Slashdot Mirror

What part of "Not wishing to start a flame war" was it that went rocketing over your head. All of it along with the rest of the post apparently.

DB quoting/filtering should be left to the Database API.

What like using seperate commands for different databases. You can look the rest up yourself, I'm bored of reading the PHP manual for other people.

Register globals is there to allow backwards compatibility. Everyone, especially php.net, shout from the hills about how insecure it is and how it shouldn't be used.

Magically sticking backslashes in front of everything is stupid for nontrivial apps and is likely to corrupt data.

You must be in management, argueing with me by repeating what I said re-worded. As I said if you do filter your input then magic quotes GPC gets annoying, good job its simple to turn off really.

The fact that PHP programmers are commenting here about the joys of addslashes vs SQL injection

Well pedantically they should be talking about mysql_escape_strings or whichever for the database they're using. Unpedantically, nobody apart from you is under the illusion that addslashes is the only way to escape SQL strings. Coming from an ODBC background by any chance?

You do seem to be suggesting that escaping SQL strings is a bad thing (tm), care to explain why?

Also, please can you actually specify some preference of alternative language so we can get a proper flame war going instead of just flirting about like this :-)

What part of "Not wishing to start a flame war" was it that went rocketing over your head. All of it along with the rest of the post apparently.

DB quoting/filtering should be left to the Database API.

What like using seperate commands for different databases. You can look the rest up yourself, I'm bored of reading the PHP manual for other people.

Register globals is there to allow backwards compatibility. Everyone, especially php.net, shout from the hills about how insecure it is and how it shouldn't be used.

Magically sticking backslashes in front of everything is stupid for nontrivial apps and is likely to corrupt data.

You must be in management, argueing with me by repeating what I said re-worded. As I said if you do filter your input then magic quotes GPC gets annoying, good job its simple to turn off really.

The fact that PHP programmers are commenting here about the joys of addslashes vs SQL injection

Well pedantically they should be talking about mysql_escape_strings or whichever for the database they're using. Unpedantically, nobody apart from you is under the illusion that addslashes is the only way to escape SQL strings. Coming from an ODBC background by any chance?

You do seem to be suggesting that escaping SQL strings is a bad thing (tm), care to explain why?

Also, please can you actually specify some preference of alternative language so we can get a proper flame war going instead of just flirting about like this :-)

Not wishing to start a flame war but for PHP users, turn on safe mode. That blocks exec() and similar "dangerous" functions. If needed you can turn them back on in <Directory> statements in apache config.

Good time to mention magic_quotes_gpc and register globals as well.

Of courses none of these are a replacement for good programming practises in the first place. magic_quotes can get annoying if you do filter input properly as it's easy to end up with double escaped strings (e.g \\\'test\\\' instead of \'test\').

Generally speaking if your app breaks running under safe mode or without register globals its not very safe anyway and you need to read the PHP manual to update your coding.

Not wishing to start a flame war but for PHP users, turn on safe mode. That blocks exec() and similar "dangerous" functions. If needed you can turn them back on in <Directory> statements in apache config.

Good time to mention magic_quotes_gpc and register globals as well.

Of courses none of these are a replacement for good programming practises in the first place. magic_quotes can get annoying if you do filter input properly as it's easy to end up with double escaped strings (e.g \\\'test\\\' instead of \'test\').

Generally speaking if your app breaks running under safe mode or without register globals its not very safe anyway and you need to read the PHP manual to update your coding.

Not wishing to start a flame war but for PHP users, turn on safe mode. That blocks exec() and similar "dangerous" functions. If needed you can turn them back on in <Directory> statements in apache config.

Good time to mention magic_quotes_gpc and register globals as well.

Of courses none of these are a replacement for good programming practises in the first place. magic_quotes can get annoying if you do filter input properly as it's easy to end up with double escaped strings (e.g \\\'test\\\' instead of \'test\').

Generally speaking if your app breaks running under safe mode or without register globals its not very safe anyway and you need to read the PHP manual to update your coding.

How did this get modded up so high? This has been hashed over before and it's not illegal to use them together. See the PHP FAQ

There's similar functionality s/java/php/g, here:

http://talks.php.net/show/phpquebec/27
http://www.sklar.com/page/article/myphp

S

How much is it for 50 connections with Oracle?

