PHP 5.1.0 Released

kv9 writes "A new release of PHP5 is available. This version includes over 400 bugfixes, performance improvements over the 5.0.x branch, new date handling code, new versions of PCRE/SQLite/PEAR and over 30 new core/extension functions. A number of security fixes are also present and users are recommended to upgrade."

Re:All of my friends and family use the new PHP

You mean, it sucks less than the previous versions, and the problems with inconsistent "design" decisions, half-assed attempts at support for objects, etc. have all been fixed?

Wow! I gotta' get me some of that...

mySQL support

MySQL support has been droped in favor of using simple flat text files. The performance increase from this has been HUGE and the feature set is the same.

Re:mySQL support

[ajs318]

What is it with the MySQL bashers around here? Have you actually used it or are you just content to parrot what you have heard elsewhere?

For read-only, or even read-mostly, MySQL is blisteringly fast. It slows down when doing many INSERT or UPDATE queries on large tables because the whole table is held in one file, which has to be locked during a write and so slows things down.

On Linux, with a disk caching policy of "Never, ever commit anything unless you have to swap something from RAM, or are about to umount the file system" and enough RAM to cache the whole table file, MySQL writes almost as fast as it reads. OSes with more conservative policies, such as insisting to decache often and verifying before releasing the RAM, obviously won't be so fast {but who'll be laughing at who when the power comes back on?}.


Ah, shit, I'm feeding a troll, aren't I? I wasted fifteen minutes of my life and I can never have them back .....

Re:mySQL support

It would certainly have less confusing licensing.

Re:mySQL support

[CyricZ]

A lot of people who criticize MySQL have directly used MySQL. What we've found is that for lighter tasks (such as many webpages), SQLite often works quite well. And once/if you need a database system that's more capable, it's best just to move to PostgreSQL.

The recent Oracle/InnoDB and MySQL AB/SCO debacles have also made many potential MySQL users weary. There are many users who are now questioning how viable MySQL will be in the near future, both from a technical standpoint with regards to the InnoDB purchase by Oracle, and from a legal standpoint concerning their dealings with SCO. SQLite and PostgreSQL do not suffer from such unknowns.

Re:mySQL support

I wasn't trolling, but you obviously missed the point.

>For read-only, or even read-mostly, MySQL is blisteringly fast. It slows down
>when doing many INSERT or UPDATE queries on large tables because the whole table
>is held in one file, which has to be locked during a write and so slows things
>down.

Sounds like you would be better off using a flat text file. Flat files are FASTER than mysql and can be totally cached in memory and your overall server will perform better without another service running in the background.

For even read-only data you can load the data into shared memory via PHP and get speed that is unmeasurably fast.

Thats the point and the joke about it all.. 95% of what people use mysql for could be done without a database at all, and the other 5% would be better off using a real database.

Re:mySQL support

[Hynee]

From grandparent post

Ah, shit, I'm feeding a troll, aren't I? I wasted fifteen minutes of my life and I can never have them back .....

Uh, yeah, that's an affirmative.

Parent post:

What we've found is that for lighter tasks (such as many webpages), SQLite often works quite well. And once/if you need a database system that's more capable, it's best just to move to PostgreSQL.

Yeah, I'm no DB monkey but I certainly administer them, and just installed Postgre and it's PHP management thingy (phpPGadmin), and it seems quite slick. Can you just do an SQL dump from MySQL and put it into Postgre, no problems? I'm talking phpBB and PHP-Nuke DB's, nothing fancy.

And, uh, where the hell does SQLite store it's tables? Never used it.

Back to the flat text file issue, they're great until you edit them, then you have to do locking if the site has anything more than a few concurrent visitors. Then as you get busier, you have to worry about race conditions with the locks... I don't know if this one has been thought through.

Re:mySQL support

[kpharmer]

> For read-only, or even read-mostly, MySQL is blisteringly fast.

I think you mean that when doing lookups of a very small (less than 1%) set of data from a single table with simple queries that mysql understands the b-tree index in myisam or oracle's innodb is as fast as any other database. In the case of myisam maybe a little more, in the case of innodb maybe a little less.

I'm sure you don't mean that when selecting 10% of the data of a single table of the database (thereby unable to do b-tree lookups) and doing table scans instead that it is very fast at all. It might be competitive with postgresql, firebird, and sqllite there, but falls *completely* behind oracle, db2, informix, sqlbase, and now sql server when using partitioning. Or parallelism.

And you probably didn't mean that it was fast when handling complex queries. It's notoriously bad about handling them.

> On Linux, with a disk caching policy of "Never, ever commit anything unless you have to swap something
> from RAM, or are about to umount the file system" and enough RAM to cache the whole table file, MySQL writes
> almost as fast as it reads. OSes with more conservative policies, such as insisting to decache often and
> verifying before releasing the RAM, obviously won't be so fast {but who'll be laughing at who when the power
> comes back on?}.

Wouldn't this be better resolved through a storage adapter with 128 mbytes or more of battery-backed disk cache, and then turning on write-caching - and having your storage system handle it? In this scenario you are very unlikely to corrupt or lose data due to a power outage or crash.

And you had mentioned large files - what if you've got a 10 gbyte file? Doing lots of concurrent writing to it? This won't fit into memory, so now you're back to the writing-at-the-speed-of-a-snail speed.

> What is it with the MySQL bashers around here?

- too much hype
- company leadership that covered up missing *basic* features in the product for years insisting people don't need them anyway
- unsubstantiated claims (blisteringly fast) that end up being gross exaggerations at best
- most non-ansi implementation in the marketplace
- deliberately complex dual-licensing scheme that doesn't comply with GPL
- inability to handle even moderately complex queries
- absolutely bizarre exception handling issues (silent truncations, etc)

MySQL is a success story, but mostly a marketing success story. It started as a sql layer on top of flat files - not intended to be a database management system - just a file management system. And then people applied this tool to database management - without even the most basic of features (views, transactions, etc).

This isn't to say that people can't successfully use it for database management. Of course you can. You can also pull stumps with a ford explorer. It's just that the explorer wasn't really designed for pulling stumps, and a tractor does it *so* much better.

Re:mySQL support

[Viol8]

"It slows down when doing many INSERT or UPDATE queries on large tables because the whole table is held in one file, which has to be locked during a write and so slows things down."

Jesus , didn't realise mySQL was *that* primative. If anyone had
suggested using that form of implementation for a DBMS 20 years ago
they'd probably have been laughed out of the room , never mind in 2005!
You'd be lucky to get away with that even in a college DB project!

Re:mySQL support

[MikeBabcock]

Actually, using CDB is probably a better idea, and why programs like DJB's tinydns are so fast and reliable. You built a flat file with your data, compile it to a database atomically and depend on the OS' read cache to optimize performance when reading indexed records back.

Light-weight and extremely fast for read-only operations.

You can't do semi-complex queries against it mind you.

Re:mySQL support

[Xugumad]

Could you define flat file precisely? If you're thinking of storing your data in CSV format, for example, then no way is it even close to being a replacement for MySQL, for us.

We have 40-odd different tables, which have to be joined together for most queries. Several of them have over a hundred megabytes of data, meaning that without indexes searching the data would take an unspeakable amount of time. The ability to store UTF-8 in text fields is also a definite requirement for us. Thread safety is of course also an issue. If you really need the speed so much that it's worth writing all the code to handle UTF-8 safe, indexed, thread safe data, go for it, but for most of us it would be more or less re-inventing the wheel.

Beyond that, if we at some point decide we want to, say, use PostgreSQL, there is very little work beyond changing the URLs JDBC uses to connect to the database server, and changing the table LOCK/UNLOCK code to be transactional instead (which is on the to-do list anyway)...

Re:mySQL support

[Bake]

Can you just do an SQL dump from MySQL and put it into Postgre, no problems?

Actually, this can be tricky due to MySQL's tendencies to massage data to fit comfortably into tables. Using defaults such as 0000-00-00 in date fields instead of NULL, allowing values such as 2005-02-30 (i.e. 30th of February).

If you have such values in your MySQL database and intend to migrate that data into PostgreSQL, you first have to make the data conform to the C part of ACID (Consistency) before moving it to other RDBMS systems.

Re:mySQL support

Topic is PHP, not mySQL. Please try to stay on topic.

Re:mySQL support

[Tim+Browse]

And, uh, where the hell does SQLite store it's tables? Never used it.

In a file. SQLite databases are just a single binary file (although it supports building a database in memory too). Before you moan, that's one of the features/goals of SQLite. When you need that simplicity, it's great.

I do wonder if including SQLite with PHP will mean a lot of people think that it's appropriate for a massively multi-user app, whereas that's not really what it's designed for.

Re:mySQL support

[tacocat]

Then you need a real Relational Database Management System, like PostgreSQL.

Re:mySQL support

[chriseyre2000]

This looks like and obvious job for sed. Dump the db contents to a text file and use sed to replace the bad dates with null.

Re:mySQL support

Or a real one that actually works well, like Oracle.

Re:mySQL support

[baadger]

Back to the flat text file issue, they're great until you edit them, then you have to do locking if the site has anything more than a few concurrent visitors.

The file system is often unfairly overlooked IMHO. How many blogs (what is it now... 70,000 new blogs created per day?) actually need to be stored in database backends? This is a mostly WORM (Write Once Read Many) media, statically generate your HTML and seperate your code into purely generative (stuff that just reads the same old stuff from the db, and generates the same old html for all visitors) and your unique per-visitor logic and you could do miracles. Alot of people don't do this though.

In terms of heirarchial data and the requirement of this structure by 90% of PHP users, you really can't whip up anything in MySQL that will offer astounding performance when looking up (reading) all of: sublings, ancestors and descendents, without introducing some redundant fields, no matter which model you use. (Forget about heirarchial/object databases, find me a web host that offers one and then you can argue this point).

IMHO, some of the new file systems emerging with improved performance and features available, specifically on the Linux platform, are probably more suitable for a subset web applications than a fully fledged relational database. And if you do organise your data well, it's not too much more difficult going from this state to a database, than it is going from one database vendor to another if you wish to in the future.

As /.er's are surely aware, the holy slashdotting takes down alot of sites due to database lag or general lack of db connectivity. It's a good idea to statically generate and cache HTML output whereever feasible and this is obviously not done by many of /. victims.

My point is if you end up caching your HTML, like many database driven sites do and more probably should, it doesn't really matter if your data was in flat/many seperate files or a database.

Re:mySQL support

[nicklott]

wtf? Who exactly is questioning the viability of MySQL? (apart from the stallman-esque uber-geeks on certain internet message boards). InnoDB is GPLed, the code works now, so what's the problem? If oracle decide to turn the tap off tomorrow, the existing code will work quite nicely thank you very much. As to SCO, anyone who is truly worried about SCO should get their head seen to. If MySQL AB decide to give them money then fine, that's their problem, but it I don't see that it matters one whit to your normal sane user.

Re:mySQL support

[mattyrobinson69]

Afaik InnoDB isn't the default, MyISAM is

Re:mySQL support

[mattyrobinson69]

statically generate your HTML and seperate your code into purely generative (stuff that just reads the same old stuff from the db, and generates the same old html for all visitors) and your unique per-visitor logic and you could do miracles. Alot of people don't do this though.

that works, until you decide that you want to change something on all your pages, then it becomes messy. if your not doing that much, the overhead of a database isn't going to hurt that much anyway.

Re:mySQL support

[Bloater]

And InnoDB is very slow. You can have MySQL running fast with MyISAM, or with features (eg, ACID transactions) with InnoDB, but not both.

If you want both, go with PostgreSQL 8.1.

Re:mySQL support

The recent Oracle/InnoDB and MySQL AB/SCO debacles have also made many potential MySQL users weary.

I'm hoping you meant "wary" rather then "weary".

Re:mySQL support

[Achromatic1978]

Except that that's an admitted failing of the older branches. The current branch 5.0.x strongly recommends you use 'strict' mode. Problem now is that /many/ applications fail miserably with it on, because of lax programming: notably Wordpress and Gallery, two of the big LAMP apps.

Re:mySQL support

[baadger]

No it doesn't. You just regenerate, with a few clicks, your HTML from your (updated) template files and database/data storage. What i'm talking about is seperating code like this:

<?php
while($row = mysql_fetch_row(...from blog entry table)) {
    echo <<<HTML
    <tr><td>$row['something']</td></tr>
HTML;
}
?>

(generic visitor processing), from code like this:

<?php
if (some_check($_SERVER['REMOTE_ADDR')) { // could check if visitor is using a certain ISP
    echo 'some stuff';
}
?>

(specific visitor processing), wherever feasible.

There's absolutely no reason why the the 'static' HTML cache can't contain server side code, the first code example actually generating the second, it's a nice way IMHO to reduce database hits, important if the queries are complex or the db server is under heavy load.

Take for example your average slashdotted site. Thousands of visitors are all wanting to look at the same page and yet there are loads of database queries being run... IMHO this is a sign of a bad design decision from some web developers.

Yes, with database query caches, and very short life web caches like coral, db overheads can be reduced. But it's still a good idea and there are other benefits, such as what happens when your web hosts database goes down.

Re:mySQL support

[Hynee]

Yeah, I've been aware of the date problem with MySQL, it only checks if the day is in the range 1..31. It kind of makes sense if you're doing a lot of copies withing DB's (copy one date field to another date field, etc), but you tend to do that sort of stuff with relations.

Basically it surprises me that it stores the date as text, I would expect it to use number of days since 1970 (Unix) or 1 AD.

Re:mySQL support

[Hynee]

That Mysql 5.0.x not PHP 5.x.x right? I've had plenty of experience with PHP 5 tripping up big LAMP apps, mostly because of changes in array_merge(). Now 5.1.x trips up apps that pass unreferencable variables to functions that have parameters passed by reference,

function foo(@a) {
a=1
}

bar(baz(1));

Previously PHP gracefully switched to pass by value.

Re:mySQL support

[Hynee]

SQLite databases are just a single binary file (although it supports building a database in memory too).

Thx for the info, I could have RTFM I guess.

Before you moan, that's one of the features/goals of SQLite. When you need that simplicity, it's great.

That's fine I think, I guess it just bogs down when the number of rows gets to a certain threshold. It sounds like the DB has to be loaded at least partially into memory each time a script is executed, whereas the advantage of a dedicated daemon/service is that the binary is always running. Does it do anything fancy like "stay resident" when PHP is used in CLI mode?

