Slashdot Mirror

PHP has a distinct advantage over its direct competitory: A great documentation. You can enter http://php.net/levenshtein into your browser and you get a nice page with that function's signature, behavior, examples and (sometimes extremely helpful) user comments. Basic concepts of the language and the like also get close attention in the documentation. Apart from a few "this needs to be written" pages for the most exotic/new functions, PHP's documentation is extremely useful even in the offline version without user comments.

When I tried to get friendly with Python (which failed for various reasons) I was appalled at the state of the Python documentation. There usually are three different documentation bodies that might contain what you want to know, the bodies are not always organized in an intuitive way, finding what you need isn't trivial and once you have found it you usually just have a description of what it does with little in the way of code examples etc.

The Python documentation is certainly useful, but it can't approach that of PHP, which allows you to instantly work with whatever you're looking for (and if you don't know what you're looking for, the search function and extensive linking between similar functions allows you to quickly identify it).


I think a good bit of PHP's popularity comes from the fact that the documentation makes it easy to understand and properly use functions/classes in short time, even if you never used them before. I know that it's ugly, but PHP is my shell scripting language of choice because I can quickly implement just about everything I need, whether I have done that task in PHP before or not. It's essentially what VB is for GUI development: Ugly but very design-time efficient.

That's not actually what magic_quotes does: "When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically." (magic_quotes). The IBM example is bad; even with magic_quotes on, that query would fail.

PHP provides some protection against SQL injection by disallowing multiple statements in a single mysql_query call. However, here's a fairly realistic exploit example:

INSERT INTO USERS (username, admin) VALUES ("$_POST['username']", 0)

With magic_quotes on, this would be secure. If magic quotes are off, however, an attacker can enter the username haxx0r", 1)-- to be registered as an admin.

You know, I'd really love to know where you're getting this 1-2 year figure.

They began switching off register_globals() as of PHP 4.2.0, which has been out for just over 6 years. You had to manually go in and enable it in your php.ini, and there were many exclamation marks in the docblocks warning you about how this would be going away and you were damning yourself to deprecation purgatory if you relied on it.

Hell, they discontinued support on PHP4 at the beginning of the year.

Features like safe_mode, magic_quotes_*, register_globals, and open_basedir have long been known to be security issues and have been kept in BC for almost 7 years now. To state that this was a premature deprecation is fairly insulting.

PHP actually does have anonymous functions, although they're implemented in a somewhat clunky fashion.

That will means developers will start using unicode only to find scattered lines of code throughout the app doesn't work as the core function it uses doesn't support unicode. The overhead of keeping track of which functions do and don't support unicode will be a nightmare.

Dude, it's already a nightmare. For my employer, I had to move from MySQL 4.0 to 4.1 or higher, as well as move into UTF-8 land with PHP. Anyone who has done this knows that's a double-whammy, as MySQL had a huge shift regarding this stuff with the move to 4.1. Going to PHP's page on which functions need to be replaced is woefully incomplete. You cannot just substitute the functions they mention. There are dozens of others that have problems with multibyte text, and they're not flagged at all. I took it upon myself to create a Greasemonkey script that will flag the dangerous functions in PHP's online manual. But even still, a lot of it is educated guesswork because I can't program at the level they do, so reviewing their source code is grueling for me.

To be honest, this is one thing that the Perl team got right. I don't know how painful it was for them, but for me, UTF-8 just worked in Perl. I wish PHP could reproduce that, but it's already too late. The best we can hope for is that they keep working hard and work well.

Absolutely. It's not like anyone still uses PHP.

Absolutely true. One situation where unit testing is even more important is when writing in dynamically-typed scripting languages like Ruby and PHP. I tend to find that if I'm writing a small Java class, I don't really need to write tests, since I can rely on the compiler to pick up any type flubs I make - while in scripting languages, it's very useful to have the tests to make sure one doesn't screw up the typing.

In Ruby, I've been getting into the 'BDD' side of things on an open source project - using RSpec. It's pretty cool, actually. You write your tests so that they describe the behaviour (using brackets rather than do-end so that non-Ruby folks can read it):

describe "Cars" {
it "should have four wheels" { car = Car.new; car.wheels.should == 4 }
it "should have a reverse gear" { lambda { car = Car.new; car.reverse_gear! }.should_not raise_errors }
it "should have reclinable seats" { car = Car.new; car.driver_seat.recline!; car.driver_seat.location.should == :reclined }
}

What's cool about this is that the code describes what the class should do and is a lot more readable than the standard xUnit tests (is it assert_equal(expected, actual) or assert_equal(actual, expected)?), it forces you to write tests for the actual behaviour - the things that the code is doing! - and it also makes a really pretty HTML output that has each description and behaviour listed - coloured with red (if the test is written and fails), yellow (if the test hasn't been written) or green (if it works). The BDD approach is extremely hyped up and trendy in the Ruby community, but is actually well worth pursuing. Especially now JBehave exists.