Most people who use PHP/MySQL use something like mysql_pconnect() to use persistant connection to speed the site up. However, that backfires on you when your site gets heavy load and you run out of connections. There is a warning about this in the PHP docs mysql-pconnect

Using persistent connections can require a bit of tuning of your Apache and MySQL configurations to ensure that you do not exceed the number of connections allowed by MySQL.

A better solution would be a resource pool manager for PHP/MySQL that starts to free the connections when a certain numbers of configurable connections get in the pool to try to help with the infamous "Too many connections in /usr/XXX" MySQL error. Though, in the end, there are only so many connections you can get through a little box. Put the www.moviemistakes.com site on a nice 4-8 way box with the same setup and see how well it can do against Oracle. I am not knocking Oracle, I think it is the best Enterprise class DB out there. It comes down to using the right tool for the right job. Orcale for a dynamic web site is overkill and too expensive. Orcale for financial, e-commerce, data warehousing is a much better fit IMO.

Of course speed does depend on your programming skills as well. You can make a very slow programm in C or a very fast one in PHP.

I'd use Smarty and activate caching to speed the whole thing up. It's the same trick Slashdot uses and as most of the pages at Star Wreck almost never change this'd give it the needed boost.

To make it even faster someone could use Turk MMCache. And than but the whole output of Smarty in the MMCache, which is in shared memory, and write a little resource handler for Smarty to use this.

As we see it doesn't depend on PHP or Perl or Java or anything else. It's just about using the right tools for your chosen language.

b4n

Except.. it wouldn't have, in this case at least. Gallery works with register_globals turned off, I just checked.. but then I noticed the code (this is in init.php if anyone wants to check):

if (!$gallery->register_globals) {
if (is_array($HTTP_GET_VARS)) {
extract($HTTP_GET_VARS);
}

if (is_array($HTTP_POST_VARS)) {
extract($HTTP_POST_VARS);
}

The extract() function basically takes everything from the _GET and _POST arrays and dumps them straight into the appropriate variables, which is exactly what register_globals does. Whether it was turned on or off, you would still be able to pollute the $GEEKLOG_DIR variable via get/post. This is a pretty braindead piece of coding right here, and makes me a little worried about using gallery. I hope they plan to fix this in the future.

register_globals is disabled by default in >4.2.0. It was disabled in the "recommended" php.ini's in versions before that. Anyone configuring a PHP distribution should read over php.ini thoroughly. As long as the setting has been there, there have been comments around it regarding its dangers. There are global arrays now, to access the form data: $_GET[] and $_POST[].
Here is some background.

If you want to create SWF (Flash) animations, there are much cheaper alternatives to buying Flash from Macromedia. SWF is an open format, and there are other manufacturers of creation tools. Swish is one I've heard a fair bit about. Others are available for Tucows. You can even create SWF files from within PHP with the MING libraries. In short, I don't think SVG will replace SWF simply because of cost.

then I think this qualifies:
http://nl.php.net/manual/en/features.persistent-co nnections.php

I use persistant connections in my php programming all the time, and the difference in impact on the server is quite noticeable.

To combine your reply and the other reply at the time of this writing, here's a timely (coincidental) bit of news...

Java is coming to BeOS. Read more about it in an interview I posted recently.

Enjoy. ;)

$foo = strip_tags($foo, "<i>, <b>");

• Composite files built at request time,
• The results of running a script,
• Interaction with a web application 1 2 3 4,
• Remote procedure calls and object access 1 2,
• Instant messenger communications, and sometimes
• Static files.

Check out, as an example, PHP's documentation

-Adam

Check out, as an example, PHP's documentation

-Adam

Go explore it a while. Especially look at the functions individually. I even think it's overall the best documentation site I've seen yet.

Go explore it a while. Especially look at the functions individually. I even think it's overall the best documentation site I've seen yet.

How about PHP's documentation?

Not if you use Pear. Pear emulates prepared statements on top of vanilla MySql, and prepared statements are immune to most forms of SQL injection.

With plain Php you'd either need to use addslashes, or a different database (such as Oracle) which supports prepared statements natively.

PHP is awsome, and from what i've seen of presentations regarding PHP5, scalability is not the only thing in common, but so is public,private,protected types, exceptions (try & catch), and other things that for now have been the domain of Java or C++...

When php5 comes out i believe i'll start to dabble in it again. Php is an awsome language and i believe the future will be built around interpretive langauges.