Re:mySQL support

[Tim+Browse]

Does it do anything fancy like "stay resident" when PHP is used in CLI mode?

No idea. All my experience of using SQLite comes from using it as a library in C/C++ programs. It's very good at that, certainly - very fast.

This is particularly amusing.

Re:mySQL support

[tod_miller]

That took fifteen minutes? Do you use some kinda head pointing device to type?

honest question...

Re:All of my friends and family use the new PHP

Really? All my friends and family use good old fashioned PCP.

Sendmail

[jrockway]

> A number of security fixes are also present

I think we've finally found a replacement for the security disaster known as sendmail -- PHP.

Re:Sendmail

[Jotii]

Is there a sendmail security hole? That might explain bots filling in forms with random e-mail headers on my site.

Re:Sendmail

"A" sendmail security hole? You're kidding, right?

This news just in: bind may also contain explotable holes.

Re:Sendmail

That's almost certainly a problem with your code, extra headers being injected because of improper input validation.

Always check that your input is well-formed, an email address is actually an email address and so on.

If nothing else, stripping newlines and carriage returns will thwart most of those bots.

Unfortunately it's a common problem, but if you code properly it's entirely avoidable.

Re:Sendmail

[davegaramond]

Blame those brain-dead PHP "architects" for designing the API for the sendmail() PHP function. The fourth argument accepts arbitrary headers. The 4th arg is used a lot because the damn function doesn't even provide another argument for the From header! It's easily exploitable because those idiotic PHP "programmers" never check values they send to functions, thus sendmail($to, $subject, $body, "From: $from") is easily exploitable by spammers through injecting nasty values to $from. I hate everything PHP-related.

Re:Sendmail

[Alioth]

You know PGP stands for 'Pretty Good Privacy'?

I think I've worked out what PHP stands for -- "Pretty Hopeless Privacy"

Re:Sendmail

[jZnat]

So, how long until GCC includes a PHP compiler that's supposed to address all the issues that PHP allows programmers to get away with? :P

Besides, most of the bad programming practices that PHP allows are due to it being written in C, so your crappy C coding practices will also work in PHP.

Re:All of my friends and family use the new PHP

While the parent is a bit of a flamebait, he actually brings up a few good points; especially regarding inconsistent design decisions.
In fact, reading through the php_internals mailing-list is one of my favorite things to do - it's hilarious!

Many improvement...

[masklinn]

...and still no damn fucking namespaces.

Go PHP, ride on to the 20th century!

Re:Many improvement...

They are considering namespaces for PHP 6 - Read the meeting notes here:

http://www.php.net/~derick/meeting-notes.html

http://www.corephp.co.uk/archives/19-Prepare-for-P HP-6.html

Re:Many improvement...

[g2devi]

Relating to this comment:
http://developers.slashdot.org/comments.pl?sid=169 325&cid=14113043

It's true that PHP suffers from various naming conventions, but namespaces might me the answer.

For PHP 6.0, does anyone know if the core developers are thinking of moving most builtin libraries into namespaces? For instance:
. . . http://ca.php.net/manual/en/function.oci-commit.ph p
could be placed in the "builtin\oci" namespace and
. . . http://ca.php.net/manual/en/function.ocicommit.php
could be placed in the "builtin\legacy\oci" namespace.

You could quickly convert all PHP5 to PHP6 simply by adding the line:
. . . import builtin\*;
to the top of every file to make all builtin functions global (the way they are in PHP5).

Apps written in PHP5 would still work without the import, but they'd get a warning (which could be switches off in the php.ini).

Re:Many improvement...

Why change the entire language engine (again) just to write import builtin\mysql; when you can just do $a = new mysqli; ?

Re:Many improvement...

[HermanAB]

Hmm, one big reason why Perl is better for large applications.

Re:Many improvement...

[uss_valiant]

They are considering namespaces for PHP 6 - Read the meeting notes here:
http://www.php.net/~derick/meeting-notes.html

Not only that, but what I enjoy the most about these PHP 6 planning meeting notes is:
http://www.php.net/~derick/meeting-notes.html#safe -mode

Issue: safe_mode is a feature in PHP that checks whether files to be opened or included have the same GID/UID as the starting script. This can cause many problems, for example if an application generates a cache file, it will do this with the user ID that belongs to the web server (usually "nobody"). As an application is usually uploaded by the user belonging to the web account (say "client") the scripts can no longer open the files that the application. The same problems happen when for example an application generates an image.

Discussion: As safe_mode is a name that gives the wrong signals as making PHP safe, we all agreed that we should remove this function. It can never be made totally safe as there will always be ways to circumvent safe_mode through libraries. This kind of functionality also better belongs in the web server or other security scheme. open_basedir is a feature that we will keep, and we will point users to this functionality in the error message that is thrown when we detect this setting on start-up.

Conclusions:

1. We remove the safe_mode feature from PHP.
2. We throw an E_CORE_ERROR when starting PHP and when we detect the safe_mode setting.

Finally!! Take that you silly "security experts" who insist on using PHP safe_mode and putting down all "alternatives" aka really secure environments. :)

chroot jail + php-fastcgi + suexec + apache2 = fun for everyone

Re:Many improvement...

[tacocat]

Namespaces? Like Perl Modules have namespaces starting the main::?

Re:Many improvement...

[tacocat]

Well put.

I find it ironic that PHP came out many years ago as a cheap and easy way to make more dynamic web pages with a simpler structure than perl. It was also a greatly reduced structure from perl.

Then someone added a bunch of MySQL to it, hyped it up as LAMP and now everyone's on that bandwagon. And those that weren't were bitching about how if you want to do a real web application you would be better off using Perl and PostgreSQL.

And now here we are years alter and from the threads I've seen herein:

• PHP has some horrible security pitfalls that are now being addressed.
• MySQL is being dumped for SQLite which is just a flat file system, but then so it Berkeley DB which seems pretty damn fast too
• PostgreSQL is still the last viable option for a real database that you can afford.
• And PHP 6 is talking about adding NameSpaces.

What I see here is that as time marches on, PHP is becoming more difficult to use and more like Perl.

So when PHP rivals Perl in capability, it will likely rival Perl in complexity as well, only Perl has had 10+ years to settle out the bugs.

And what simplistic dynamic web page application will come along to replace the original implimentation of PHP? After all, the who reason PHP was so popular was the fact that is was simpler to follow than Perl was. But if it's as complex as Perl.... What next?

I am beginning to thing that PHP would be better off, in the long run, if they just left themselves to the area of making a bitchin' fantastic scripting tool for making dynamic web pages without trying to compete directly with Perl, Java, and C at the same time. It's kind of stupid.

Everything has a place.

Re:Many improvement...

[bad-badtz-maru]

And another big reason is that the perl libraries (ala CPAN) do not require a recompile of perl itself. I cannot count the number of times I go to do something in PHP only to discover that PHP has to be recompiled with the switch to include such-and-such library. Need to work against an Oracle database in PHP? Bring down the production web servers to install a new PHP with OCI support enabled. Need to work against Oracle in Perl? Just install the appropriate perl module, no need to do anything drastic.

Re:Many improvement...

You don't have to use the OO features of PHP. You can still write all the simple / fast pages you used to. PHP is simple, and with a byte-code cache, it's so much faster than other web languages that there is no real competition (sorry Java, you suck).

The extra features just make it easier to program for larger teams and give more experienced programmers more options.

Re:Many improvement...

[Mattintosh]

I find that somewhat humorous as well, since the Windows port of PHP allows for exactly what you describe.

You drop the appropriate DLL's into the system %Path% (which should include the PHP directory) or, if you're using Apache 2, the PHP INI Directory specified in your httpd.conf. Alternatively, you can add them to your php.ini's extension_dir, whatever you set that to be. Then you edit the PHP.INI file and uncomment or add the modules you want to use. Then restart Apache and pray. I say "pray" because Apache chokes when it can't find/load things that way. This usually only happens if you don't have %Path% set to include your PHP directory, though.

So... How many times to I go into PHP and find that it needs a recompile to do what I want it to? Almost never. When is that coming to the Linux version? Or is it too "easy" for Linux people?

Re:Many improvement...

[bad-badtz-maru]

Seems to me you've found the one case where Windows is better than Linux!

Re:Many improvement...

[jZnat]

Oh great, another excuse for the server admins to stick with PHP 4.3.x (or in some cases, 4.2.x).

Re:Many improvement...

[jZnat]

Search the Debian unstable/ repository for PHP and you'll find a bunch of *.so modules for PHP that can be run dynamically. I prefer the CPAN method though, but they should make it easier for Windows servers to use CPAN modules.

Re:Many improvement...

[masklinn]

Yes, and like Python, Ruby or Java modules/classes have had for years, and like that little thing C++ has had for 20 years.

Re:Many improvement...

[JabberWokky]

You can do that with PHP... as somebody notes up above, it's pretty common with the Windows version. On linux you use standard .so library files.

Most packaged PHP (a la debian and ubuntu apt-get and SUSE repositories) handle it the way you're looking for - shared libraries. I think pear handles it that way as well. I'm not sure; I don't often use it. All of the closed source third party libraries are, of course, done that way as well.

I'm not sure where you got the idea that PHP can't use new shared binary libraries. You can certain choose to compile libraries directly into PHP... maybe you took the fact that it is an option as a mandatory requirement?

--
Evan

Re:Many improvement...

[bad-badtz-maru]

I got the idea from the "To get these functions to work, you have to compile PHP with --with-whatever" installation instructions for the various extensions. If that isn't required then the damn docs need a serious overhaul or I need to become a mindreader.

Re:Many improvement...

[aled]

and changing the extension from .php to .java...

this gets better and better, didn't thought a PHP article could bring so much fun.

Re:Many improvement...

[Domstersch]

what simplistic dynamic web page application will come along to replace the original implimentation of PHP?

Uhhh, Ruby? :-)

Re:All of my friends and family use the new PHP

[masklinn]

Rails still isn't a language, it's a framework.

(calling Ruby a "toy language" when comparing it to PHP is hillarous though, thanks for the laugh)

Beware of PHP 5.1

You don't have any classes named Date, do you? It's an extremely uncommon name. Good thing we have namespaces.

http://news.php.net/php.internals/20352

Re:Beware of PHP 5.1

[Tim+Browse]

I've only messed around with PHP for my personal website and a small catalogue style website for my parents' business, but I noticed there were no namespaces, so I simulated them by prefixing class/function names with short prefixes, e.g. twbb_GetForumThread() etc.

I don't envisage having any problems with the new PHP core functions colliding with my names. But then maybe that's because I've worked with other languages that don't have namespaces (e.g. C, which I believe had some brief border-line success/popularity at one point, despite being crippled by lack of namespaces), and also I have a fucking clue what I'm doing. Idiots, on the other hand, will always run into problems.

That's not to say I wouldn't like to see namespaces in PHP :-)

Re:Beware of PHP 5.1

[CaptainPinko]

I think include files simulate namespaces nicely. Well, as nice as anything in the C language.

Re:Beware of PHP 5.1

No, it's okay, because PHP's Date class will be complete, general, and very powerful, yet have high performance. Not to mention, very secure. You'd never need to write your own.

*snicker*

Re:Beware of PHP 5.1

[imroy]

While C doesn't really have namespaces (look to C++ for that), at least the compiler will throw an error when you try to redefine a function or variable. Plus it also has proper scoping. I can't believe a modern programming language still gets around without that. All variables are global, oh except within functions. Another poster told a story of cleaning up a heap of PHP code he inherited. He moved some repetitive code into a function and the code initially didn't work because he forgot to declare global $something; in the function. My god PHP is a backward language!

Re:All of my friends and family use the new PHP

[SolitaryMan]

My Mom likes PHP too! However, I don't see what it has to do with /.

Re:All of my friends and family use the new PHP

[ToasterofDOOM]

That's for sure. Ruby might not yet be of perl's power, but it definitely isnt a toy. It is at least as capable as Python and Perl, just not quite as popular.

Re:All of my friends and family use the new PHP

[Jotii]

Yeah, putting PHP stuff Slashdot's PHP topic makes no sense.

Bug fixes should go into 5.0.x

[halfnerd]

I was under the impression that when using a x.y.z -versioning scheme, bug fixes should be released with increments of z, new features with increments of y, unless they break compatibility, when x should be increased. But when has even PHP done some something in a standard way.

Re:Bug fixes should go into 5.0.x

[CableModemSniper]

I was under the impression that versioning schemes are pretty much arbitrary.

Re:Bug fixes should go into 5.0.x

[e-bart]

Or maybe PHP 5.1 also has some new features??

Re:Bug fixes should go into 5.0.x

[1110110001]

Take a look at the changelog: http://www.php.net/ChangeLog-5.php#5.1.0

The lines with Added, Changed or Improved are mostly new features, the lines with Fixed are Bugfixes. 1/3 of the Changelog are therefore new features.

b4n

Adding even more functions?

[A+beautiful+mind]

"(...)and over 30 new core/extension functions."

Ugh. Adding still to the inconsistent, namespace mess, PHP functions have? Worst. Decision. Ever.

Re:Adding even more functions?

[Sithgunner]

better approach is to say so on the mailing list when in development, not when it hits /. and on /. comment

Re:Adding even more functions?

[A+beautiful+mind]

Your post is the stupidest comment I've read whole day.

The criticism I've brought up is what pretty much everyone critical of PHP is saying for years now, I most certainly don't have to point this out to the PHP developers. If the developers didn't bother to fix this already, then writing a mail to their mailinglist could only possibly start a flamewar at best.

Re:Adding even more functions?

[Sithgunner]

so, whats the point saying in here again if its so obvious?

if its because it doesnt start a flame war, which means people who cares arent looking, then not much point.
otherwise, you are just steaming it out somewhere for not much reason except having attention to people who dont give much about php's political part of development.

Is any work being done to improve security?

[CyricZ]

It's widely known that PHP is used by a lot of "developers" without much background in writing secure software. As such, the coding techniques used are often less than ideal, and have lead to numerous security problems in the past.

Are the PHP developers actively doing anything to help prevent those without much experience from writing code that can lead to a server being compromised? Not that they should restrict those few developers who do know what they're doing, but they should perhaps be taking a look at making it far more difficult to write dangerous code.

On the hardware front we have AMD and Intel adding support for non-executable stacks to their processors, for instance. GCC has StackGuard and StackShield. I think it's time for the PHP developers to step up to the place and try to limit the possible damage that can be done when using PHP incorrectly.

