last 30 days
Agents 0
No pings yet today
No pings yesterday
Amazonbot 8
Unknown AI 3
Perplexity 2
Ahrefs 2
Google 1
Also referenced
How they use it
crawler 15
pre-tracking 1
Related categories
⚡
DEV INTEL
Tools & Severity
🟢 Low
⚙ Fix effort: High
⚡ Quick Fix
Use PHP's Reflection API for framework-level metaprogramming (DI containers, ORMs, test mocking) — avoid using it in application code as it bypasses encapsulation and is significantly slower
📦 Applies To
PHP 5.0+
web
cli
queue-worker
🔍 Detection Hints
Reflection used in hot path per-request; accessing private methods in tests via reflection when Closure::bind() would be cleaner
Auto-detectable:
✗ No
phpstan
blackfire
⚠ Related Problems
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File
Tests: Update
CWE-470