Something like unset?

Try setting up a database with two tables: multitest and multitest2. Put some rows in them.

Now try this:

You will see that multitest2 was not dropped.

"I seem to recall not long ago that MS effectively shut down IE development because in their view it was done, complete, no more to do there. Oh but then Firefox came along with extensions, tabbed browsing, and whatnot and IE started up again (imagine that, it wasn't done after all)."

Using your own words, "Troll with a F-ing boat anchor why don't you".

"Let's see, no linux, no apache, no gcc, no perl, no php, no ruby, no BSD of any kind (meaning no OSX), no advanced web browsers (as above), no ogg, no emacs, no pile of email clients (yes we would all be using outlook, from '95) ... this list can go on for a long time. Yeah that would be a great world...

Gates is referring to GPL'ed projects in the article. Let's look at the projects you listed:

Linux: Ok, GPL
Apache: *bzzt* Not under the GPL
GCC: Ok, GPL
Perl: Ok, GPL but also under Artistic License
PHP: Not under GPL anymore (see http://www.php.net/license/)
Ruby: GPL and its own Ruby License (see http://en.wikipedia.org/wiki/Ruby_programming_language#Licensing_terms)
BSD: existed before the GPL
"advanced web browsers": no. Opera? Safari? yah ok
Ogg: GPL or BSD-like (see http://vorbis.com/faq/#slic), but not wide-spread
Emacs: this is a joke, right?
"pile of email clients": another joke, right?

Interesting how (with the exception of Linux), the most well-known projects on that list are either dual-licensed or use some other license over the GPL..

Maybe Gates is onto something after all.

This breaks my brain, even for the normally stereotypically slow, stereotypically technology-shy government (though I will say that a lot of the Government of Canada sites work surprisingly well in my experience).

SQL queries IN THE QUERY STRING. Someone reading their FIRST BOOK on web development would know not to do that! And now God help the people who have been affected by this: try proving to the government that you're not a sexual offender when you're already on their list.

SQL injections. Learn them. Learn how to mitigate them (a PHP-specific example, but there are similar mitigation techniques for other languages). And I mean, hell, in a site like this (and especially with programmers apparently this bad), stored procedures might be the thing to implement. Or even better, use a framework like CakePHP, Rails, or Django with this sort of sanitation built into the queries it generates.

Ugh. I hope someone gets fired for this. I bet, though, that in reality this was programmed by the lowest bidder.

What's wrong with the online documentation? This is all I ever needed...

6.0 is released, but it's pretty beta. You can download it here. It has a lot of changes. You can read about some of the important changes here.

HEAD PHP became PHP6 over a year ago. You can get snapshots if you're so inclined.

No.. they just know something you don't. :)

You can always try php.net. I find that it's a fairly good introductory tutorial into regular expressions going through all the basics and such. It might be a tad specific, but the general science behind them is there and should allow you to quickly learn them in any language.

I honestly don't know enough about Perl to say (something I intend to remedy one of these days) but my guess is PEAR is to PHP what CPAN is to Perl.

I would guess that this was more likely a script-kiddie running some scanner tool trying to make use of a vulnerability in a PHP application (PHPBB, Mambo, Drupal, etc.)

In order for the attack to work, you'd have to enable the allow_url_include option, which is off by default http://www.php.net/manual/en/ref.filesystem.php#ini.allow-url-include. It would probably also need register_globals enabled, which is off by default as of PHP 4.3 (I think 4.3, it started being off in version 4). I think that allow_url_fopen allowed this behavior in PHP 4.3 http://phpsec.org/.

It's unfortunate that there aren't more decent PHP programmers. I suppose it's true of any language. You have to start somewhere.

@3 you mean this?
$class = new ReflectionClass('classname');
while ($class) {
        echo $class->getName(), ' ';
        $class = $class->getParentClass();
}

@1 you can disable the file upload feature and use php://input instead. But you won't need it to show an upload progress meter. That's already a feature of the file upload handler, but needs an extension so it can be handled from PHP. http://pecl.php.net/package/uploadprogress is one and it's also part of http://pecl.php.net/package/APC .

