Slashdot Mirror


PHP5 Co-Creator Interview

mandozcode writes "I came across an interesting interview with PHP co-creator Zeev Suraski at Open Enterprise Trends on the latest upgrades for PHP5's First Release Candidate (just released a week or so ago). Sounds like lots of improvements to help make it in the enterprise, including better bundled support for SQLite and XML. Also encouraging, looks like Zend is getting more millions in VC investment."

53 comments

  1. PHP's broken security model by Mr. Darl McBride · · Score: 3, Interesting
    I can't take PHP seriously for one reason alone: No built in suid mechanism.

    If you enable PHP on your apache server, all PHP runs as the same user. That means any files writable by one PHP script are writable by all PHP scripts. There's no such thing as a secure apache PHP installation unless you run in feature limited mode which breaks virtually all PHP scripts and makes it unusable for most tasks.

    Until PHP adds suid so PHP runs as the user owning the script, it's a no-go. Run in high security mode it's usable as a toy at best, or run in default mode, it's a security nightmare.

    I've spoken with the PHP developers about this at several conferences. Their solution is that you have each user run their own copy of apache or have each user create their own PHP installation and run everything as CGI, launching the local PHP copy. I'm sorry, but that's insane.

    I don't give a lick about new features if you can't get the foundation fixed. Take care of the wet sand base before you up the supported database count or make grand announcements about clever new scripting keywords.

    1. Re:PHP's broken security model by sinergy · · Score: 1

      Welp, time to start taking over websites on shared hosting companies.

      --
      ...
    2. Re:PHP's broken security model by Gislobber · · Score: 3, Informative

      I totally agree with your argument. A friend and I have been searching for a resolution to this for quite a while.

      Then the other day, I think he may have found our (temporary) savior.

      This module is in development, but looks to be almost *exactly* what we are looking for.
      http://httpd.apache.org/docs-2.0/mod/perchild.html

    3. Re:PHP's broken security model by Fweeky · · Score: 2, Insightful

      Eh, this is really outside the scope of PHP to fix; it's something for CGI suexec, FastCGI, Apache's perchild MPM, or some other higher level system for web based scripting to deal with.

      If you don't want to take PHP seriously, do so because of its instability (and poor release engineering), its lack of speed (which has been partially fixed several times, but hey; Zend need to make their money!), the complete mess its extensions are in, the inflexibility of the language (again, partially dealt with in Zend 2, but still a world away from some other dynamic languages, with lots held back by the extreme bittersweetness of backwards compatibility, which seems to break a lot anyway), the userbase mostly consisting of programming newbies, the ever-bickering devteam, or any of a thousand other issues you can pick on PHP about.

      But hey, I still use it. Doesn't mean I have to like it.

    4. Re:PHP's broken security model by Anonymous Coward · · Score: 0
      Security problems like this aren't in the scope of PHP to fix in much the same way mad cow disease isn't in McDonald's scope.

      If something is causing you huge problems, you find a way to get involved.

    5. Re:PHP's broken security model by Hungus · · Score: 1

      It is quite possible to make PHP very secure, it just takes decent coding and a lot of work. As for scripts being writable by other scripts, well the solution to that is to not allow any scripts other than a select set to be able to run and have none of them writeable, this is how I code for the medical industry.

      --
      Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
    6. Re:PHP's broken security model by Anonymous Coward · · Score: 0

      you have just shown how little you understand. one compromised script can touch all the scripts' data across all user accounts.

    7. Re:PHP's broken security model by Anonymous Coward · · Score: 0
      it happens every day of the week, my friend

      hackers love to google for "powered by gallery," "pblog," "made with movable type" and similar. old versions mean known exploits, which means defacements on a single host by the hundreds.

    8. Re:PHP's broken security model by Anonymous Coward · · Score: 0

      Eh, this is really outside the scope of PHP to fix

      Sure, but IIS supports this, but not when you are running PHP.

    9. Re:PHP's broken security model by sumbry · · Score: 3, Insightful

      I can't take PHP seriously for one reason alone: No built in suid mechanism.

      You gotta be kidding, right? I mean this isn't even a concern if you aren't running in a shared hosting environment. Seems a bit premature to toss out an entire programming language that could potentially be beneficial because you don't agree with how it's implemented in one particular situation.

      That said, it is entirely possible to get PHP working w/Apache suExec and to automatically have it execute php scripts as the User/Group specified in an Apache VirtualHost block.

      http://www.localhost.nl/patches/phpsuexec_howto.html

    10. Re:PHP's broken security model by Hungus · · Score: 2, Insightful

      And how are you going to compromise the scripts? With good implementation none of the user input data is trusted anyways. PHP is sandboxed and will not allow any scripts outside of a particular directory to execute, and on our systems that directory is on read only media to begin with, so I suppose yes if you break into the colo facilities manage to find my clusters amongst the racks and change out the storage arrays then I am in trouble otherwise I simply don't see it. Obviously I am not going to disclose details of the system in an open forum other than to say it is built fully from open source, and rivals the largest listed databases in size and to this day has yet to have a breach. Of course it helps that we are always working to improve it and keep things patched too :) )

      You don't like PHP that's fine and dandy. In fact it's good because that's why we have a number of diverse languages. However there is no good reason to make such broad sweeping statements, especially when you aren't willing to go on the record as to who you are. I could say things like all windows products suck, but that simply is not true (yes I still like NT3.5x and NT 4 but you have to know how and where to use them I will stick with my BSD boxes for anything needing to actually be used). I could say all open source applications are used by terrorists, which would be nearly as silly.

      --
      Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
    11. Re:PHP's broken security model by Mr. Darl McBride · · Score: 2, Insightful
      You gotta be kidding, right? I mean this isn't even a concern if you aren't running in a shared hosting environment. Seems a bit premature to toss out an entire programming language that could potentially be beneficial because you don't agree with how it's implemented in one particular situation.
      I would venture to guess, and I doubt I'd be far off, that this "one particular situation" represents >90% of all potential php servers. It is absolutely insane to ignore this.
    12. Re:PHP's broken security model by Anonymous Coward · · Score: 0
      And how are you going to compromise the scripts?
      Shared hosting. For $10 a month, you can get into any of thousands of servers where you can write your own PHP and use it to pummel other users' data.
    13. Re:PHP's broken security model by Anonymous Coward · · Score: 0

      who needs shared hosting? you can find old versions of movable type all over with vulnerabilities

    14. Re:PHP's broken security model by Hungus · · Score: 1

      you aren't going to get shared hosting on one of my machines ... plain and simple. Not only do we own the machines but the racks they sit in and the routers they connect with. We just lease the floor space, and the net connections. Again your argument is invalid, though that's expected for an AC.

      --
      Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
    15. Re:PHP's broken security model by Anonymous Coward · · Score: 0
      bwa ha ha! If anyone wanted absolute PROOF that php is not enterprise ready, you just gave it! You guys don't have a clue about security. Read a book!

      Isn't a concern if you aren't running in a shared hosting environment? That's most users!

      Even if it's a server for just one company or person, any noob wants to run different web apps as different users. If a vulnerability is found in one of your PHP apps, all your PHP apps are compromised!

    16. Re:PHP's broken security model by Anonymous Coward · · Score: 0
      Again your argument is invalid
      my argument is that php is insecure for multi-user environments. you're saying that your having locked down your server and being afraid to use a shared server for php refutes this?

      read what you wrote. you might laugh just as hard as i did.

    17. Re:PHP's broken security model by Mr. Darl McBride · · Score: 1

      How did you prove his argument invalid? You just said you were afraid to run PHP in a shared hosting environment. Sounds to me like you actually proved his point. (And mine.)

    18. Re:PHP's broken security model by Hungus · · Score: 1

      no the initial argument was that PHP was by definition insecure not just in a shared environ, further nowhere did I say I was afraid to do anything, on the other hand as I have said it is a medical application, and to be honest runs on a cluster of over 60 machines so it's not like there would be any room for anyone else anyways. I will say that I would like to be able to run several instances of php separately, and to the best of my knowledge that is not a trivial issue. I don't care what OS you run on (QNX is what we are looking at for the next project), but when you are dealing with federal medical regulations you don't let anything else play on your systems, to do so could mean big fines and even possible jail time.

      --
      Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
    19. Re:PHP's broken security model by Mazzie · · Score: 2, Insightful

      Ahhh... the search for the "perfect" language continues.

      No one language is going to work for everyone. Is PHP the most secure language? Definitely not. Is it one of the easiest to learn languages? Yes.

      Hind-sight is 20/20. I am sure that way back when PHP was created, had they known that such a ginormous percentage of websites on the Internet would be using it they might have done things differently. Who knows...

      PHP is so popular because it is easy to learn, supported by a massive, massive user base, and is developed rapidly in response to user requests for new features. Is PHP an enterprise language? That is a hot topic of debate.

      Some people would argue that Perl is an enterprise language, and that started out as a tool for system admins to make managing *nix servers easier. PHP started out as a tool to make developing dynamic websites easier.

      It would be hard to argue against PHP being an extremely powerful language for developing websites. As site developers demand more and more from the language, and build bigger and bigger apps I think it will grow and morph to meet those challenges.

      I don't think PHP is going anywhere anytime soon, and I think it's only going to improve as more people jump in and help improve it.

      --
      Having a bookmark to Google does not make you an expert on everything.
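
Added example (not part of the original thread, and not code from PHP or Apache): the shared-identity problem argued over in the comments above, seen from the hosting administrator's side. This Python sketch walks a document root and lists every path that the single account all PHP scripts run as could modify, using the classic owner/group/other check; the uid, gids and sample tree are constructed for illustration, and ACLs and read-only mounts are not considered.

```python
import os
import stat
import tempfile

# Permission bits the kernel consults for each class of accessor.
WRITE = {"owner": stat.S_IWUSR, "group": stat.S_IWGRP, "other": stat.S_IWOTH}
SEARCH = {"owner": stat.S_IXUSR, "group": stat.S_IXGRP, "other": stat.S_IXOTH}


def perm_class(st, uid, gids):
    """Return which permission triplet applies to a process with (uid, gids).

    Classic Unix rule: the first match wins, so the file's owner is judged
    only by the owner bits even if the group or other bits are more generous.
    """
    if st.st_uid == uid:
        return "owner"
    if st.st_gid in gids:
        return "group"
    return "other"


def audit(root, web_uid, web_gids):
    """List (relative path, class) for everything web_uid could modify.

    A writable directory is reported too, because it lets the identity create,
    rename or delete entries inside it. Directories the identity cannot search
    (no execute bit) are not descended into: their contents are unreachable.
    Symbolic links are skipped rather than followed.
    """
    findings = []

    def visit(path):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return
        cls = perm_class(st, web_uid, web_gids)
        if st.st_mode & WRITE[cls]:
            findings.append((os.path.relpath(path, root), cls))
        if stat.S_ISDIR(st.st_mode) and st.st_mode & SEARCH[cls]:
            for name in sorted(os.listdir(path)):
                visit(os.path.join(path, name))

    visit(root)
    return findings


# Constructed sample layout: (relative path, mode, is_directory).
DEMO_TREE = [
    ("alice", 0o755, True),
    ("alice/index.php", 0o644, False),          # readable only: fine
    ("alice/config.php", 0o666, False),         # "chmod 666" install step
    ("alice/uploads", 0o777, True),             # upload directory
    ("alice/uploads/avatar.png", 0o666, False),
    ("bob", 0o700, True),                       # private to its owner
    ("bob/data.db", 0o666, False),              # unreachable through bob/
]


def build_demo_tree(root):
    """Create the constructed sample tree under an existing directory."""
    os.chmod(root, 0o755)
    for rel, mode, is_dir in DEMO_TREE:
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)


def demo():
    """Audit the sample tree as a hypothetical shared web server account."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        me = os.lstat(root)
        fake_web_uid = me.st_uid + 1  # assumption: a uid owning none of the files
        as_other = audit(root, fake_web_uid, set())
        as_group = audit(root, fake_web_uid, {me.st_gid})
    return as_other, as_group


if __name__ == "__main__":
    for label, result in zip(("no shared group", "shared group"), demo()):
        print(label)
        for rel, cls in result:
            print(f"  writable via {cls} bits: {rel}")
```

Every path in the report is one that any script running under the shared account can alter, whichever customer's script it is; under a per-user execution setup such as the suExec arrangement mentioned above, the same audit would be run once per user identity.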
  2. php by larry bagina · · Score: 0, Troll

    maybe they should spend less time adding new functions that don't work and fix up php's speed issues? Every time php serves a page, it must parse the file, do syntax checking, convert it to bytecode, then interpret it. It should compile it to bytecode once and just run the bytecode. Perl, C#/.Net, jsp, csp, etc. all work that way, that's one reason they're serious languages for web development and php is a toy.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

    1. Re:php by Anonymous Coward · · Score: 0

      If you're that concerned about speed. http://www.zend.com/store/products/accelerator-how-it-works.php

    2. Re:php by DAldredge · · Score: 1

      If they did that they would not be able to charge for their Zend Accelerator...

    3. Re:php by sumbry · · Score: 1

      PHP's content accelerator (Zend) is free. And if you don't want to use it, there are plenty of other accelerators that have been designed that you can drop into your php.ini and have working in minutes.

      IonCube - http://www.php-accelerator.co.uk/
      MMCache - http://turck-mmcache.sourceforge.net/

      That said, a company following the model of PHP/Zend actually gives me some peace of mind. These guys have the right balance of OpenSource/Business that I think a lot more projects/companies need to realize.

      While existing in a pure OS world would be great, it's not practical now. And if you wanna use PHP now, fine no problem. You can download it and the entire source for free. However if you are a business and want to take advantage of load balancing, development environments, and other advanced features then hey - you're making money as a business and can afford to drop a few duckets to further the development of the project.

      What's wrong w/that?

    4. Re:php by Anonymous Coward · · Score: 0

      If so many people are concerned about speed, why not run websites on C? With all the process forking going on at heavily used sites, C would offer an immediate benefit. I often wonder if the reason C is not used is because today's programmers have become lazy. What else would explain the current popularity of pointer-free languages?

    5. Re:php by JimDabell · · Score: 1

      With all the process forking going on at heavily used sites, C would offer an immediate benefit.

      The usual method of running PHP is with Apache configured to spawn a number of child processes when it starts up, and to handle connections using those processes.

      A new process is not spawned for each new request. You may be thinking of the old standalone CGI method.

    6. Re:php by Richard_at_work · · Score: 1

      There are many bytecode cachers that do this for you, indeed zend supply one free of charge.

    7. Re:php by nickos · · Score: 1

      You can :D

      Use mod_spin, a template engine with C API
      support and session data tracking.

  3. code in the db, wow! by Charles Dart · · Score: 2, Funny

    The idea of being able to manipulate store retrieve and execute on the fly is currently blowing my mind. I can't wait to get started on it. This is truly groundbreaking


    Bring on the Lang X has had that for years

    Yea, with a lot of lame hacks you could have done this with a file structure with php itself. But this sounds seamless.

    1. Re:code in the db, wow! by arkanes · · Score: 1

      Just to be clear, any language that can do dynamic evaluation has had this always. Language extensions to make it seamless is innovative but not groundbreaking - it's a cool idea that's rarely used enough that other languages haven't made a big deal out of it. I've used database-as-filesystem type deals that work on this concept for dynamic web pages and it's largely a nightmare to maintain.

  4. Bunch of Perl haters by Anonymous Coward · · Score: 0

    Any time I talk to someone using PHP, at about minute 20 of the conversation they just explode with the rant on why Perl sucks and why Perl is unreadable and how people go to mental hospitals while trying to learn Perl.

    Which is weird, because I never mention Perl myself, nor do I make any implicit remarks about the superiority of Perl. I mean, let's get serious, Perl allows GUI apps with Tk, writing your own custom servers, parsing local files via command prompt and what not, while PHP is a bunch of templates used to process HTML this way or that way depending on what MySQL database has.

    1. Re:Bunch of Perl haters by sumbry · · Score: 2, Interesting

      I mean, let's get serious, Perl allows GUI apps with Tk, writing your own custom servers, parsing local files via command prompt and what not

      PHP GTK - http://gtk.php.net/
      Sockets for PHP - http://php.net/manual/sv/ref.sockets.php
      PHP Process Control Functions (fork, etc) - http://php.net/manual/en/ref.pcntl.php
      PHP Functions to Parse Conf/Ini Files - http://php.net/manual/en/function.parse-ini-file.php

      PHP also builds a CLI (command line interface) every time you compile it enabling you to do perl style #/usr/bin/php and writing command line scripts (even full argc/argv support).

      I'm a PHP developer - I do not think "Perl sucks" but I do think developing web applications on PHP is quicker and easier (for me) than in Perl, especially since I'm a native C coder.

      To each his own.

    2. Re:Bunch of Perl haters by rjshields · · Score: 0, Flamebait

      That's fair enough, but PHP will probably never have the breadth and depth of modules available as you can find on CPAN. Perl is more mature and doubtless has more disciples. For "enterprise development" (whatever that means) (although JSP/servlets and .NET would probably be more suitable than scripting languages), given the choice between PHP and mod_perl, I would go the Perl route simply because it is more mature, and has an aura of stability and security.

      --
      In this world nothing is certain but death, taxes and flawed car analogies.
    3. Re:Bunch of Perl haters by rjshields · · Score: 1

      Dear Mr Moderator, Simply because my view is different from yours does not make my post flamebait.

      --
      In this world nothing is certain but death, taxes and flawed car analogies.
  5. Php in the enterprise? Scary thought. by neiras · · Score: 4, Insightful

    Since its inception, PHP has gone from a simple website templating language and form processing tool, to a semi-OO scripting language hacked onto a bunch of C extensions, and now they expect to become a fully OO, enterprise-ready language?

    Scary.

    To write web applications properly and efficiently, you need a framework to support you. You do NOT want to be reinventing the wheel. Have you noticed the massive proliferation of database abstraction layers, incompatible form processing libraries, etc. etc. all written in PHP for PHP developers? Libraries of code written in a templating language! Eep. Every reasonably experienced PHP developer has probably tried to create an application framework at some point - if people keep seeing the need for one, it's a good bet PHP needs to supply one. No, PEAR is not an application development framework.

    And what is it with all those PHP developers who seem to think a "class" is another term for "static function library"? The concept of using object types is foreign to these people - they'd rather make huge monster arrays.

    Just because the "I Can Use A Database So I Must Be A Web Developer" crowd thinks every web app could and should be written in PHP does NOT mean that that's actually the case.

    PHP downright _encourages_ beginners to embed application-logic in HTML pages. I've been through a rewrite of an absolutely MASSIVE PHP site, and it was a year-long affair for five developers. The old site had become impossible to maintain. Talk about a waste of resources.

    When PHP adopts a *standard* way of separating content logic from application logic, and enforces that split (kind of the way JSP pages work with servlets), then _maybe_ there will be some hope for it in the enterprise. Until then, Java will continue to dominate. I find it funny that Java interaction is such a high priority for PHP - if Java's installed on a company's hardware, a developer's natural reaction would be to use Java, not write something in some other language.

    1. Re:Php in the enterprise? Scary thought. by wan-fu · · Score: 4, Interesting

      I do agree that all too often applications are rammed into PHP without too much forethought; however, I think PHP is already going in the right direction for enterprise level development. The object orientedness of the language is much improved since PHP3. They have the Smarty template engine which does a fairly good job of separating presentation from application. People should be encouraged to use it and I think as PHP apps get bigger, people will begin to realize the advantage to separating design logic from application logic. Most importantly, there are a variety of third-party developers creating frameworks such as the Horde framework or Blueshoes framework (I have no affiliation with either). And that's great that there are such frameworks. It's not the job of the language developer to create the framework imho (e.g. CPAN does a great job supplementing Perl).

    2. Re:Php in the enterprise? Scary thought. by self assembled struc · · Score: 1

      well, there are several template kits for php. i'm not a fan of smarty coming from a perl world, so i ported html::template over to php. it's smaller than the one on sourceforge and about twice as fast. it's not extremely pretty, but it gets the job done and done well with a good execution time.

      it's really about people writing good code, much more than PHP providing an application framework.

      (http://www.robotholocaust.com/scripts/template.phps)

    3. Re:Php in the enterprise? Scary thought. by ceejayoz · · Score: 2, Insightful

      It entertains me that many of the arguments against PHP in the enterprise can be summed up as "well, it's possible to do it poorly."

    4. Re:Php in the enterprise? Scary thought. by moro_666 · · Score: 1

      i agree that php & bigtime enterprise software have nothing in common at the time being.

      php has no business with enterprise software until it has no real security model nor a backward compatible language nor a threading model. not even thinking of application servers that interact on the language level like java's or sharing massive amount of data between threads so they would be synchronized and desynchronized as needed.

      php has a long way to go.
      i must admit that the php5 is a big step in the right direction.
      but what use is a big step if after the upgrade all old oop scripts will cease to work ?

      --

      I'd tell you the chances of this story being a dupe, but you wouldn't like it.
    5. Re:Php in the enterprise? Scary thought. by Anonymous Coward · · Score: 0

      you've never worked in the enterprise. The whole point of 'enterprise' applications is that is should be much more difficult to do it poorly. Java fulfills these needs because it is much more difficult to do anything at all.

    6. Re:Php in the enterprise? Scary thought. by rjshields · · Score: 1

      And what is it with all those PHP developers who seem to think a "class" is another term for "static function library"?

      Well, what would you expect from a procedural programmer? Incidentally, these are also the kind of developers that would shun OO as unnecessary and illogical without taking the time to understand it.

      --
      In this world nothing is certain but death, taxes and flawed car analogies.
    7. Re:Php in the enterprise? Scary thought. by JimDabell · · Score: 3, Informative

      Since its inception, PHP has gone from a simple website templating language and form processing tool, to a semi-OO scripting language hacked onto a bunch of C extensions, and now they expect to become a fully OO, enterprise-ready language?

      Scary.

      Scary? Projects evolve. Apache wasn't always "enterprise ready". FreeBSD wasn't always "enterprise ready". Just because something started out as a pet project rather than at a lab, that doesn't mean it's automatically "tainted" and cannot ever be useful to big businesses.

      Libraries of code written in a templating language!

      PHP may have started out as a templating language, but it is a general purpose scripting language now. You can even write GUI applications with it.

      And what is it with all those PHP developers who seem to think a "class" is another term for "static function library"? The concept of using object types is foreign to these people - they'd rather make huge monster arrays.

      So the language is judged on its worst practitioners? If that is the case, then, judging all languages equally, we'd better just give up this programming lark and hide under a rock.

      Rewrites of crufty code are not exclusive to PHP, you know. Neither are bad developers.

    8. Re:Php in the enterprise? Scary thought. by rjshields · · Score: 1

      The separation that needs to be there is between PHP code that affects layout, and PHP code that does stuff like writing to databases, processing forms, etc.

      Hear, hear.

      I would agree that PHP needs some standard way of separating presentation code/html from code. Both JSP and ASP.NET do a good job of providing a standard mechanism to achieve this.

      The existence of Smarty shows the need and willingness of developers to use this kind of tool. However, skipping over the important point of whether Smarty actually constitutes a "template engine" or merely a hack, I wouldn't be too hasty to use Smarty with all the other templating engines springing up and the chance that there may well be a standard replacement for it that renders Smarty code obsolete.

      --
      In this world nothing is certain but death, taxes and flawed car analogies.
    9. Re:Php in the enterprise? Scary thought. by natmsincome.com · · Score: 2, Interesting

      Your arguments are great but they apply for almost every language I know of.

      As for frameworks look at apache. Have you seen how many frameworks it has for java? What about Swing, AWT, SWT etc? Just because there are lots of frameworks doesn't mean it's bad.

      I agree with your class as a static function library but that's not PHP's fault. C++, Java and Perl have the same problem. When people learn C or VB first and then go to an OO language they generally get it wrong.

      As for bad projects I'm sure if you did an "Ask Slashdot" they'd be able to tell you about bad projects C, C++, Lisp, PHP, Java, J2EE, .NET, etc.

      As for a standard way of separating logic from content lots of people say that JSP isn't enough that's why you have stuff like Velocity and all the other framework template engines. If you want a template engine for php the default one is Smarty.

      When it comes down to it the problem you have with PHP is that it has a lot of newbie programmers that use it. Which is good and bad. Try making a simple form in JSP then do the same thing in PHP. PHP is A LOT easier. That doesn't mean it's better but it does mean people with a lower skill can do it. I'm using templates for our internal site and when other people edit it half the time they escape and go back to raw PHP and it's a mess so I fix it up and it's all clean again but they just don't get it until after I show them then it makes sense and they can do it but the next time they can't figure it out so it happens again etc.

      Does it mean you get lots of bad half baked libraries YES does it mean you get good libraries and frameworks YES (because more people start, so more people get good at it).

      If you want to look at good php projects check out:
      * Smarty
      * Mambo
      * Gallery
      * phpBB
      * JpGraph
      * phpMyAdmin

      That being said at what level do you move someone from a "HTML + PHP Hack" to a "Web Developer"?

      What makes a language "enterprise-ready"? Does an "enterprise" company just have to use it (IE Yahoo and PHP). Or does it have to have features?

      Where I work we still use PROC and PIC which is a 40 year old language that doesn't have:
      * Variable Names - Only numbers!
      * Functions - Only GOTO and GO SUB (again numbers no names)
      * All variables are global!
      * No loops!
      * No else - You have to use IF and GOTO!

      Yet this is still being used in thousands of companies all over the world! Sure it's legacy but it's enterprise ready and still being used!

      So could it be used on a massive site handling 1,000 of concurrent users? Yes, IF IT WAS DESIGNED IN THE RIGHT WAY. It wouldn't be the same design as you'd use for .NET or the same as you'd use for J2EE but it would work. It might not be the best but that depends on the problem. (Same as Clusters vs Grid)

      I've ranted enough ... have fun pulling my comments to pieces.

    10. Re:Php in the enterprise? Scary thought. by Anonymous Coward · · Score: 0
      Have you noticed the massive proliferation of database abstraction layers, incompatible form processing libraries, etc. etc. all written in PHP for PHP developers?

      It's true, PHP probably has at least a third as many as Java does now.

    11. Re:Php in the enterprise? Scary thought. by riffenator · · Score: 1

      Its called XSLT.

  6. Why would you write a templating layer in PHP? by neiras · · Score: 1
    PHP is a templating language. That was its original purpose, and it's quite good at it. The problem is, it's now capable of a hell of a lot more than templating, and people get confused about how to use it properly. The PHP people need to clarify that, and a standard PHP web-app framework is the answer.

    A lot of well-meaning people have written templating layers for PHP to "separate layout from content". What they really need to do is separate layout-related PHP code (that's the stuff that generates HTML tables and otherwise affects markup) from application-related PHP code (the stuff that modifies databases and sends email, etc).

    Smarty is a disaster. We evaluated it for our rewrite, but concluded that if we separated PHP/HTML 'templates' from PHP 'action' files, we would gain all the advantages of Smarty without the obscure formatting and slowdowns.

    I agree with you that people need to write good code -- I just think PHP needs to provide a framework that encourages good habits. When using a language, people should naturally gravitate towards doing things the right way. Having a base structure in place would do a lot to fix the current state of web application development in PHP.

    1. Re:Why would you write a templating layer in PHP? by T-Ranger · · Score: 1
      I suppose I can claim to be a PHP developer. 70% of the paid work I've done in the last year has been with PHP. (I haven't yet used Smarty). I use Perl for everything else, I have vaguely looked at the various Perl template systems. FWIW, I also once was a sysadmin at a ColdFusion shop, so am vaguely familiar with that as well.

      PHP was "Personal home page". Just a stupid little template system. Now it is insanely complex. There are PHP-GTK+ bindings. Command line apps are being written in it. Someone said "PHP needs a template system". Enter Smarty. Smarty implements a specialized template system within PHP, using non-PHP code to control it.

      Mason implements a special template system within Perl, using non-Perl code to control it.

      In 5 years, Smarty will be a stand alone language. Someone will come along and declare "Smarty needs a template system". And someone will build it.

      In 5 years, Mason will be a stand alone language. Someone will come along and declare "Mason needs a template system". And someone will build it.

      Rinse. Lather. Repeat.

  7. Smarty is a joke. by neiras · · Score: 3, Insightful
    I'll say it again: Why would you write a templating language in PHP? Smarty fills a need that does not exist. The separation that needs to be there is between PHP code that affects layout, and PHP code that does stuff like writing to databases, processing forms, etc.

    You don't need a "templating engine" to gain that separation. You need a standard, well understood way of organizing your PHP application, and some libraries of code to support that method of organization - that is, you need an application framework. And PHP sorely needs a *standard* one. It may not be the language developers' job to create it, but it would certainly boost PHP's image if they did - imagine the flood of nice, interoperable applications that would emerge!

    CPAN is not a framework, it's a massive library of code libraries, same as PEAR on the PHP side. Code libraries are good, but they don't define a way of structuring your application.

    Perhaps one of those frameworks you mention will become a standard, but as long as they implement 'templating languages' I'm not going to hold my breath. PHP may be going in the right direction with the new stuff in Zend 2, but it's still way off the mark for serious webapp development.

  8. Re:If this is not the second post by Anonymous Coward · · Score: 0

    Klansmen can't handle the scorching heat of Christmas Island.

  9. Try "PHP wants to be done poorly." by neiras · · Score: 1

    I'm not saying it's not possible to write a reasonably high quality application in PHP. I'm just saying that PHP has to do better than a few syntactical differences and extension upgrades before it can even be seriously considered in the enterprise, where Java is the standard (for good reason). It's got a long way to go.

    If you don't agree, you've probably not had to work on a PHP site that gets thirty million hits a day, nor experienced the near-euphoria of moving to Java after dealing with that class A mess.

    It's a lot harder to screw up the basics(content/logic separation, database abstraction, request parsing, validation) in, say, an EJB/servlets/JSP system, since those technologies encourage proper application structure and separations between subsystems are clear.

    I find PHP's big-business aspirations amusing, given the state it's in.

  10. I write web apps efficiently... by Phil John · · Score: 2, Interesting

    ...using n-tiered when it suits the domain (just finished a rather tasty J2EE system for a large client). Even a fairly complicated e-commerce engine can be done quickly and efficiently in PHP though if it's being done by someone who has years of "real programming" experience, not someone who comes along and hacks together a personal webpage or pet project (which invariably requires register_globals to be on, yuck).

    There is a framework out there that is proven, reliable and very easy to start using, it's called Fusebox.

    It has increased our productivity, encouraged code-reuse (instead of write-once never touch again hacks) and meant we get every single project out of the door on time and under budget.

    And now with Smarty being taken under PHP's wing so to speak (http://smarty.php.net) you can truly separate display from business logic in a nice simple way.

    But once again it comes down to this: Use the right tool for the job! I would never think of using PHP to power an online banking system, but then again I wouldn't use a 3-tiered enterprise system to run a bulletin board.

    --
    I am NaN