By the looks of php5 (following link) it has a great future!

take a look at this

Aren't all characters in PHP 8 bits? What about internationalization?

Ask Google and you shall receive. PHP seems to support UTF-8, and the developers hope to have more extensive internationalization ready by version 5.0.

From the PHP manual

I'm curious (since their web site doesn't offer much info, and the downloaded src didn't offer much more) as to what the difference is between this and these:

PEAR::HTML_Form
PEAR::HTML_QuickForm

On the surface, they seem to solve the exact same problem.

I'm curious (since their web site doesn't offer much info, and the downloaded src didn't offer much more) as to what the difference is between this and these:

PEAR::HTML_Form
PEAR::HTML_QuickForm

On the surface, they seem to solve the exact same problem.

I've only seen flash used for spamproof mailtos on one or two sites, but I think it's a pretty good idea as long as all of your users have the Flash player. Just make a little .swf of clickable text linking to the mailto: you want. You probably can even have them dynamically generated if you have a lot of different address across your site. PHP, for example, can do this with its built-in Flash functions.

Good idea.

There's probably a dozen or so postings already here (including your own PHP testimonial).

Granted, they're not random in the strictest sense (/. sure seems random), but it's a start.

I've been impressed with PHP (seems ideal for rapid application development) and have to wonder why projects like Pear and Horde don't have a greater uptake than they do.

Recurring security issues with PHP would make me nervous deploying in the context of financial transactions, though. News portals, blogs, calendars, mail and miscellaneous web tasks are nicely handled by PHP.

Just like good posts don't require logical operators that actually exist.

And anal rejoinders don't require snooty pseudo-knowledge that's actually wrong.

See what I mean... Couldn't think of one company to offer support? That's the problem.

It's object model is worthless compared to real OOP languages.

As a criticism of PHP3, this is spot on. As of PHP 4, however, things have improved markedly. No longer are there lame limitations like the inability to call methods on an object that's in an array ($ary[$key]->doStuff()), and passing and referring to things by reference really works. Also, PHP 4 grew a garbage collector, so you no longer have to worry about an app going belly-up just because it makes and immediately discards a few thousand objects. PHP doesn't yet have all of Java's syntactic sugar, but it's pretty good, especially if people follow good coding and documentation practices.

PHP 5 is planned to be practically an interpreted version of the Java language (speaking loosely). For example, 4 is missing destructors, abstract classes, interfaces, access specifiers, class constants, and automatic pass-by-reference. 5 adds all these things. Now, unlike Java, PHP won't force you to use these things, but, as I said above, you are free to use good coding practices.

It completely lacks exception handling, which makes rolling back partial transactions (etc) impossible in banking scenarios.

It's database support is mediocre at best: third party classes are currently the best (but not only) DB interface PHP has.

It's object model is worthless compared to real OOP languages.

As a criticism of PHP3, this is spot on. As of PHP 4, however, things have improved markedly. No longer are there lame limitations like the inability to call methods on an object that's in an array ($ary[$key]->doStuff()), and passing and referring to things by reference really works. Also, PHP 4 grew a garbage collector, so you no longer have to worry about an app going belly-up just because it makes and immediately discards a few thousand objects. PHP doesn't yet have all of Java's syntactic sugar, but it's pretty good, especially if people follow good coding and documentation practices.

PHP 5 is planned to be practically an interpreted version of the Java language (speaking loosely). For example, 4 is missing destructors, abstract classes, interfaces, access specifiers, class constants, and automatic pass-by-reference. 5 adds all these things. Now, unlike Java, PHP won't force you to use these things, but, as I said above, you are free to use good coding practices.

It completely lacks exception handling, which makes rolling back partial transactions (etc) impossible in banking scenarios.

It's database support is mediocre at best: third party classes are currently the best (but not only) DB interface PHP has.

Honestly, cut the crap. Show me how PHP has better OO than C#.

PHP lets you substitude objects for one another based on their behaviors, like Smalltalk. C#, instead, imposes restrictions based on inheritance. C#'s choice simplifies type checking and make work easier for the compiler, but it severly limits the flexibility you have during object-oriented design and development.

Can you catch exceptions ?

Sure. But exceptions, convenient and useful as they are, have nothing to do with the object system of a language.

That's not true, as you may see here.