It's easy to continually blame the inexperienced PHP users for writing insecure code. But I do believe that it is up to the PHP developers to use their skills to help mitigate such problems.

Re:Is any work being done to improve security?

[Jotii]

The main reason for PHP being insecure is the huge amount of functions for "securing" form data before using it in an SQL query. It's just comical that both mysql_escape_string() and mysql_real_escape_string() exist. PHP should be purged from all of the unused and misused functions soon, or it will never be safe.

Re:Is any work being done to improve security?

http://www.hardened-php.net/

Re:Is any work being done to improve security?

[__aaxwdb6741]

It is also widely known that many server administrators are known to install many applications as root. PHP and apache, among many others.

Who should be held responsible for THAT? (Set an X)
[ ] The Apache developers?
[ ] The Linux developers?
[ ] The server "administrator"?

Re:Is any work being done to improve security?

[Frekko]

Yes they are. Check out the filtering extension which allows you to set up automatic rules on what variables are accepted and the format they should be in. This in combination with a PHP framework of some sort (e.g eZ components from eZ systems... yes this is a commercial) should close at least one door.

Re:Is any work being done to improve security?

"Are the PHP developers actively doing anything to help prevent those without much experience from writing code that can lead to a server being compromised?"
They are doing quite a bit actually. PHP6 will see a full input_filter mechanism added, safe_mode (misleading name) removed, and other substantial changes that will deeply improve security for programmers.

In addition, there is discussion of adding namespaces in php6, a feature that would easily improve security in virtually every app by preventing unintended variable overlaps.

The PHP Internals team takes security very seriously, and is merging the majority of the PHP Hardened script for just that reason.

Re:Is any work being done to improve security?

[Ford+Prefect]

Short of removing all input/output functionality, people will always manage to write insecure PHP scripts. I've seen things you people wouldn't believe - SQL injection attacks on fire off the blah, blah blah...

*Ahem!*

But anyway. I'm not aware of any built-in security problems - most of what your average Slashdotters regard as 'OH THAT'S SO INSECURE WHY CAN'T THEY FIX IT????' seems to be down to shitty programming by end-users rather than PHP limitations. Idiotic PHP features like magic-quoting of input strings seem to be those added in an attempt to improve security, and have ended up acting as a crutch for poor programmers when the 'correct', unchanged behaviour might have broken things more regularly and actually taught a bit of good programming practice.

My code is immune to SQL injection attacks. It's piss-easy to write things that way. It's more a matter of understanding what's going on, rather than blindly hopping and skipping through the happy haze of 'helpful' features which can easily go wrong. I'd much rather have a PHP where I can blow my feet off with the twelve-bore shotgun of features rather than have some neutered, brain-dead, drool-proof and beginner-'friendly' mess...

Re:Is any work being done to improve security?

[e-bart]

PHP is a very "server-safe" web-scripting languages as long as you install and configure everything properly.

Re:Is any work being done to improve security?

[bad-badtz-maru]

What in the hell is "server safe"? How about this?

$sql = "select username from accounts where username='".$_REQUEST['username']."' and password='".$_REQUEST['password'].'";

What percentage of php developers use inline variables in their SQL and what percentage instead uses bound parameters?

PHP doesn't even support remedial sanitization warnings like perl's "taint" mode. Every piece of PHP code I have ever seen uses inline sql with the "addslashes" crutch. It's the worst of all worlds.

But hey, PHP has wrapped the entire pthreads library, now THATS useful!

Re:Is any work being done to improve security?

It's Bush's fault.

Re:Is any work being done to improve security?

[e-bart]

That example would only compromise a single web app and database. If everything is configured correctly it won't compromise the server. That's what I meant with "server-safe".

The cool thing about PHP is that you can host it to some n00b developer, that does things like the example you gave, without getting your server hacked.

Re:Is any work being done to improve security?

[tehshen]

Idiotic PHP features like magic-quoting of input strings seem to be those added in an attempt to improve security, and have ended up acting as a crutch for poor programmers when the 'correct', unchanged behaviour might have broken things more regularly and actually taught a bit of good programming practice.

Indeed! Microsoft is often criticised for trying to do things for the user, instead of showing the user how to do them. The same criticisms apply to PHP here.

PHP is renouned for having good documentation; would it not hurt to have Remember to use addslashes() on any query before running it! in big and bold on any sql-query-sending page?

Re:Is any work being done to improve security?

[bad-badtz-maru]

But a noob will do the same thing with the backtick or exec. I still don't see the "server safe" thing. Or I don't see any additional attempts at safety beyond what is already offered by the web server or OS (for example, apache running as a user with restricted rights).

Re:Is any work being done to improve security?

[e-bart]

You can disable certain functionality in PHP like backticks or exec or other functions. And, like you said, you can also run Apache as a user with restricted rights.

Furthermore. The security issues that can be solved at PHP-level aren't all the fault of PHP. A lot of it is, in fact, the fault of Apache! Security would be much better if Apache would be able to run different instances with different user rights like, for example, IIS does. Luckely PHP is so cool that it runs on IIS as well. ;)

Re:Is any work being done to improve security?

[TheLink]

"would it not hurt to have Remember to use addslashes() on any query before running it! in big and bold on any sql-query-sending page?"

Yes it would hurt. addslashes is actually the _wrong_ way to do things. It is bad design. But it is shameful that even up till now in PHP it's not clear what to use instead. pear db or pdo?

Whatever it is, you should use a database specific quoting method.

In perl if you have a db object $dbh you'd call it like this:
$quoted_stuff=$dbh->quote($stufftoquote);

However, you should usually use prepared statements and placeholders. You can do this in Perl, Java etc.

Thing is, PHP should have done this a LONG time ago, instead of coming up with _stupid_ stuff like magic_quotes and addslashes, which makes it easy for people to do the _wrong_ thing quick.

It's pretty annoying that PHP made it hard to do things _properly_.

If the devs only talk/think about input filters it means they don't get it.

Your program should have input filters so that _it_ can cope with data sent to it. But it should also have output filters tailored for each thing it talks to (e.g. DB, web browser, some other program), so that things are quoted and filtered properly and the destination programs can handle the data correctly.

Magic quotes is bad design. Automatic input filtering with magic_quotes means that all data is quoted in the same way, for "nobody" in particular. That causes data corruption in many cases when the program submits data to itself. That's why you see stupid things like \\\' in some websites.

So much of PHP is bad design that it isn't funny.

I suspect that when you remove all the "convenient" PHPism that are bad design (global track vars, magic_quotes, addslashes, etc), you'd probably end up with stuff that's just as "hard" as Perl.

Re:Is any work being done to improve security?

[jZnat]

would it not hurt to have Remember to use addslashes() on any query before running it! in big and bold on any sql-query-sending page?

Yes, that would hurt because you're supposed to use the dbtype_real_escape_string() function instead. addslashes() practially adds random slashes to hope that it won't fuck anything up.

Re:Is any work being done to improve security?

[tehshen]

Gah! That is what I meant (honest). Magic quotes and addslashes seem worse and worse by the day.

Power?

[Grendel+Drago]

It's really vague to compare two languages' "power". The only definitive comparison you can make is whether they're both Turing-complete. In that case, Perl = C = INTERCAL = Unlambda.

Re:Power?

Well, then C = Brainfuck.

Re:Power?

[00lmz]

Yes, but as Alan Perlis said in one of his epigrams...

Beware of the Turing tar-pit in which everything is possible but nothing of interest is easy

Using your example, Perl is as complete as C, but IMHO interesting things are easier to do in Perl (or ruby, for that matter).

Re:Power?

I have. You know how much of that knowledge is required to understand the GP? Zero. Stop being a moron, moron.

Re:Power?

[TheRaven64]

A more interesting metric is whether you can write a complex program in a language without writing an interpretor for another language in that language. Sure, I can write dynamic object oriented code in C (and I have done) but by the time I'm finished I've implemented enough of an Objective-C runtime that I may as well just use Objective-C or Smalltalk.

The other side of this metric is how easy it is to write an interpretor for another language when you need to. It is possible, for example, to write a Prolog interpretor in about 20 lines of LISP.

These are far more useful measures than Turing Completeness, since they tell you something about the ease of programming in a language. It is also worth noting that it is easier to write an optimising compiler for a language that doesn't throw away high-level information. I can implement vector operations in C by itterating over a loop, but it's much easier for a FORTRAN compiler to look at a vector data type and a vector operation on it and emit code for a vector unit than for a C compiler to try to work out that my loop can be unrolled and transformed into vector code.

Re:Power?

[spammyd]

LISP: I hate lisp, and i hate prolog/scheme what i hate most is how lisp enthusiasts try to say i dont need to write that program using 50 lines of C, i only need 4 lines of lisp

Re:Power?

[dkf]

Bah! Turing-completeness just buys you a seat in the game. It's practical power that really matters, and that's something else entirely. After all, unlambda's all very well but it's nice to be able to open sockets, build and run GUIs, render webpages, query databases, etc. It's the libraries (and the cool things you do with them) that really count.

Advances/Alternative to the server

[Kunta+Kinte]

PHP's big problem is not language features anymore. It's the lack of innovation in the PHP server program.

Zend refuses to add basic features such as a basic accelerator ( PHP scripts get recompiled on every request ). In fact, there was a rumor that Zend bought and killed http://sourceforge.net/projects/turck-mmcache/, the best accelerator out there because it competed with their commercial product.

I understand that money has to be made for development to continue, but that's no way to compete.

PHP server needs true session and application scope variables. File-based session variables it has right now means that any variable that's not serializable ( eg. file descriptor ) can not be saved in the session scope. This is a huge problem. It results in developers making countless round trips to their database to serialize data, and hence making PHP scripts more dependant on close/performant database in general. There was an mmap based solution being worked on, but haven't heard much about it lately.

Other web environments have had these features for years.

I'm guessing that that sought of restriction on the PHP server will continue until an alternative server is developed and begins to gain popularity.

Re:Advances/Alternative to the server

"Zend refuses to add basic features such as a basic accelerator"
They have already agreed and committed to doing so in php6. The current leading candidate is APC, and it will be part of the php core in php6.

"File-based session variables it has right now means that any variable that's not serializable ( eg. file descriptor ) can not be saved in the session scope"
Thats why you can use database-based sessions instead if you so choose, and have been able to since php4. However, if you don't like the speed hit, there is already discussion about php6 having a different permanent data global that will solve the situation you describe. Not to mention, mmap has been functional for a while now, so I think you are just rehashing old fud.

Re:Advances/Alternative to the server

[naugrim]

The turck accelerator was continued in the eaccelerator product (http://eaccelerator.net/HomeUk). They are however starting over on it due to licensing issues. In the meantime, their current version works on PHP5, but I'm not sure if it works on the new 5.1 or not.

Re:Advances/Alternative to the server

I have recently upgraded a few sites from php4 to php5. The biggest problem? The accelerator..basically php is really unusable in any real production environment without installing some accelerator/opcode caching mechanism this makes php go 2-5 times faster. The problem with php5 however is that there are two options 1. ZEND $1000(1CPU)-1500(2CPU) (PER YEAR!!) for each server or using APC from PECL which is free but buggy and unstable(supposedly Yahoo uses this but I and others have had major problems with it). The Zend solution is very nice but is quite pricey for someone without a large bank account. Acceleration options should really be built into the php release.

Re:Advances/Alternative to the server

[NineNine]

Do you mean that you can't store objects as session or application variables? I work with ASP, so I just assumed that PHP has had this ability for well... years.

Re:Advances/Alternative to the server

I'm confused. Could someone explain this? At http://sourceforge.net/projects/turck-mmcache/ it says the license is GPL. But at http://eaccelerator.net/HomeUk it says "There is also the license problem. Frank Alcantara has done his best in the discution with Mr Turck, the owner of the copyright (Dmitry Stogov is in fact the original coder), about the idea to modify the license to avoid problems to distribute eAccelerator with Debian. But Mr Turck doesn't want to give us the permission." I don't get it - is Turck MMCache GPL or not?

Re:Advances/Alternative to the server

[CiaranMc]

You can store objects in the session, just not objects that don't serialise properly.

Re:Advances/Alternative to the server

[lattepiu]

Mmap based sessions have been supported in PHP for years... just use session_module_name('mm'). And of course you can always use your own handler to do whatever you like with your session data.

I don't understand why bashing PHP has become such a popular sport nowadays... To me, it seems one of the few languages trying to really do something new to make development more fun, instead of just drooling over endless specs. I really enjoy coding in PHP, especially with the new super cool iterator interfaces and magic methods... Is it just me?

Re:Advances/Alternative to the server

1. Zend hired the mmcache author, who developed things like the SOAP extension for php

2. PHP6 will have an opcode-cache (APC): http://www.php.net/~derick/meeting-notes.html#add- an-opcode-cache-to-the-distribution-apc

Re:Advances/Alternative to the server

[bad-badtz-maru]

A databased-based session will serialize a file descriptor?

Re:Advances/Alternative to the server

[1110110001]

PHP scripts can't share file handles like every other program written in i.e. C. I don't see a problem with this. If you need data every time and need it fast you can use shared-memory. There's a nice extension that even works on Windows. If you need to share data between servers you have bigger problems than the time opening a file takes.

b4n

Re:Advances/Alternative to the server

[1110110001]

Try APC with 5.1. It seems like Yahoo and Rasmus are focused on 5.1. and have skipped 5.0. That's why there can be problems with this version. There were some engines changes which makes 5.1. even faster than 4.3. and thus for the cache there can be some difference between 5.1. and 5.0.

If you have a big server farm you could of course also talk to Zend. The Zend Platform is much more than just an accelerator. And if you are a good customer anyway why should the mind about a little price drop.

b4n

Re:Advances/Alternative to the server

[e-bart]

Not just you... Me too!... :)...

Re:Advances/Alternative to the server

[Sentry21]

In fact, there was a rumor that Zend bought and killed http://sourceforge.net/projects/turck-mmcache/, the best accelerator out there because it competed with their commercial product.

What happened was that Zend hired the author of turck-mmcache because they wanted his expertise on THEIR project. I don't think that's entirely unfair. The reason that Turck is pretty much dead at this point is that no one else understands 1) The Zend engine internals, and 2) The author's code nearly as well as the author did.

Re:Advances/Alternative to the server

hi. You don't know what you're talking about. One intentional design feature of unix is that child processes inherit their parents file descriptors. That's completely unrelated to the language used. PHP on unix is the same as C or any other language with this regard.