@3 you mean this?
$class = new ReflectionClass('classname');
while ($class) {
        echo $class->getName(), ' ';
        $class = $class->getParentClass();
}

@1 you can disable the file upload feature and use php://input instead. But you won't need it to show an upload progress meter. That's already a feature of the file upload handler, but needs an extension so it can be handled from PHP. http://pecl.php.net/package/uploadprogress is one and it's also part of http://pecl.php.net/package/APC .

It seems this is more of a financial decision than a technical one. Most frameworks work, and with enough expertise can work well. Sure, there's crap out there, but by and large this is a function of profit.

1) Is your company currently profitable? If not, is a significant reason for that because of the cost to maintain your applications?
2) If you are currently profitable, are your forecasts showing continued profitability?
3) Is your IT budget forecast to increase, and if so is that due primarily to increased maintenance costs? If yes to both, then maybe.

There's no easy way to know for sure. Despite my previous jab against PHP, there are plenty of successful PHP applications about there. But assuming that it was a relatively unused technology, and you were having a hard time finding PHP coders, I still think this would boil down to a financial decision. If it turns out to be IMPOSSIBLE to find developers, then train the new hires.

There's plenty of frameworks out there specifically for separating content from layout. Just look in http://pear.php.net/.

I know nothing of ASP or its Master Pages, but when it comes to said separation, I favor HTML_Template_IT for its simplicity. For those who want a more "involved" templating system, there's things like Smarty, which I think doesn't quite have as strict a separation as I'd like.

http://us.php.net/maunal

It is a bit disappointing and surprising to see that the author spent more time talking about Silverlight and moderation and other things when he could have written about the *other* open source things that Yahoo! either supports directly or where patches have been contributed. Where is the discussion about Hadoop, Pig, ZooKeeper, YUI, PHP, ... ? Do these not impact Linux users from his point of view?

I think the public nature of the bid suggests that private behind-closed doors negotiations have failed and they're trying to attempt a near-hostile takeover. YHOO shares have jumped about 10 USD over friday and a lot of us have been getting rid of them. And I wonder who's buying all of these, in reality? Someone who'd pay 31 dollars for a share, when they could instead buy it in-market at 28?

I'd really hope it was some sort of last-ditch effort to put shareholder pressure onto Jerry Yang (yes, I do work at Y! and I do have a very nice job, which I'd be really sad to leave ...). And yeah, read my domain to figure out exactly why I would have to :)

Here's to hoping that it doesn't happen (for YUI, flickr, freebsd, hadoop and del.icio.us!)

Actually, I said that PHP can't include files using require() from domains other than the one that is serving the requested file.

I stated that the settings you were naming are off by default.

you know what they say about winning an argument online.

mysql_connect() is supposed to connect to a unix-domain socket, not an IP address.

Got a reference for that?

Socket based connections weren't added until 3.x.

As far as I know, you can't require() a file from a server other than the one that the current file was requested from.

So your statements about "require() pulls in files unexpectedly from malicious sites" is completely false.

As to "programmers are encouraged to use mysql_connect()", well that might be in your neck of the woods. By my 2nd year of development I had written a custom connection class to handle it all, protect the data from injection and do any number of modelling that I needed it to.

"Regular expressions are so prevalent"??? I have written stuff for Google Maps, Inform's API, CakePHP, e107, phpbb, punbb, and hundreds of other php junk and used regular expression maybe once. Could you please list any php app package that uses them heavily?

As far as I know, you can't require() a file from a server other than the one that the current file was requested from.

So your statements about "require() pulls in files unexpectedly from malicious sites" is completely false.

As to "programmers are encouraged to use mysql_connect()", well that might be in your neck of the woods. By my 2nd year of development I had written a custom connection class to handle it all, protect the data from injection and do any number of modelling that I needed it to.

"Regular expressions are so prevalent"??? I have written stuff for Google Maps, Inform's API, CakePHP, e107, phpbb, punbb, and hundreds of other php junk and used regular expression maybe once. Could you please list any php app package that uses them heavily?

You mean like mysqli_stmt_prepare ?
http://us2.php.net/manual/en/function.mysqli-stmt-prepare.php

Looks pretty much like PERL's version
http://articles.techrepublic.com.com/5100-3513_11-6139247.html

Announcement: http://www.php.net/releases/5_2_0.php
Change Log: http://www.php.net/ChangeLog-5.php#5.2.0p
Upgrade Guide: http://www.php.net/UPDATE_5_2.txt

Announcement: http://www.php.net/releases/5_2_0.php
Change Log: http://www.php.net/ChangeLog-5.php#5.2.0p
Upgrade Guide: http://www.php.net/UPDATE_5_2.txt