• CMS - because it is about storing the content in the database and serving it fast in a dynamic site - php.net is a good example
• Company management - (CRM/ERP/reporting/helpdesk) - because it's all about listing records from the database and edit them - that is lists and forms, where employees could edit business information stored in the database (take a look at this and login with admin/admin to see a complex CRM application)

I have seen huge cumbersome application servers built around PHP that are a nightmare to maintain

This problem doesn't discriminate by language. :) Perhaps it's more common in PHP because the barrier to entry is lower.

My guess is that PHP needs a better OO design (and no, PHP5 is not it, yet)

I think you could argue PHP5's OO design is good enough, or just as easily argue that it's not. I'm curious, though, what your main complaints wants with it are.

better seperation of logic and presentation for larger systems

I was looking for this for quite a while and then found Smarty. At first, it seemed so simple that I disregarded it as being glorified search-and-replace templates. The temptation is to think "I can just do that by echo variables inline." But truth is, there's much more to it than that. After giving it a fair shake, I've discovered that it's an incredible useful, clever design. It's much more functional than it seems on the surface. It made PHP substantially more useful to me.

Between PHP5 and Smarty, I think there's a pretty good basic core toolset to work with. I actually think Java tries too hard in certain areas -- too many features, too much syntax, too heavy-handed typing system, too much complication. But no question it has its merits.

- Scott

Then what's the set_error_handler() function for?

I have to agree about the OOP, though. I wrote a pretty large-scale ecommerce project in php, though, and it took me about 1/5 the time it would have taken in perl.

Is it web-based? Try giving PHP's ldap functions a look-through.

This world would be a much better place if everybody programmed in C++ instead of Perl.

You want to write websites in C++ just to get object orientation? You clearly have far too much time on your hands. Try PHP4 or, better, 5. You'll find most of the code you need for free in existing online repositories, and even find a fair bit of the syntax familiar.

Tell your clients to install their own copy of MySQL (or contract out to them to do it yourself!), then install and compile PHP against that copy of MySQL (which you obtained perfectly legally from the MySQL site), and then install your product that uses PHP, and you're fine.

The whole idea is that you can't redistribute MySQL code under a license that prevents others from redistributing that code. But you can distribute your code, and MySQL can distribute their code, and some person can take your code and MySQL's code and have them work together, and that's just fine.

it should absolutely refuse to run if magic_quotes_gpc is OFF

I hope php-nuke does not rely upon register_globals

Since PHP-Nuke is popular and GPL, there are a few PHP-Nuke derivatives that have been locked down pretty well. Start by looking at Nuke Fixes, Nuke Resources and Nuke Forums. The derivatives worth a look that I know of are:

• MyPHPNuke
• Postnuke
• Nuke Cops PHP-Nuke Enhanced Bundle

it should absolutely refuse to run if magic_quotes_gpc is OFF

I hope php-nuke does not rely upon register_globals

Since PHP-Nuke is popular and GPL, there are a few PHP-Nuke derivatives that have been locked down pretty well. Start by looking at Nuke Fixes, Nuke Resources and Nuke Forums. The derivatives worth a look that I know of are:

• MyPHPNuke
• Postnuke
• Nuke Cops PHP-Nuke Enhanced Bundle

If php-nuke contains lots of code like this, it should absolutely refuse to run if magic_quotes_gpc. is OFF. This setting will not, of course, protect against the problem you described, but if the code contains this kind of stuff, almost all SQL statements could do much nastier stuff.

Also, I hope php-nuke does not rely upon register_globals (your example makes it look like it does).

I'm looking for some kind of message board system similar to php-nuke, but it needs to be rock-solid since it will be running in a sensitive environment. I'm willing to write my own, but don't have lots of time so I might be hiring someone to do it (idea is that it's much easier to carefully audit 100% of the code if it follows my spec and contains only those features I need). This sounds like a trivial project to write, but as I spec it out, it ends up being a lot of code.

Anyone have any suggestions? It needs to be modular code as I will be ripping out and replacing chunks of it (logins will go to our LDAP server, groups and boards will come from our existing SQL databases), it does not need spurious features, it needs to look very polished and professional, but most importantly, it needs to be very careful, audited code. I would prefer php or python over perl.

... can process Java code that's not a bit slower than native Java on Windows.