Re:Advances/Alternative to the server

[1110110001]

I know what I'm talking about. PHP is request based. That means before the request is after the request. Every zval gets freed by the GC. And while freeing the zval for a resource its destructor is called.

Of course if you fork you inherit the zvals and therefore the open file handles. But in a web enviroment you're scripts don't run long enough to make that useful.

You could write your own webserver in PHP (or fcgi server). But the GC is optimized for the request based approach. That means the memory only gets really freed when your script ends.

If you know enough C to write an extension you could still write your own persistend file handle extension. It's not that hard.

b4n

OO

[smallguy78]

I use to use PHP a lot day to day for several years (lamp), and found it kicked the ass of ASP for doing really fast web apps. Bigger web applications however, is where its mechanics started to erode - specically includes and the old module level variables issue.

PHP 5 brought more OO features but it's still loosely typed and not compiled, meaning its OO features pale in comparison to JSP and ASP.NET. Until these two features are added by default (yes I know there are compilers), I can't really see how people will want to make use of its OO features in a business scenario. It handles strings (atleast in 4) about 50x slower than .net and seems to be stuck between a scripting language and a fully fledged OO language.

Re:OO

[Dasch]

One word: Ruby.

Re:OO

[moro_666]

you forgot to add that real programming languages are pretty much backward compatible, whereas php's backward compatibility doesn't just suck, it's nearly non-existant. references, oop parent class calls, global variables etc. this language gets ever more messed up with every new version and with zillion little configuration flags that affect the very basic functions and breaks down even the most patient code.

php has it's good sides but it the long run it's definitely the loser platform from my point of view. even perl is more stable and readable after 3 years of support on the same code (on php you either do very expensive upgrades to the software every time there are some major changes or you do cheap fixes and the code turns into a mess).

have you ever tried to read a well organized OOP php source that is supposed to work with every version from 4.0 to 5.x ? nope ? give it a try, i'm sure you will fall off the fgging chair.

i suggest you use something else, use python, use ruby, if you need to kiss your bosses ass you might even use java but keep your fingers away from php while you can.

Re:OO

[e-bart]

I have no idea what you're talking about. I wrote my app for PHP4 3 years ago. It's pretty big and complex (and ugly ;) ) and it's currently running on PHP 5 without the need for any modifications! I don't have much experience with other programming languages. But, as a PHP developer, I feel they pay good attention to backwards compatibility. Good enough for me at least. :) I have never experiences serious issues with this.

Re:OO

[dkf]

So, you think strong typing and heavy compilation (with all the attendant futzing around with silly little converter classes and twiddling your thumbs while the whole lot grinds through the compiler again) are necessary for OO-in-business-scenarios? Interesting. Can't say I agree though. Highly typed languages are overrated (and PHP is definitely not best-of-breed in the light-typing end) and compilation to native code is not so useful as you might think; there's usually a better level of abstraction to use as a compilation target (i.e. which allows for very fast compilation while providing decent speed), assuming you're not writing some real CPU-heavy code like image manipulators. But then most web-apps aren't about that; they're "parse the input, diddle with the DB, possibly contact some other service, format the output". All the scripting languages are good choices for that sort of thing, though some are better than others for mundane reasons. Reasons like "the natural way to write code is the secure way to write code!" But you take your pick according to your personal preferences (or sometimes those of your boss, alas.)

Re:OO

Buzzwords confusion! What the hell does OO have to do with loosely typed and compiled? No OO in Python either?

Re:OO

[masklinn]

Javascript is a weakly, dynamically typed language, and yet PHP had to wait till PHP5 to get better OO than JS (respective strengths & weaknesses of class-based OO versus prototype-based OO aside)

Re:OO

[bani]

perl stable? maybe. we'll see what happens when perl 6 comes out. i suspect when it does, most of the whining about "unstable PHP syntax" will cease. :P

readable? hah. perl is famous for winning obfuscated code contests. it's worse than C, and that really says something.

python syntax is ok, but applications written in python tend to be fragile.

java is "write once run nowhere" thanks to platform-specific bugs and incompatibilities in JVMs.

even then, nobody is forcing you to upgrade php, just like nobody is forcing you to uprgrade perl. there are incompatibility issues with the change from perl4 to perl5 (and there will be many more in perl6) but you're not forced at gunpoint to upgrade. you always have a choice.

Did you look at the PHP 6.0 codebase ?

[Gopal.V]

Sometime back, I pulled out the CVS HEAD and tried to hack on top of it. Needless to say it looked alien, with all the hash tables walking around with unicode all around. Php 5.1.xx is only a small step, 6.0 is going to really come crashing down.

I'd like to take this oppurtunity to complain about __autoload in PHP5. It is one functionality which I find tremendously inconvenient when coding something like APC . File inclusions were never supposed to be that dynamic, it ends up with different compilations of the same file for different places it is included in (apparently some are still fighting).

Re:Did you look at the PHP 6.0 codebase ?

[Bloodwine77]

I use __autoload() with abstract classes to mimick very simple namespaces.

I'm sure that is a perversion of the original intent of __autoload(), but now I don't have to litter my scripts with require()'s and I can just call Foo::bar() and the Foo class is automagically loaded. Of course I don't use any accelerators or caches, but I could see how __autoload() could cause problems.

I'd be more than happy to use a "use Foo" type inclusion at the top of scripts, but when you have directories and sub-directories of scripts it is a pain in the butt to do a bunch of "require_once(dirname(__FILE__).'/../../class_Foo. php');"

Hopefully the developers of PHP will come up with a better solution in a future release. I would really love real namespaces (so I can nest namespaces), but the problem with the PHP developers is that they are very stubborn and if they personally don't feel like a feature is important then they won't do it, no matter how many people ask for it.

The best news about PHP 5.1 is PDO. If people start using PDO by default that should really cut down on the explicit dependance on MySQL.

Backgrounds of the PHP developers.

[CyricZ]

What are the backgrounds of the main PHP developers? Do any of them have any serious credentials, or even background in language design at a graduate level, for instance?

One thing I find about PHP is that, rightly or wrongly, we always hear about how it's quite lacking as a language. Could that be because it is designed by people who have very little experience designing modern programming languages?

Re:Backgrounds of the PHP developers.

[A+beautiful+mind]

PHP wasn't always a "language" (I personally think it still isn't), but as a bunch of Perl CGI scripts, maybe thats why. It wasn't designed to be a language.

Re:Backgrounds of the PHP developers.

[trifakir]

Since when is language design a grad. discipline? The Zend guys happen to be damn good programmers - have a look at the code of the interpreter.

Re:Backgrounds of the PHP developers.

[Elrac]

The Zend guys happen to be damn good programmers - have a look at the code of the interpreter

That sentence illustrates the problem and your lack of understanding of it.

Design and programming are two distinct disciplines. Some brilliant developers are good at both, but many people, myself included, get too much satisfaction from diving into coding to thoroughly think about what they are embarking on. The result is a program/system/language/whatever that starts with a clean small core but grows ever bigger and uglier as changes are bolted on. I tried PHP a couple years back and was disgusted by it. There's a reason why computer language design is a discipline of an academic subject, Computer Science: A wealth of knowledge has accumulated on how to do this kind of thing "right," and applying that knowledge will usually lead to a better end result.

Specifically, my beef with PHP summarizes down to: It makes simple things simple in a way that encourages sloppy coding. PHP is to the current would-be Web geek generation what BASIC was to teenage would-be hotshot coders in the late '80s: A way to achieve "gee whiz!" effects easily and cheaply. It's possible to write large, elegant programs in PHP, but that's not what usually happens.

Re:Backgrounds of the PHP developers.

[jacksonj04]

But on the plus side of PHP it's a nice convenient stepping stone between plain HTML and the godawful mess of punctuation that is Perl.

I code in PHP because I can quickly roll out powerful scripts, but the namespaces really need an overhaul.

Re:Backgrounds of the PHP developers.

[trifakir]

I disagree. Plenty of software in general, and some languages in particular suffer from the "too much design" disease. On the other hand, software which is being written well (for some definition of "well"), tends to outgrow the flaws in its initial versions even if at the end one can hardly recognize that this is the same software.

The classical example of an "overdesigned" language is Java (I am lousy at separating the language from its APIs). What you get is some more "reuse" at the price of unnecessarily complicated framework. With languages like PHP you learn the right way by mistake (which is not necessarily suboptimal) and you should have the guts to break compatibility from time to time.

As for being disgusted by PHP -- usually you don't get disgusted by the language but by what people have written in it (or around it - talking about some PHP extensions). One can always find examples of an extremely ugly LISP function with LISP being one of the most beautiful languages ever.

But I'm heading towards a treacherous field - discussing programming language merits - wasn't it "the best tool for the appropriate job"? So, let's keep PHP for all these "gee whiz" tasks which apparently the society needs, otherwise go explain the x millions of PHP-sites...

At the end we will all grow software like plants :)

Re:Backgrounds of the PHP developers.

[HermanAB]

I dunno - when I write Perl, it looks exactly like block structured C and people have no problems reading my Perl code. I suppose it is possible to create a mess in any language, if you try hard enough.

Re:Backgrounds of the PHP developers.

[bad-badtz-maru]

Is the interpreter written in PHP?

Re:Backgrounds of the PHP developers.

[CaptainPinko]

You can write perl like that --I do-- but that's really against the Perl culture. Like assuming $_ for many operations. Sure you can state it explicitly but the custom and culture is to assume it. Perl is meant to be written in a 'clever' manner. When I have to write Perl I write it similarily to the way I write my Java code, but that's not really kosher. I once saw code written in Java but in the style of LISP and it was painful. So in summary: writing neat readable Perl code is possible but it is not usingthe language as it was intended to be.

Re:Backgrounds of the PHP developers.

[dragonman97]

Unlike some of the other replies, I agree wholeheartedly. I am a Perl programmer, who actually has a clue about programming. (And I write legible Perl, thank you very much. [most of the time ;)])

I've just 'inherited' a PHP project, and I want to scream. I've finally had to 'learn my enemy.' So, wanting to know what the heck I was getting into, I bought a ton of O'Reilly books, and I read through a bunch of "Programming PHP" before beginning, so I wouldn't make the mistake of just slapping together whatever worked. Getting right into it, I was appalled at how poor the 'design' of the language is. It's a poor ripoff of many decent languages, slapped together in whatever Q&D way would 'make it work.' Why are phonetic string comparison functions part of the core language?! Those should be in a library! Why, oh why, was the scoping done so utterly backwards?! I was cleaning up some code, moving it into a function, and suddenly it stopped working. I had realized the answer the first time I tweaked it, but summarily forgot the second time around. What was it? Why, naturally, I had forgotten to do 'global $foo' inside my function - how stupid could I be to think code inside a function wouldn't pick up the contents of the variable as declared outside it?

*sigh* I've gotten a project with 15,600 lines of 'code,' and already gotten rid of 1200 lines of repetitive junk by applying some common sense to it. I have another 120 lines lined up to be shot today. (A diff -uw of 2 files turned up exactly 5 differences.)

PHP makes it way to easy for people without a clue to 'write code' that 'works.' Thank you all the same, but I prefer to keep my brain engaged in 'drive,' rather than 'park.'

Re:Backgrounds of the PHP developers.

[Dirtside]

It makes simple things simple in a way that encourages sloppy coding.

Frankly, sloppy coding is 99% the fault of the programmer. You sound like a carpenter who's angry at the hammer because he hit his thumb with it.

Re:Backgrounds of the PHP developers.

[I+Like+Pudding]

I think perl looks normal 80% of the time, but gets really nasty when you try and do something moderatly complicated.

Examples (package and var names chaged to protect the guilty [me]):

# This is using a DI container to pull down a closure $functionName
# and execute it with the args @args
$result = eval { &{$registry->locateService("/functions/$functionNa me")}(@args) } ;
 
# This is just scary
return "Foo::$class"->new($con->find('session'), $objectID)->$methodName;

Re:Backgrounds of the PHP developers.

[porneL]

Ou yeah? Eat $this->!

Re:Backgrounds of the PHP developers.

[iluvcapra]

Too much design can be a bad thing, but OTOH, if we could only convince those Zend guys that a hash and an array are two different things...

Re:Backgrounds of the PHP developers.

so when is perl 6.0 coming out?

hahahahaahahahahaahahaahahaaha call me in 30 years when that happens

Re:Backgrounds of the PHP developers.

quote: Specifically, my beef with PHP summarizes down to: It makes simple things simple in a way that encourages sloppy coding.

So you'd prefer language that was hard to use so only those who are dedicated to good programming methods will use it?

Re:Backgrounds of the PHP developers.

[aled]

Unless your hammer have the form of a letter J?

Re:Backgrounds of the PHP developers.

[CaptainPinko]

Perl should have stayed as a nice menage-a-trois of Bash, Sed, and Awk.

Re:Backgrounds of the PHP developers.

[aled]

I am lousy at separating the language from its APIs

Perhaps you are the one with the problem here. After all Java, like some other languages, have about 50 keywords, all the rest is API and is clearly noted as so in the documentation (see Java 2 Platform API Specification. Don't see how can be any confusion there.

Re:Backgrounds of the PHP developers.

[killjoe]

Personally I think the use of the "global" keyword is something PHP got right and every other language (except ruby) got wrong. When you are reading a function it's good to know where all the variables are coming from. In ruby they use a sigil, in PHP they use a keyword, in every other language you have to search through the function to see where and if the variable was declared and deduce that it was either a global variable or a typo.

To recap. PHP got it right, perl got it wrong. You are annoyed because it's not the way you are used to working but that has nothing to do with the merits of the scoping rules.

Re:Backgrounds of the PHP developers.

[aled]

Since when is language design a grad. discipline?

"Linguistics is the study of languages; it converges with computer science in such areas as programming language design and natural language processing."
http://en.wikipedia.org/wiki/Computer_science

Re:Backgrounds of the PHP developers.

[rycamor]

Agreed.

Heh, of all the things to complain about with PHP, why would someone pick *that* issue?

Re:Backgrounds of the PHP developers.

[A+beautiful+mind]

Perl makes easy things easy and hard things possible.

About your example, It seems very clear to me, but I'm writing obfus atm ;)

Re:Backgrounds of the PHP developers.

[SimHacker]

Oh, come on, don't be such an apologist for what is clearly Bad Programming Language Design. PHP is the vice grips of programming tools, which damages everything it touches, and doesn't do anything very well.