Announcement: http://www.php.net/releases/5_2_0.php
Change Log: http://www.php.net/ChangeLog-5.php#5.2.0p
Upgrade Guide: http://www.php.net/UPDATE_5_2.txt

If there is anything that I have learned in the past 10 years of writing code (since before high school), I have learned that the following sequence of learning is ideal.
1. HTML/CSS/JavaScript - Get acquainted with web programming. None of that Nambly-pambly BBCode crap that they offer on MySpace.
2. Python - I wish I had got into this before I learned C++. Good for learning about shells if you decide to switch to Linux or BSD, especially if you decide to create your own website through a webhosting provider that uses SSH.
3. C/C++ and/or PHP/MySQL. - Playing with the big-boy toys at this point. The safety net that points 1 and 2 provided has been lowered.
4. OpenGL or Assembly Programming. - Really advanced programming! OpenGL is high-level. Assembly is low-level.
From there on, the sky is the limit.

http://uk.php.net/create_function

And if you can't see what's wrong with that (especially if you think it's comparable to anonymous functions in Lisp, Ruby, Haskell, etc etc), you need to go boil yourself in oil.

Technically you're talking about the available functions, not the "language" itself. But, semantics aside, I would argue that your complaint is being addressed. The Zend Framework I linked to and the SPL are PHP class libraries that you can use if you would prefer to work with PHP in OO way and (for the most part) forget about calling PHP functions outside of a class or object context.

yes, I know that but one can also query sysobject to get tables in PHP too and therefore, there should be a good number of PHP based sites which have MS-SQL backend getting successfully attacked. But I've not seen that.

Maybe there is something in the attack which only works for MS-ASP SQL-injections since that sure looks like the case. I just figured that someone would have picked this apart and figured it out. And who knows, maybe every site out there that uses PHP, Perl, Python, etc for web site scripting just don't use MS-SQL backends. Doubtful but a possibility. Not likely since it looks like atleast two people are: http://us3.php.net/mssql_field_type

LoB

http://www.php.net/nl2br. seriously, it's 2008. and what's up with the 2 minute+ wait between posting? i don't even see an option for editing my post (i haven't looked very hard, so if somebody wants to just chime in if that option exists i'll be really grateful for saving me the time i might have to spend finding it, what a pointless pursuit that would be]). for a site written by people capable of understanding how to...create a site, this one sure is a pain in the ass to use.

Maybe OSS should actually be pushing for Silvelight to win, as you can at least create Silverlight content in notepad for free, and aren't forced to buy a massive Adobe illustration package just to put a few pretty buttons or videos on your site.

Never heard about Ming, haven't you?
Ok there is no fancy GUI but you can create some SWF contents with your notepad...
Look to the examples here. I found a page with a lot of very nice examples, but I can't remember where...

The worst part is PHP still don't have prepare/execute statements for binding values.

I don't care how many people are in your enterprise; when you create a resource for the public (like MSDN), publish your entire API references etc. there, your URIs should not be changing every month. I've had the same experience as the OP, where I'll bookmark something on MSDN and try to pull it up merely a few weeks later, only to hit a 404. Even the MSKB URIs keep changing around. "This article (876543) was previously known as 'Q876543'" and such tripe. Pick a consistent gosh-darned convention and stick with it. It seems to have something to do with constant reorganization of their "tree" navigation structure, but whatever the cause, it's damned annoying.

Five years ago, I could go to http://php.net/fsockopen and be taken to the documentation for that function. The same URI works today. There's no reason that I shouldn't be able to go to http://microsoft.com/api/win32/wsastartup and rely on that URI to point wherever Microsoft has decided that documentation wants to go today...

Return Values

As of PHP 4, eval() returns NULL unless return is called in the evaluated code, in which case the value passed to return is returned. If there is a parse error in the evaluated code, eval() returns FALSE and execution of the following code continues normally. It is not possible to catch a parse error in eval() using set_error_handler()

It is not just the forums, it is in the php documentation itself. For instance, the documentation for the 'date()' function on the php.net website has the following example code:

mktime(0, 0, 0, date("m") , date("d")+1, date("Y"));

The problem with this example is that the date() function can return a different value every time it is called - because time keeps on ticking (into the future). So this code has a good chance of failing at any midnight, end of month, or end of year.

Many of the contributed posts at the end of that page also make the same mistake.

A few years ago I posted a friendly comment saying that you are better off getting the timestamp once and then manipulating the fields individually instead of calling date with no timestamp repeatedly.

Instead of any rebuttal or comment to my posting, they just deleted it.

It is scary to think of how many websites out there use broken code like this. I hate when example code is flawed. Avoid doing transactions at midnight server time!