Orrr ... They can just stick with mod_perl or WebWare for Python or PHP or some other truly open source technology that isn't controlled by forty-thousand corporations all with an invested business interest in competing with Microsoft.

I swear to God, every time I hear a phrase like "suited to the Enterprise" it's accompanied by a Java, Microsoft, or IBM article, all of which have a huge interest in convincing you that in order to sell a widget on the Internet you've absolutely, no-question, gotta have nineteen layers of logical infrastructure completely independent of each other otherwise your site's gonna go down and boy are you going to pay. In the meantime, sites like Yahoo run their e-commerce off of Lisp, PHP is their standardizing implementation language, Amazon is hiring Perl programmers, and Slashdot, a site which regularly DOSes other sites by virtue of it's power to link, runs on Perl.

But if you really want to be successful YOU NEED JAVA FOR THE "ENTERPRISE". Only with Java can you take half the time to express what takes twice as much typing to code. Or maybe by "Enterprise" what everyone really means is the USS Enterprise? Maybe that's why it could max out to warp 7.

On page 2 of interview:

"Perl, Python, Ruby and Tcl are the four dynamic programming languages that get the most publicity as open source projects, and I think they have a lot more in common than they differ."

Hello? Language Usage Estimates (based on Google searches).

Depending where you look, PHP gets far more publicity than Python, Ruby and Tcl put together, for example: Head-to-Head: PHP vs. ASP.NET.

Quit being some kind of language snob. PHP may not be the greatest language ever designed but it's highly popular and aside from web sites, does a reasonable job on the command line and is capable of simple desktop apps: PHP-GTK.

More to the point, alongside Apache, it's one of the main things holding off the Beast from domination of the Internet.

If I See Another Hyperlink I Might Explode

The HTTPD user should be a member of each users group so you don't have to set world rights to your files. Assuming it's just hosting and no other rights are required.

I like this idea but as a customer if I can run CGI pages or PHP (without safe mode) then it's easy to read everyone's files anyway because the script runs as the apache user.

Yes suEXEC exists but it places restrictions on the CGI which limits customers programming.

I have used CGIwrap and really liked it. Also it is some of the nicest C code I've ever read/worked with.

I heard Apache 2.0 may allow for the listening process to fork and change it's UID but 2.0 still isn't considered stable by most. In fact php.net says Warning Do not use Apache 2.0 and PHP in a production environment neither on Unix nor on Windows. To be honest I haven't tried apache 2.0 in the last 10-12 months. When I did it had threading issues so I swichted back to 1.3.

Java is not more scalable than PHP by its own because it shares memory. Java enables/simplifies the design of scalable applications, which is not exactely the same. If there is nothing to share, then the execution model doesn't matter. If you can capilize on stuff created once for all, or at least reusable several times, then being able to share memory has a big impact.

"Java-based SEDA Web server outperforms Apache and Flash (sld12)" because of a design aimed at limiting object reinstantiations and context switching. These two pains obviously occur when you do the same things on many concurrent threads: you'd better do it once and share the result.

There is really nothing special with Java and multi-threading about that. The same is true for multi-process Apache C modules programmed to use shared memory.
In fact all four components of the LAMP architecture internally make extensive usage of shared memory (for i in linux apache mysql php; do google "shared memory" $i ; done) simply because cpu cycles and memory allocations are expensive and high performance objectives imply not to waste them. If PHP had a higher level API than its existing one for managing shared memory, web programmers would be able to easily prolong the benefit of using shared memory to the application itself.

I shouldn't end my post with a flamebait but I believe that if a web developer suffers from Java's drawbacks (bytecode/JVM, performance cost of native UTF-16 strings, garbage collection, ...), he's 99% likely to under-use its strengths (great thread API, servlet model, great librairies, ...). Well used, they enable really performant designs. I've seen so many times applications refactored from C to Java performing several times faster, just because it was easy to do things smarter in Java, while very risky in C (Never had a SIGSEGV in a large multi-threaded C application ? Happy debugging and next time you'll keep it stupid!).

Yes, PHP can generate images on the fly. See http://us3.php.net/manual/en/ref.image.php.

Although this will work, it's probably not as "interactive" as the poster needs. Ie, a page refresh every time something needs to change is annoying.

Its far easier to make a call to a command line image manipulation software than to call a library and do all the work yourself.

Not particularly. For instance, with PHP:

• Image manipulation with GD
• Image manipulation with ImageMagick