So you can concede that PHP is a badly designed broken tool, but you claim that it doesn't matter, because 99% of the time it's the fault of the programmer? Maybe PHP just attracts and cultivates bad programmers? Why would you choose a deeply flawed tool like PHP, when other excellent well designed tools like Python and Ruby are available for free?

-Don

Re:Backgrounds of the PHP developers.

[Electrum]

Personally I think the use of the "global" keyword is something PHP got right and every other language (except ruby) got wrong.

What is annoying about PHP is that you can't declare "superglobal" variables. It would be very nice to be able to use global outside of a function.

Re:Backgrounds of the PHP developers.

[crucini]

I agree with your distinction between langauge design skills and programming skills. But maybe you missed an important point: the experts who have studied the field thoroughly don't always create useful stuff for the rest of us.

Remember Tanenbaum's comments on Linux? Well, Linux works well in tons of applications despite being completely unsatisfactory to one of the world's leading OS experts. Same for Perl and PHP. They're practical, but ugly.

If PHP didn't exist, most of the PHP apps wouldn't be beautifully written in C++. They just wouldn't be written at all, and the world would be poorer for it. Also, much of what's written in PHP will be thrown out within months of completion. Why pour time into "properly" writing something with a short lifespan?

Re:Backgrounds of the PHP developers.

[dkf]

Personally I think the use of the "global" keyword is something PHP got right and every other language (except ruby) got wrong. [...] PHP got it right, perl got it wrong.

Tcl is another language that uses that approach (i.e. variables are always local unless explicitly declared otherwise). You're absolutely right that Perl got it wrong, even though they later hacked in something that goes some way towards correcting the mess (which is itself absolutely typical of Perl...)

Re:Backgrounds of the PHP developers.

[BuildGate]

>> The classical example of an "overdesigned" language is Java

The language itself is not "overdesigned". It is the Java programmers/developers who overdesign their programmes. All Java API/Technology exits for some reason:

eg.
Servlet/JSP/JSF - Web development
JTA - Transaction management
EJB - Enterprise stuff

Right tools for the right jobs. You don't need a J2EE Application Server when you just use Servlet. PHP is best for small app. But when you are talking about enterprise stuff, I won't consider PHP.

For Java,
App Framework: Spring (providing DI, AOP, Hibernate integration and more)
Security Framework: Acegi
Web Framework: JSF
ORM: Hibernate
...

All are production-level free stuff. Can you find similar stuff for PHP?

Re:Backgrounds of the PHP developers.

[rycamor]

Maybe you can't declare your own superglobals, but you can easily redefine (basically "repurpose") the existing ones. Here is a stupid example:

<?php
phpinfo();
$_GET = "Not what I put on the URL line";
function getit()
{
        echo "<br>{$_GET}</br>";
}
getit();
?>

Now run this in your browser and throw some vars in the URL and you will see that they show up in phpinfo() output, but $_GET is redefined afterward and available inside a function. Since $_GET or the other superglobals can be of any type, including multidimensional arrays or objects, you can easily exploit this to have truly global data structures. And in so doing, you can possibly even increase your security against URL request hacking.

Re:Backgrounds of the PHP developers.

[davetufts]

You can, but don't do the following then complain about how sloppy PHP is. You're making a sloppy decision. PHP is just letting you do it:

$GLOBALS['foo'] = 'bar';
echo x();
 
function x() {
  $out = 'foo is ';
  $out .= (isset($GLOBALS['foo'])) ? $GLOBAL['foo'] : 'not defined';
  return $out;
}

Re:Backgrounds of the PHP developers.

[bani]

yes yes yes!

this is one of the most annoying things about perl (other than the syntax, heh). perl's scoping is broked. PHP actually got it right.

Great, now what about hosting companies

[CastrTroy]

Are there any good (shared) hosting companies that support PHP 5(.1). Most of the ones out there seem pretty old in the stuff they support, with Apache, 1.3, a 2.4 kernel, running mysql 4, and php 4. Are there any good hosts out there that run new software? I know the old stuff is reliable and works, but sometimes it would be nice to have hosting with cutting edge tools, when stability doesn't matter so much.

Re:Great, now what about hosting companies

[CyricZ]

If you want cutting edge, then you'll most likely need to run your own server.

Serious hosting companies just can't risk running software that hasn't been widely tested. While there may be benefits from running the new versions of PHP, for instance, it could be a disaster if a security flaw leads to their servers being compromised. An incident like that could financially destroy a small- or medium-sized hosting company. At least the older versions of PHP have undergone more testing than the newer releases.

Re:Great, now what about hosting companies

my host runs 5.1.0 RC1 currently, so im sure they'll be upgrading real soon i love my host (phpwebhosting.com)

Re:Great, now what about hosting companies

[NuclearRampage]

You can try http://www.powweb.com/ They usually keep on top of upgrades and have had php5.0 running for a while now.

Re:Great, now what about hosting companies

[alan.briolat]

I agree completely - There is nothing more irritating than trying to write something that would benefit from features in PHP5, for example decent SQLite support, but not being able to because the script in question needs to be deployed on the 'average' (read: stone age) webservers. For the most part, things written in PHP4 work in PHP5, however the big scripts are sloppy in places, and as a result don't work in PHP5. And of course most of the webhosts' customers want to be able to run such scripts. So we are all stuck with PHP4, unless we are writing something that is only going to be deployed on a server we have control over.

Roll on PHP6 and its even longer list of problems for webhosts!

Re:Great, now what about hosting companies

[e-bart]

Agreed. I've been waiting years for PHP5 to hit the hosting market. A great part of my code is stuck because it won't run on current webservers. But maybe there's some good news. I've heard that hosting companies wait untill a x.1 release before adopting it. So, maybe now that PHP 5.1 is out, we'll finally see it popping up on webservers. :)

Re:Great, now what about hosting companies

[alan.briolat]

I'm afraid that until people like IPB, and phpBB, and phpNuke, and all those get their acts together, it's quite possibly just wishful thinking... That or maybe someone will set a trend by doing something bold like actually changing a few servers, and giving customers the choice.

Re:Great, now what about hosting companies

[e-bart]

T think it all depends on the server administration tools like Plesk. They're the ones that need to support it in their products.

Re:Great, now what about hosting companies

[dreadlock9]

I run a few PHP sites at DreamHost. For each domain you can choose PHP 4 or 5. I run all my domains on PHP 5, it works out well. You can host unlimited domains on any account, and your disk space and bandwidth are increased every week. It has a nice community atmosphere with forums, voting on new features, and a humorous newsletter.

Follow the link to find out more (note that if you sign up with this link, you'll be my referral)
http://www.dreamhost.com/r.cgi?sproutworks

Re:Great, now what about hosting companies

1and1.com has offered PHP5 for some time... find a better host

Re:Great, now what about hosting companies

[Bitsy+Boffin]

Excuse the shamless plug :-)

Re:Great, now what about hosting companies

www.serverseed.com

php 5 option.

Service rocks! Ive been with them on the php5 option for a year now and absolutely dig it.

The absolute latest php and mysql on apache 2, all wrapped in cpanel for admin'ing.

Re:Why am I getting spam from Linspire?

[ajs318]

I had one of those too. I use Virtual Hosting, and so give everyone slightly different versions of my e-mail address -- then I can tell who's been selling my address on.

The one they used to contact me was one I had supplied in an e-mail regarding the nVu HTML editor. {In the end I couldn't get to grips with it, and went back to kate, which -- like most of KDE -- has gone from strength to strength}.

PHP Security

[shiflett]

Some of us are trying to help the situation by educating PHP developers. For my part, I try to write articles (and make them available for free), give talks at conferences and user groups, and answer questions on mailing lists and forums.

There's also the PHP Security Consortium, the Zend Framework (which will hopefully include most things on my wishlist as well as solve other problems), and a new input filter extension.

As BP says, it's a start.

Re:PHP Security

[bad-badtz-maru]

Your wishlist is excellent, I would absolutely love to see those items go into PHP instead of useless items like the pthread wrapper. I am sure that community and industry response would be positive, as well.

Do they really take security seriously?

[CyricZ]

It strikes me as odd to suggest that they take security seriously, yet it will take them to version 6 to get something that is remotely becoming secure. Not only that, but it sounds like they've had to take such security enhancements from the Hardened-PHP project, rather than implementing it on their own.

Re:Do they really take security seriously?

[shokk]

Yes! Damn those code contributors! They've ruined open source since 1985.

Re:Do they really take security seriously?

[CyricZ]

The problem is obviously not with the Hardened PHP project contributing their work. The problem is that the developers of PHP appear to be unable to include basic security functionality into PHP themselves, and thus must resort to having 3rd party developers do the work they should be able to (but apparently cannot) do.

Re:Do they really take security seriously?

The problem is crack you fucking one eyed one legged crack whore. CRACK!!11one

Re:Do they really take security seriously?

"It strikes me as odd to suggest that they take security seriously, yet it will take them to version 6 to get something that is remotely becoming secure."
It is already secure, they are making it more secure by default. Yahoo uses it for huge sections of their site, and thousands of sites run on php - securely. Your perception and opinion of the relative security it offers is nothing more than trolling. Nevertheless, php4 is frozen, as is 5.0. 5.1's new feature set was already determined months ago. 6.0 is the right tree for substantial changes. Yes, it takes time to get there, but that also means time to polish, and ensure that its not buggy. I'll take slow over buggy every day.

"Not only that, but it sounds like they've had to take such security enhancements from the Hardened-PHP project, rather than implementing it on their own."
They are one and the same. The members of Hardened-PHP are also members of the PHP internals team. The Hardened-PHP project exists to offer more security *sooner*. Much like many of the features of OpenBSD make their way into NetBSD eventually, the features from Hardened make their way into PHP - when the time is right for it.

But even if it was a third-party team (and its not), thats what opensource is about - accepting good ideas from anyone!

Re:Do they really take security seriously?

[shokk]

Not if you consider the two groups a single community.

Re:Why am I getting spam from Linspire?

[arkanes]

FYI (if you didn't know already), nVu is funded and developed by Linspire, so it's unsuprising that they signed you up for the email list. I bet the privacy policy even says so. So while I know that it's annoying, it's not that nVu sold your email address to Linspire, or (neccesarily) that Linspire buys email addresses - nVu *is* Linspire.

Some more alternatives to MySQL

[Elrac]

I apologize for being a bit off topic, but I'd like to throw in a couple of cents' worth on newly emerged alternatives in the "free DB" arena. Hopefully PHP support for these will be forthcoming forthwith:

• IBM has spiffed up Cloudscape to be somewhat compatible to DB2, renamed it to Derby and is giving it away
• Oracle is giving away a mildly crippled version of its DB, I don't remember the exact circumstances
• ADABAS, also known as SAP DB, is now also FOSS
• Firebird, née Interbase, was freed years ago and is said to be working well and under active development. I don't know why so few people seem to like it.
• I believe I heard about SQL Server being "free" under some circumstances too, but I'm not sure.

So... many thanks to MySQL for being a forerunner in the "free DB" department, and more thanks to other, formerly proprietary-only vendors for making their products a little more accessible to the common man!

Re:Some more alternatives to MySQL

[TheTomcat]

PDO is a free solution to most of these. It's slated to go stable this weekend.

IBM has spiffed up Cloudscape to be somewhat compatible to DB2, renamed it to Derby and is giving it away
PDO_ODBC, Zend Core for IBM

Oracle is giving away a mildly crippled version of its DB, I don't remember the exact circumstances
PDO_OCI, Zend Core for Oracle

ADABAS, also known as SAP DB, is now also FOSS
This one, I know very little about..

Firebird, née Interbase, was freed years ago and is said to be working well and under active development. I don't know why so few people seem to like it.
PDO_Firebird

I believe I heard about SQL Server being "free" under some circumstances too, but I'm not sure.
Correct, it's called "SQL Server 2005 Express Edition", formerly MSDE. (although, I've not tried EE2005, only MSDE -- it worked well)
PDO_DBLIB

S

Re:Some more alternatives to MySQL

[killjoe]

There is a crippled version of SQL server available for free but it only runs on windows. This is basically because the primary purpose of SQL server is to lock users into a windows platform. A very good example of this is the fact that SQL server enterprise edition will not run on windows server 2003 but requires windows server 2003 enterprise edition.

If you want an excellent but crippled database you are better off going with oracle which does not shove an operating system down your throat and will work with every platform.

Having said all that there is no real need to run a crippled version of anything when there are so many excellent, proven open source databases on the market. See firebird, sapdb, ingres, etc.

Re:Some more alternatives to MySQL

[tod_miller]

Oracle is giving away a mildly crippled version of its DB, I don't remember the exact circumstances

Same flavour jam, but only 1gb ram and 4gb of pr0n db goodness per machine. Probably limited to 2CPU's as well. Or less. Or Maybe no CPU limit.

select * from oracle_customers order by db_size ram_size group by db_size ram_size

Take the bottom 2% and they are the specs you release as 'free'

*note to self, ctrl-x-s is not how to post a message in slashdot o.0

TROLL!

MySQL support has NOT been dropped!

Re:TROLL!

> MySQL support has NOT been dropped!

I am Jack's complete lack of clue.

Re:TROLL!

[HermanAB]

Well, he didn't say 'dropped', he said 'droped' - whatever that means...

What's up and coming in PHP6

[Philmeeh]

If anybody is interested in what is coming up in PHP6 you can read an overview here. Looks like the main push of the next release is to stop people coding things wrong (by depending on register globals and magic quotes). Oh and the small thing about adding Unicode support. Unfortunately this will probably mean a slower adoption than PHP5 as it is likely to break popular scripts (such as forums, blogs etc) which will mean that Hosting Companies are unlikely to touch it till the script writers update their scripts.

I here lot's of bickering about PHP 5 ...

[Qbertino]

... still having no namespaces and lacking in full-blown OOP and all.

So what?

PHP is the web generations basic. No more. But no less either.

Given that loads of very usefull webapps out there are built in PHP
I'd say the criticisim is mostly inadequate whining. If PHP doesn't
cut it for your job, take something else. No big deal.

Re:I here lot's of bickering about PHP 5 ...

Finally, someone who gets it. PHP isn't your only option, but its more than just senseless whining and complaining with these holy wars between programming languages. It's the entire principle behind the complaints. PHP is being heavily criticized in the least important areas. PHP is a fine language. To this day I still program in PHP4 on a daily basis practically and sometimes I don't even use OOP. I honestly just don't understand the /. community. An article about C++/Java/whatever comes out and there is a flood of trolls complaining about OOP and how horrible it is and how god himself would use C. The next day, a similar article comes out and there is nothing but whining about how there isn't enough OOP! Developers need to stop being so critical of the language. Don't get me wrong... sure, they're are times when languages (any/all languages) have shortcomings and it does merit complaints, but what I don't understand is developers blaiming the language for their crappy code. Ok fine, blam the language for lack of features or functionality, but for gods sake, please don't blame the language because you're too lazy to optimize your code or think about security or whatever other concern you have. The language, can help you with that, but it seems as though developer's are becoming far to dependant on these tools and are writing code with little to no planning before hand about design, security, or usage of the language's syntax (such as OOP). I myself code with OOP almost all the time with only a few exceptions on small projects, but the difference between a good programmer and a bad one in which language they use is their ability to adapt to what that language has to offer. Just because you can't code in PHP the way you can in Java doesn't mean it's a bad language. It means you need to adapt to it. Once you adapt to the concepts associated with that language it becomes easier to find the shortcomings and use other methods to produce quality code.

Re:I here lot's of bickering about PHP 5 ...

I agree... I'm using PHP since PHP 3 and it's one of the best languages for easy programming. When i was starting programming PHP enabled me to do a full-blown app in a month. A badly designed one let me add, but I can do it. In Java it would take me a month just to learn the basics.

I think PHP is a fun language because you can start programming and doing small stuff in 1 hour, the docs are good and right now with php5 it also has appeal to advanced programmers. PHP started as a "easy to use" language but right now i think it can also appeal to advanced programmers doing complex stuff. At least I still like it and right now i'm using it to build very complex websites.

Security is an issue in PHP because the programmer has to do it, i don't know if that's good or bad but when i was learning PHP i was alerted many times to protect my forms, etc.

I agree that PHP has many flaws, some design/sintax issues but it still is easy to learn and also easy to master (ok, my webhost doesn't have ruby so i can't use it :P).

I don't need namespaces and i don't see how can they improve my apps (well, i can see but i prefer not). Just because other languages has it doesn't mean I need it. Do you want every language to have exactly the same features? I don't... i want languages that are easy to learn, hard to learn, languages strongly typed, loosely, etc...

Umm

[rsax]

[X] Microsoft ?

My pet peeve with PHP

I have been developing (or trying to develop) web apps with PHP for a couple of years and I dislike it more and more every day. I realized it was a shitty language upon discovering that there was no way to avoid loading my application classes and objects with every damn page view, but the single most irritating "feature" for me is that an included file does not "know" where it lives in the directory tree, so that if you want to include another file from the included file (to properly use an esoteric and modern feature like inheritance), PHP will not look for it relative to the first included file directory, but to the ORIGINAL SCRIPT position! Forget about any system variable that tries to tell you where you are, as those do not work consistently across versions, systems or whatever. You are basically precluded from using anything but absolute pathnames in your include files if you plan to include the same file from (gasp) scripts in different directories.

PHP, is it API or language?

[freezin+fat+guy]

Now that PHP is popular it is undergoing something of an identity crisis. Rasmus said it was an answer to "the web problem", a very simple answer. A "right to the point" approach, terse rather than elegant.

But as more "serious" developers pick it up, more "serious" features are requested.

The fact is, if you're flexible you can build whatever you need in PHP4. It may not always be the way you prefer to code, but you can do it.

PHP is what it is. And it won't appeal to everyone. Fortunately there are many other platforms for the unsatisfied. Take your pick.

If your primary gripe with PHP is that it isn't enough like Java, shut up and use Java. Same for - insert language here -

I am very interested to see the new framework being promised by Zend and IBM. (http://www.zend.com/php-collaboration/) Can they really deliver on their promises? If not, I do predict a mass exodus to ROR. PHP could wind up being relegated to individual scripts or 5 page websites.

Re:PHP, is it API or language?

[Q2Serpent]

You know what, I'm sick of this argument. Even if I don't choose PHP for any of my projects, it matters to me who chooses it and how popular it becomes.

Why?

1) The more people who think it's a good language and start using it, the more poorly-written, insecure web sites there will be. Yes, you can write secure pages in PHP, but you can also write secure pages in assembler. Do you think either one is a good idea?

2) The more people who think it's a good idea to uses PHP, the more people are in need of third-party libraries. This means fewer third-party developers working on libraries for decent languages.

3) The more people who use PHP, the more projects are floating around, and the chances of me having to maintain one increases. Have you ever had a PHP project dumped in your lap? Did you appreciate it?

So no, I don't buy the argument that I should just keep quiet and let people use whatever they want to use, because it DOES affect me. I believe that the proverbial "we" would progress much faster in all areas of computing if certain languages just died. Too bad I don't think natural selection works in the current market place because I don't believe it truly is a free market.

-Serp

PHP alternatives

[sprintstar]

I currently code in php (and use MySQL). I like some of it (a very rich language), but dislike other bits (a very rich language). Its like a programming language designed by a programmer, but that doesn't necessarily make it any good. Can someone give me a list of alternatives? Someone mentioned Ruby, I will look into that one. Any more?

Re:PHP alternatives

Perl. It has CPAN, it has DBI (one of the best database-access systems around, for any language), it has mod_perl, it is a "real language". BTW, it has most of the fancy functional programming features, tuples (cons) being, probably, the only exception.

Re:PHP alternatives

[iluvcapra]

When you hear Ruby in the context of web applications, the speaker definitely means Ruby on Rails. For writing more than the simplest web application, it's probably a php killer, on account of its price ($0) and relatively flat learning curve (even if you've never done ruby). Others have observed that RoR has subtle ways of making you do the right thing in a given programming situation, even if you don't know what that is at the time. I dare say that rails teaches the coder alot about object-oriented programming just by using it.

RoR is just 1.0 now, and though the API is still shifting around a bit, it does so only about as much as php, and rails is just a framework, not the whole language. The ruby language itself is quite stable at this point. OTOH, I found that porting my existing web app over to RoR was impossible, or at least so difficult that it wasn't worth the trouble over re-coding it from scratch (and making it a much better app in the process).

Re:PHP alternatives

I currently code in php (and use MySQL). I like some of it (a very rich language), but dislike other bits (a very rich language). Its like a programming language designed by a programmer, but that doesn't necessarily make it any good. Can someone give me a list of alternatives? Someone mentioned Ruby, I will look into that one. Any more?

Start with dumping MySQL for PostgreSQL. At that point, you'll have a real database instaed of an unstable toy and can concentrate on finding the best language for your application.

Re:PHP alternatives

[sprintstar]

I hear talk of Perl a lot, I will read up on that too.

Re:PHP alternatives

[sprintstar]

Ah ok, Ruby on Rails. That link makes some good reading..

Re:PHP alternatives

[sprintstar]

Well to be honest MySQL has been fine for what I have been using for, mainly blog entries on www.fastbug.net, which is pretty light work. I am aware that its not so suitable for large databases.

Re:PHP alternatives

[masklinn]

Ruby has gained a LOT of momentum lately (it was virtually unknown a mere year ago in the western world) thanks to the impressive Ruby on Rails lightweight framework (where lightweight means that it's not a damn full blown J2EE heap of garbage for you Java guys).

Another nice alternative with a language that is actually worth coding in is Python, either raw (Library Guys for the win !) or using one of the numerous frameworks (Turbogears and Django are quite good, just so you know).

Re:PHP alternatives

It also has illogical program constructs ("while (<>)" and "$_" come to mind). Plus, most code is almost indistinguishable from line noise or the output of /dev/urandom.

Since this is a language flame, I'll remain AC. :)

And still no sign of work on #29337.

[geminidomino]

Strange how this bug doesn't even show up on a search, but punching it in manually brings it up, and google shows you where it is.

Apparently the ticket hasn't been touched since it was reported 16 months ago.

Re:And still no sign of work on #29337.

PHP's source is available. The bug reporter clearly know how to fix it. Why not fix it themselves, and distribute the patch, and even post a diff on the bug report, and maybe, who knows, it'll be added?!

Re:And still no sign of work on #29337.

Fixed, submitted then rejected. Open Source at its best!

Re:And still no sign of work on #29337.

[geminidomino]

Do you happen to have the patch still available? I've got a personal project that could reall uyse it.

PHP is a joke

It's so widely deployed, yet is still very much a language in development. Core changes are made frequently which break compatibility with previous releases, it's very annoying and frustrating for a developer to keep up with this sort of thing, considering that PHP isn't the only language needed to be known. Poor are the folk who have to keep up with the latest programming fads. The world needs more standardization. PHP needs to be standardized, with no more drastic changes/extensions made to the core. After that is done, tweaking performance and security should be focused on, considering the nature of PHP.

Re:PHP is a joke

I won't take PHP seriously as long as the core developers continue to think that the lack of an equivalent to asp's "Option Explicit" or perl's "use strict" is a good thing.

Re:PHP is a joke

Then you can set the error reporting level to E_ALL:

error_reporting( E_ALL ); // for run-time

RTM: http://www.php.net/error_reporting

Re:PHP is a joke

That's a poor replacement for option explicit/use strict/etc as it requires a change in php.ini to even enable displaying of the error.

Re:Still no namespaces ..

[RedLaggedTeut]

Couldn't one abuse classes as namespaces?

The only thing missing is the ability to alter the class def a la adding "friend"s

You forgot one.

[Some+Random+Username]

Mysql's "amazing speed" is only for weak benchmarks of a single user running queries in serial. Once you start having many users running many different queries at the same time, its performance falls apart. This is where the mysql speed myth comes from, people comparing 100,000 simple select statements in serial for mysql and postgresql, and mysql being faster at it.

Re:You forgot one.

[jZnat]

Oh boy, I can account for this claim completely. I used to co-program with another person on a large website that used MySQL from the start. Him and myself would constantly look for ways of increasing performance and minimising lag, but we never tried using a different database. With a site that massive at the time, we should've been using PostgreSQL at least, or even Oracle or DB2 or similar if we could get the money to buy it. I even went as far as rewriting the entire system with the most optimised PHP code possible, and we minimised database usage and dependence, moving several things to sessions that would occasionally update from the database. We even used partitioning strategies by placing the main culprit of the data usage, the forum's replies table (nothing would get purged, only archived with an archived bit set to 1), on a separate hard drive that was only used for storing backups of the database. Performance shot up for a few days, but it quickly went back to sucking ass.

Sure, with all that, I've come to learn how to exploit MySQL to get its best performance, and how to use PHP to its maximum performance, but we would've been better off using a transactional database for one, and more specifically if we had used PostgreSQL from the start. Those efforts are primarily available here, but since the inital optimisations, I've transferred everything to use ADOdb Lite. I hope to get this transferred to a PostgreSQL database instead, but it won't matter much for the original site in question as I no longer program with him.

Flamebait my ass, this is true.

[Some+Random+Username]

Mod the poor guy back up, PHP's mail() function is completely retarded. I have never seen a single PHP contact form that isn't exploitable to send spam because of this nonsense.

Re:Flamebait my ass, this is true.

[e-bart]

You should blame that on the PHP developer and not on PHP.

Re:Flamebait my ass, this is true.

Never heard of human input validation?

Re:Flamebait my ass, this is true.

[I+Like+Pudding]

Yeah, just like we should blame all the developers who used zlib for being vulnerable to the double-free.

Retard.

Re:Flamebait my ass, this is true.

[e-bart]

Troll...

Re:Flamebait my ass, this is true.

[Tomnibus]

You can find my forms aren't exploitable due to this problem because I caught it early on and I have a fix in place that they cannot get through.

PHP Performances

[bryxal]

In fact, there was a rumor that Zend bought and killed http://sourceforge.net/projects/turck-mmcache/, the best accelerator out there because it competed with their commercial product.

Did they not buy and Kill Turck MMChache but hired the main developper to work for them thereby "killing" the project.

IMO PHP is great for doing many things it will never replace C/C++ or JAVA but its a quick and simple solution. and Yes there are many bad php scripts out there. theres also a really bad web browser with many security holes let it go nothing will ever be perfect.

Yes there are many features that could use to improve itself but the idea behind PHP is quick and easy. the cost of bulding a program usually rely on the programmers not on the hardware and if you are into making a big site just install APC yourself who cares if a compiler is built in the default. for your default needs it doesn't matter hardware is relatively dirt cheap to your programming costs. What makes php so good and popular is that to write to the screen you don't need 4 classes of buffers and such you go echo to get the contents of a file be it web or not you go file_get_contents(http://www.example.com/ and voila you get stuff done quicker. its not optimized but really you'll get more impact on a script if you have a good algorythm than if you do some real hard core optimizations (like taking MM turk over APC or another that compile first the scripts)

and lets not even talk about the community surrounding PHP with so many open source classes to speed up development. that the power of PHP.

As a side note my wishlist for PHP includes overloading and type hinting/auto converting before namespaces.

How completely inapropriate.

[Some+Random+Username]

Ruby has the exact same problems he mentioned. How is a weak, dynamic typed language that is not compiled supposed to solve his complaint that PHP is a weak, dynamic typed language that is not compiled?

He is wrong though, PHP is compiled. Its just compiled every single time you request a page, making it slow. Accelerators exist to compile PHP once and then cache that. This is not possible with ruby because it is not compiled, it is interpreted.

Re:How completely inapropriate.

[jadavis]

Ruby is a strongly typed, late binding language (dynamic binding, but at a later point than java).

Consider:
PHP (weakly typeed, late binding):
$x = 1;
$y = '2';
echo $x+$y;
# prints 3

Ruby (strongly typed, late binding):
x = 1
y = '2'
puts x + y
# ERROR

Re:How completely inapropriate.

[masklinn]

Ruby has never been weakly typed even in the wet dreams of the zend dev team.

PHP5 deserves any criticism it gets

[tehshen]

Since when has the "If you don't use it, stop complaining" attitude been acceptable? I don't use Windows, but I'm constantly pointing out its faults to people so they're less likely to get infected and have their computer send out spam. I don't smoke, but I'd rather point out the dangers of smoking to someone than let them cut ten years off their life.

A while ago, I tried writing my own blogging system using PHP, because it would be easy to find someone to host me. I kept having to look things up (isnull or is_null? arrlen or array_length? (neither, it's count)), typing mysql_this, mysql_that instead of using namespaces is annoying, lack of a good scoping system very annoying, etc etc. I did want to use PHP, but didn't, because I thought it sucks. Would you prefer it if I didn't say anything, and just let the PHP guys carry on with the mess they've made? Hint: that wouldn't accomplish anything.

"PHP is the web generations basic". Oh great, the web generation is growing up thinking that mysql_query( $_POST['input']) is a good idea. After all, magic quotes will make sure it's safe, so gets(input); system(input); in C should be safe! Intentionally or not, PHP is the first language learned by many people nowadays, so it should at least educate them into good practices instead of just doing stuff for them. (Doing things for the user is one of the things that Microsoft gets flak from here, too). PHP tried this before, with register_globals, and look what that turned out to be.

Surprisingly, people actually want to make PHP a better language, but apparently any complaints should be met with "Don't like it? Then get lost!", leaving PHP as it is. Oh well.

Re:PHP5 deserves any criticism it gets

Since when has the "If you don't use it, stop complaining" attitude been acceptable?

Usually thats a scape goat for a lot of people, but in all honesty they are almost forced to use it because their are just some people that won't get off their backs. It's like when a little kid asks "why?" too much, an educated parent would simply say "because I said so."

A while ago, I tried writing my own blogging system using PHP, because it would be easy to find someone to host me. I kept having to look things up (isnull or is_null? arrlen or array_length? (neither, it's count)), typing mysql_this, mysql_that instead of using namespaces is annoying

Namespaces would be nice, but I honestly don't see whats so bad about the current system. I've written some very nice projects without using namespaces at all, and guess what, entire operating systems have been built without namespaces! Also, your inablity to memorize function names is not the fault of the language. You are obviously trying to turn php into something its not by suggesting that ABC naming system is not as good as XYZ naming system. Don't blame the language just because it does functions a little differently. It's part of learning the language. The more you use them, the better you'll know them and the more natural it will seem. Just try not to force that natural state you've come to acquire into another environment when learning a new language.

"PHP is the web generations basic". Oh great, the web generation is growing up thinking that mysql_query( $_POST['input']) is a good idea. After all, magic quotes will make sure it's safe, so gets(input); system(input); in C should be safe!

No one ever said magic quotes would make these things safe. NO ONE! This paticular quote of yours is 100% plain and simple a lack of knowledge. Php has a wealth of functions that will strip slashes and quotes and html elements to make input safe. In the end though, its up to the developer to make sure the input is safe. Your little examples are totally pointless. You could write any variation of that system(input); example in ANY language! You seem to think because php is a web language that its exempt from this. Well it's not! Any developer in their right mind knows mysql_query(input); is insecure... but again, how in the world do you think thats the fault of the language???

Intentionally or not, PHP is the first language learned by many people nowadays, so it should at least educate them into good practices instead of just doing stuff for them. (Doing things for the user is one of the things that Microsoft gets flak from here, too).

three letters... wtf?! PHP does a fine job of educating people on good practices. If some noob comes along and copies and pastes crap code from a tutorial site on geocities whose fault is that? The developer's or the languages? That's like blaming Toyota because some jerk is a bad driver. The thing that really dropped my jaw on your statement is the part about php "just doing stuff for them". What are you talking about! What is it that php does for them? Provide commonly used functions to make development easier? Thats "doing stuff for them"???? It's pretty clear you've never programmed using Microsoft technologies or in php. The reason MS got so much shit was because their IDE messed with people's code with their autocomplete feature. On top of that, it is VASTLY improved now. Have you ever used VS.NET 2005? Hell I bet not. You're still living in the 90s. I bet after a long hard day of posting non-sense to /. you head over to Sun's website and post "Java is slow" all over their message boards. You have no real world expierence with this kind of stuff and base your entire opinion on some goof-ball posted on a message board. Please... LEARN php and learn it well before stouting your uneducated opinion. And don't bring up MS references if you have no idea where they come from. Please, do some research.

Re:PHP5 deserves any criticism it gets

guess what, entire operating systems have been built without namespaces!

Well firstly, "entire operating systems" could be anything from a few thousand lines to a few million lines, so that's pretty meaningless. Secondly, other languages without "namespaces" generally have some other mechanism to manage the namespaces; this isn't so with PHP, as everything is included by default (e.g. the Date class is there without having to #include <date.h> or similar).

Also, your inablity to memorize function names is not the fault of the language. You are obviously trying to turn php into something its not by suggesting that ABC naming system is not as good as XYZ naming system.

You're missing the point. He's not saying that one naming system is not as good as another. He's saying that any naming system is better than none at all.

The more you use them, the better you'll know them and the more natural it will seem.

I've been using PHP for years, and it's not natural in the slightest. This isn't about having to learn a language, it's how usable the language is in general.

No one ever said magic quotes would make these things safe. NO ONE! This paticular quote of yours is 100% plain and simple a lack of knowledge.

WTF is magic quotes for then?

In the end though, its up to the developer to make sure the input is safe.

And since magic quotes defaulted to on for such a long time, legions of developers made sure the input was safe by doing nothing whatsoever. Of course, it was only safe on default installations, and it wasn't safe once the default configuration changed in newer versions, which is precisely the problem.

You could write any variation of that system(input); example in ANY language!

Yes, but no other language shipped with a default configuration that made it safe but unreliable for years.

PHP does a fine job of educating people on good practices.

Bollocks, and the magic quotes feature is a prime example. You've just finished explaining how no sane developer would pass user-supplied data directly to the database, but that's exactly what magic quotes was developed to allow.

The thing that really dropped my jaw on your statement is the part about php "just doing stuff for them". What are you talking about! What is it that php does for them?

The statement was "it should at least educate them into good practices instead of just doing stuff for them". Magic quotes "does stuff for them", and you've just explained how the intended use for magic quotes is not best practice. You shouldn't be amazed at his statement, you should be agreeing with it.

It's pretty clear you've never programmed using Microsoft technologies or in php.

No, it's pretty clear that he's used PHP and doesn't like it, and you are just a raving fanboy who is willing to gloss over the obvious deficiencies in his favourite tools.

Re:PHP5 deserves any criticism it gets

[tehshen]

Namespaces would be nice, but I honestly don't see whats so bad about the current system. I've written some very nice projects without using namespaces at all, and guess what, entire operating systems have been built without namespaces!

Entire operating systems have been written in Assembly, too - so what? Just because you can do without a feature doesn't mean it shouldn't be included, or we'd all be coding in ASM.

Also, your inablity to memorize function names is not the fault of the language. You are obviously trying to turn php into something its not by suggesting that ABC naming system is not as good as XYZ naming system. Don't blame the language just because it does functions a little differently. It's part of learning the language. The more you use them, the better you'll know them and the more natural it will seem. Just try not to force that natural state you've come to acquire into another environment when learning a new language.

PHP has no naming system to learn! Some functions are ABC (isset), others are XYZ (is_null). It is far from natural - I keep having to look at the docs to find out how to spell the function I am trying to use. Having written some very nice projects, you should know that!

No one ever said magic quotes would make these things safe. NO ONE!

Then what are magic quotes supposed to do? Initially, they were designed to make scripts safer, despite what you want to think. Today everybody seems to have realised what a bad idea it is, and the PHP docs recommend turning them off. Hardly anybody does, though, because having them off by default would break all the poorly-coded scripts.

Any developer in their right mind knows mysql_query(input); is insecure... but again, how in the world do you think thats the fault of the language???

Do you really think that all PHP coders are in their right minds? PHP does not say that mysql_query() is secure, but it doesn't say it's insecure either. A big red "Use mysql_escape_string() first before using this function!" in the docs wouldn't go amiss. If a language doesn't warn about bad security, it's the language's fault, plain and simple.

three letters... wtf?! PHP does a fine job of educating people on good practices. If some noob comes along and copies and pastes crap code from a tutorial site on geocities whose fault is that? The developer's or the languages? That's like blaming Toyota because some jerk is a bad driver.

Car analogies, eh? It's like blaming Toyota because some jerk is a bad driver, when the accelerator and brake are ångstroms apart from each other.

The thing that really dropped my jaw on your statement is the part about php "just doing stuff for them". What are you talking about! What is it that php does for them?

Magic quotes! Register globals! For someone who commands others to do research, you're needing to do a bit yourself.

The reason MS got so much shit was because their IDE messed with people's code with their autocomplete feature.

Actually, I was talking about how Windows just presumes that you want automatic updates installs, assumes that you're too stupid to open ports for any services (it leaves them wide open) and assumed you want to run script attachments in outlook express. Stop putting words in my mouth.

You have no real world expierence with this kind of stuff and base your entire opinion on some goof-ball posted on a message board. Please... LEARN php and learn it well before stouting your uneducated opinion. And don't bring up MS references if you have no idea where they come from. Please, do some research.

Now that's just unkind. I have learnt PHP, and I have tried to use it, but it became so annoying (for reasons that I have already explained) that I stopped. Please, do some research.

PDO

[porneL]

PDO is the first API/extension in PHP that looks like it was designed before writing.

That's big step away from MySQL and magic_quotes mess.

Re:PDO

[jZnat]

I do recall that someone didn't want PDO to be built into PHP. I personally use ADOdb Lite, the much faster version of ADOdb. Now if it weren't such a bitch to port code between different APIs, I'd gladly try out every API under the sun, but for now, ADOdb is fine. Now if only there was a Perl DBI module for PHP and we'd be set. PHP needs more of that.

Re:PDO

[PhYrE2k2]

You'll also note that "I'm working on an alternative at present." is at the top of that article. So note the bias. Of course not everyone will like every extension, addition, or modification in many languages- you get used to a certain style and way.

He is bashing the specific implementation, but the concept is the same. PDO is _A_ solution. It's a good solution. It is technically very stable. It working out of PECL (and just a base is distributed with PHP-5.1) means for easy updates if compiled with shared support.

The idea is simple- A universal layer (a-la DBI) is needed in PHP and it offers it. It does a pretty good job as well. It offers it low-level in C. It emulates features (prepare/execute) for databases that can't support it- a damn good feature.

PDO is a start. personally I'm all for it and think it will take off. Think of the scalability too- During development on your local machine you use flat files. Then you post it to a site and use sqlite during testing. Then you take it to a host with mysql support and use that. Then you take it to postgresql clusters and use that. All with minimal code changes. Most won't have all those steps, but it'll be nice to be able to switch swiftly between them all, and not have foreign methods of doing things all over the place.

-M

Re:PDO

[jZnat]

During development on your local machine you use flat files. Then you post it to a site and use sqlite during testing. Then you take it to a host with mysql support and use that. Then you take it to postgresql clusters and use that.

Well, any self-respecting PHP programmer would skip the MySQL step (except maybe to verify that it works)...

Re:PDO

[aled]

Think of the scalability too- During development on your local machine you use flat files. Then you post it to a site and use sqlite during testing. Then you take it to a host with mysql support and use that. Then you take it to postgresql clusters and use that. All with minimal code changes. Most won't have all those steps, but it'll be nice to be able to switch swiftly between them all, and not have foreign methods of doing things all over the place.

Yeah, like Java... (* me ducks *)

PostgreSQL and Partitioning

[daveed]

The new version of Postgres does have a version of table partitioning. Ain't tested it, don't know how much of an improvement it does on large table scans..... but still.

PDO

[PhYrE2k2]

WHo cares? PHP-5.1 introduces PDO from pecl into the mainstream distro. The idea of course being that it doesn't matter what is behind your scripts as long as PDO is used. Consider it DBI essentially. So your app can work with sqlite, mysql (transactions or not), postgresql, etc. in a much more consistent manner.. Sure there may be slight variations, but stick to the SQL spec and you should be okay.

-M

Never Program- RFC822, workarounds

[PhYrE2k2]

You sir, should never program.

Always validate all input provided by the user that is used in any way. If it's in a database you're smart enough to escape it (or use query replacement methods that do it for you). If you're sending mail, you damn-well be sure it's an e-mail address. You have RFCs to guide you on this:

http://www.w3.org/Protocols/rfc822/
      A field-name consists of one or more printable characters (excluding colon, space, and control-characters). A field-name MUST be contained on one line. Upper and lower case are not dis-tinguished when comparing field-names.

It defines what characters are valid, and if you are about to pipe whatever data you accept into an e-mail, that's something YOU decided to do.

IT IS YOUR JOB to make sure that what you put beside FROM: (or anything in that parameter) is an e-mail address. It shouldn't have a newline. It shouldn't have escape characters. It should probably contain only a limited regex. Would you put an SQL query someone enters into a database? Then why an e-mail address to sendmail?

On a side note, the only way around this is to have a programming language that tags data as tainted if it came from or was derrived from user input and not allow it for input, and having functions that sanitize data and remove that flag. This is first off slower and second not optimal in many situations.

Re:Never Program- RFC822, workarounds

[rycamor]

Indeed. The parent poster sounds like someone who would complain that C won't automatically prevent buffer overflows. Every language designer must make a choice about what level of abstraction that language will attempt to cover. PHP is basically just a scriptified C. Nothing wrong with that, but it is not a hand-holding language. You are still responsible for validating user input at every level. I suppose in that sense PHP is not the equivalent of Java+[giant servlet framework]. It is more the language for someone who wants to design a framework *.

For example, to deal with the mail problem, try using a decent mail handler class like phpMailer

* Unfortunately though, most PHP frameworks are, er... slightly... horrible.

Re:Never Program- RFC822, workarounds

[woolio]

On a side note, the only way around this is to have a programming language that tags data as tainted if it came from or was derrived from user input and not allow it for input, and having functions that sanitize data and remove that flag. This is first off slower and second not optimal in many situations.

I think there may be a way to avoid the performance penalty with the use of strongly typed language...

If I were using C++, I would have several types for "strings". (WebQueryString, CommandArgString, SQL_QueryString, etc). Either built-in (or user specified) methods would santize/convert strings..

For example, if I wanted to use a web form value as a command-line argument (say for a filemanagement script), then the mere act of casting a WebQueryString to a CommandArgString would cause it to be properly escaped.

Similarly, passing a WebQueryString to a function that took a SQL_QueryString type would cause it to be properly escaped... (Well, I'm being a bit sloppy, queries would probably have to be split apart into many different types to represent the different components (noun, verb, etc))

Basically, a strong type system could be used to (either manually or automatically) force the programmer to santize the data... If designed & implemented well, this could result in faster development times and more secure software...

It really annoys me that just to properly write a simple set of PHP scripts (such as an address book with a MySQL backend), a great deal of effort is expended in just parsing and (more importantly) santizing data... Even with all the object-oriented and/or modular programming techniques, it is still all too easy to pass the wrong string (or call the wrong *_escape method) in a way that results in a security flaw...

A work in progress... PHP is getting better

[PhYrE2k2]

PHP is getting considerably better actually at being (a) a mess, and (b) making you learn by mistake, (c) providing simpler frameworks.

This is what PHP 5 and PHP 5.1 are all about. Lets fix the problems in the language and those things that go back to it's origins. PHP at one point did little more than a shell script, and now you have endless numbers of modules, extensions, and database backends.

You'll notice they have E_ALL on by default and highly encourage E_ALL|E_STRICT to be used for good coding practice. You'll notice register_globals is off by default. You'll notice countless quirks are virtually eliminated. magic_quotes are off by default because it's become apparent they don't always work and it's better done by the database engine (which can escape what it needs rather than just slashing random things).

You'll notice in 5.0 and 5.1, they pulled out extensions that are specific or not maintained (payflowpro, fileinfo, and many others) to PECL.

You'll notice they are recommending mysql extensions and others aren't use. You'll notice they're even advising that mysqli isn't used. You'll notice they are focusing on PDO to simplify and eliminate the ~10 driving extensions for each database engine with their own unique ways of doing everything with a universal framework (note: PEAR::DB is written in php classes- this is C and good code).

This is all a method to fix those problems everyone keeps complaining about. It's a pain, and creating even more complaints in the process of broken scripts, classes, and tools with the removal of things like is_a, call-time reference passing, and others- but once these scripts get fixed, and over time once everything goes PDO--- You'll find clean and swift code without much trouble at all.

Give it 6mo for the whole php 5.1 thing to migrate into various popular scripts and you'll find the world will be better for it. It's all in the master plan- simplify. Note that while many things have manual sections, much of it is in PECL and not the distro. At some point that should really be pulled into its own manual making it easier to find the core topics. That's just my opininion.

-M

Flamebait...

Mathematical proof of why PHP programmers tend to be stupid.

Persistance

[PhYrE2k2]

Persistent objects are super, but think of this from a systems perspective. I'd imagine you're thinking of Java, having a nice super-server running and then a small component in Apache sending the actual requests to the Java environment. Now take PHP:
  - each apache process takes some requests. Opening a file-descriptor or database connection in one doesn't mean it'll be available to another process. So the file needs to be opened, database connected to, etc.
  - persistent connections (database) are only useful if you have a database and single/cluster of web server(s) using that single database connection/username. Look at shared hosting. 500 apache processes, 10 web sites with different credentials. So you expect the database server to be able to keep 5,000 connections open? The next request by that user for the session may not come back for 8 hours, so why would you keep a connection open?
  - Locking issues with keeping files open maybe?

Make a class or function that serializes a file. Now of course that's not possible, but emulate it. Find the file position, save the file name and info about it. Then when you reload the session fseek the file and all is well.

Keeping such things (file descriptor/database) with the session is silly in most cases, as there is little gain in most cases.

-=-
So make a php accelerator. Who's stopping you? Introduce it to PECL and people may use it or make a patch. Zend Accelerator (not the optimizer which of course they keep closed due to the encryption abilities- not to mention minimal performance gains), is far from optimal for 99% of Web sites out there. turck-mmcache was the same way as well. If you run a single site, it works fine. As soon as you have multiple sites, and you start caching files, database calls, and output, you have SERIOUS issues unless you know the application. Suddenly your script isn't running as it should some of the time.

-M

Re:Persistance

Regarding how the database connections pool is implemented, you're so clueless you don't even see it. Go back to the basics, read up some more and don't spread BS as you do it now.

Use a few defines and be explicit

[mgkimsal2]

core_defines.php

Have a base controller include that one core_defines.php file, the
include(CLASS_PATH."foo.php");

Yes, it's not the namespace support you're talking about, but it's much better than having all your include() statements use "../../../" notation in them. There are two primary issues with that approach.

1. The path where you store those files might need to change for some reason.
2. It's not as clear from looking at it what type of file is being loaded unless you have class_*, lib_*, and other filename prefixes on each file. include(TEMPLATE_PATH."/foo.php") is very easy to guess at the intent of the include statement.

What I *don't* understand is how using autoload makes this process much easier. If I reference a class that's not yet loaded, autoload() will get called with the name of the class. It seems I would need to have potentially loads of paths to check in the autoload() function to 'find' the particular file I wanted, and hope that it didn't find another class of the same name in another directory before it found the one I was looking for.

I guess you could just push all the paths on to the include_path setting, but scanning multiple directories has its own performance issues. It seems to me that simply being explicit about what packages a particular file needs to execute is, in most situations, the best. Yes, it's a bit more, work, but being explicit makes things easier to understand.

Re:Use a few defines and be explicit

[Bloodwine77]

I have a library/classes directory and inside of it I put each and every class in a separate PHP file and the name of that file is always "class_{ClassName}.inc.php"

autoload() then just does a simple

if (is_file(library/classes/class_{ClassName}.inc.php )) {
      require_once(library/classes/class_{ClassName}.inc .php);
}

(well, that's ugly incomplete quasi-pseudo-code, but you get the idea).

My approach might not work that well if you want to have classes exist in many different locations, but it is pretty darn fast for me since all files are in one directory. I have done my best to split up the functions into different namespaces in terms of subject/context and amount of usage in order to cut down on the # of file inclues per page request.

Re:Still no namespaces ..

[masklinn]

Yes, one can kid-of-emulate namespaces using classes (AFAIK people have done it in fucking Javascript for years !).

But

• It's impractical, having to jump through hoops to get a module sanely stored in it's own namespace is stupid, annoying and time consuming
• It has many shortcomings and limitations
• And last, but not the least, it doesn't clean the global namespace from all the fucking crap that's landed in it since the birth of PHP

To sum it up, yes you can use the oh so shiny new PHP classes to create namespaces, but that's a hack, and a quite bad one.

Re:All of my friends and family use the new PHP

[spammyd]

but is it compatable with the 150 separate pages of php i have written that have dozens of queries hard coded

mod parent up!

[mgkimsal2]

+1 insightful

It's not always about writing code that's convenient for yourself, but is easy to read by others (or yourself 6 months later). By forcing the 'global' keyword, PHP helps keep the code readable. Granted, there's many other ways to make PHP unreadable and unmaintainable, but this isn't one of them.

You liking your jump to conclusions mat?

[Some+Random+Username]

You sir, should never make rediculous claims based on absolutely nothing. I should never program because I think the PHP developers shouldn't write a language designed to be easy and appeal to newbies, and then make functions incredibly easy to misuse? Get your fucking head checked. I do validate my input, and I don't use PHP. How well I can program has nothing to do with it. PHP should not make their language as easy to create exploits in as possible, for no reason, and refuse to improve the situation despite constant abuse from the hordes of inexperienced programmers that PHP caters to.

And there is another way around this, PHP's mail function should take a "from" argument, instead of forcing people who don't know what a header is to create the from header themselves.

Re:You liking your jump to conclusions mat?

[PhYrE2k2]

Read the other reply to my message and you'll see the other point of view.

The point is basically that it has nothing to do with newbies or experts doing the programming. The logic is that PHP is a scripting language. It's powerful, despite you saying that it's not. Anything you want to do, it will do it. From the same token, one of the first rules to programming is to never trust the user! Malicious intent or not, the user is always wrong. E-mail at one point didn't matter- nobody exploited it in the way they do databases and whatnot. These days Spam is the latest big-thing, and programmers are seeing that their sloppy coding is causing their mail servers to relay. *wow*

Note that php doesn't set from by default because many mailers will set it for you to a safe default- often the user account who is sending the mail. So having a from of the user sending mail is a bad default? It's a custom header and shouldn't need to be specified in many cases.

And accepting a from address still means that it needs to validate it. Why should mail() validate it for you? What about formats that include names and e-mail addresses? If you want this kind of functionality, try a phpmailer class or make one.

-M

Re:You liking your jump to conclusions mat?

[Fordiman]

doot doo doo doooooo!

Geez, make a wrapper for it if you don't like the way a function works.

Personally, I like that there's no "From" argument. It makes sending out automated website mail slightly simpler (without a from, it uses the webmaster entry from apache). Meanwhile, in most instances, you'll not be taking user input as a "from" field. That sort of behavior makes it very easy to perform exploits that can't be caught by user input validation (a happy little script that spams through your interface). You'd more likely have a pregenerated set of e-mail addresses.

You don't use PHP. Funny, then, how you seem to have a handle on its quirks.

As for making functions "incredibly easy to misuse", how about RTFM? Sorry, but I've got this thing about taking personal responsibility for being a shitty programmer. If you validate your input, than this is a nonissue. If you don't, then take responsibility for that (and never try to get hired anywhere).

As for "easy to create exploits", sorry, but it's a powerful language that's accessible to the newb programmer. If a newb doesn't know what a header is, chances are the newb shouldn't be trying to fuck with 'em... or, better yet, the newb SHOULD be reading the damned manual.

'Course, you seem to have a problem with giving a little power to a newb. There's a word for that, but I can't remember it.

One more thing - WTF?

[mgkimsal2]

Why, oh why, was the scoping done so utterly backwards?! I was cleaning up some code, moving it into a function, and suddenly it stopped working. I had realized the answer the first time I tweaked it, but summarily forgot the second time around. What was it? Why, naturally, I had forgotten to do 'global $foo' inside my function - how stupid could I be to think code inside a function wouldn't pick up the contents of the variable as declared outside it?

Why, oh why, are you creating a function and not actually mandating that anyone pass in functions? You're obviously changing the original code to *call* the new function - why not actually pass in what variables you need rather than rely on 'global'?

Why, oh why, can I not have something as basic as 'microtime()' in Perl, instead having to rely on Time::HiRes? Having so many external CPAN dependancies makes the code very system dependant - moving to a new server might mean that your code won't run because a particular CPAN module isn't installed. Not that you *can't* get it running, but it's a pain. PHP avoids a lot of that by having many useful functions 'built-in'.

Re:One more thing - WTF?

[dragonman97]

Why, oh why, are you creating a function and not actually mandating that anyone pass in functions? You're obviously changing the original code to *call* the new function - why not actually pass in what variables you need rather than rely on 'global'?

What I didn't elaborate on was that this code was being included. I was trying to gently coax the code into a sane place. It was a log function - originally, each file referenced the file pointer declared in the include file, and wrote to that location. I was transitioning the code to a function, log_action($foo), that would use that existing file pointer, and write to it. Once done, I moved the pointer and file name inside the function, and simply did include foo; log_action($foo);. Until I had edited all the files, I wanted the existing code to work, and there was simply no reason to pass the file name (always the same) as an attribute. Now, I believe I'm going to change the include to a 'require_once.' *This* is why you read the fine manual, and learn what the 'language' offers / how to use it.

The best part of all this? 2 SQL queries were being done to fetch the date and time. Those were replaced with simply date/time calls.

Re:One more thing - WTF?

fuck yeah! I mean, what sort of lame language doesn't include builtin functions to convert dates to the jewish calendar? I think it's time we rewrite linux in PHP. It should cut development time since PHP already has lots of builtin functions, so linus won't have to spend time rewriting them!

oops

[mgkimsal2]

Why, oh why, are you creating a function and not actually mandating that anyone pass in functions?

That should have read 'parameters' not 'functions'. Oops...

PECL for 5.1.0 is non-existant at this time...

[mnemotronic]

The Releases page doesn't show the PECL download. Nor does the downloads page. I hope this is just an oversight and will eventually be corrected.

Broke phpBB

[The+Barking+Dog]

I tried installing 5.1.0 this morning, and it broke phpBB (the latest version, whatever it is) - phpBB could not log me in. No errors or anything, just no login. I know they've had compatibility issues with PHP5 before, but never anything this drastic. I went back to 5.0.4 until someone gets it fixed.

Re:Broke phpBB

[masklinn]

Just drop PHPBB altogether for god's sake, that thing's even worse than PHP itself.

Re:Broke phpBB

elitism rules. join freebsd so you can feel leet bashing linux too.

Re:Broke phpBB

[The+Barking+Dog]

Yeah, I know, checking the release status like it's your pulse isn't all that fun, but I've been using it for years on a board with 700+ members and 145K+ messages, and switching would be a pain.

Re:Broke phpBB

[masklinn]

Not sure, most alternate board (of better overall quality) have import scripts (migration tools), since people often start using them after getting fed up with phpBB.

Check , it's a nifty lightweight forum (with a quite clean code) and it does have phpBB migration tools (the only thing the tools can't migrate are attachments cause Pun doesn't have attachments).

Re:Broke phpBB

[masklinn]

Gay, I really need to preview these posts.

Last paragraph was meant to be:

Check PunBB, it's a nifty lightweight forum (with a quite clean code) and it does have phpBB migration tools (the only thing the tools can't migrate are attachments cause Pun doesn't have attachments).

Premature Optimization?

[crucini]

I even went as far as rewriting the entire system with the most optimised PHP code possible...

Did you profile the system, before or after, to find out where the slowness was? If your code improvements made the system get faster, what made it get slower? Increasing traffic?

What makes you think that having transactions would improve performance? There are good reasons for wanting transactions, but performance is not one.

Re:Premature Optimization?

[BlueHands]

I know nothing off the grandparent's situation but I do know of a project where they were replication transactions in php because they couldn't do it mysql4. I assume that having the db take care of it is going to be faster then if the code is in php.....

Re:Premature Optimization?

[jZnat]

I did profile it, and the PHP optimisations helped increase performance quite a bit, but MySQL was still the bottleneck. And I only said "transactional databases" because every good database that can scale well is transactional as well. The transactions could've been used for the large amount of user data that would be written constantly. We also would have liked to use stored procedures to take care of a lot of the common tasks and whatnot.

PHP not getting better

[humankind]

Ever since they updated the Zend engine after 4.3.6 things have been going wrong. There are still bugs with variable references and memory management that appear in obscure scenarios that are hard to replicate but they're definitely there. I'm starting to lose hope in PHP as a stable platform in the wake of recent developments.

What bothers me most...

[jd]

...is that you're right. I like PHP as a scripting language - it is powerful, flexible and as an alternative to CGI scripting, is truly amazing. However, the lack of namespaces is a big problem, which they MIGHT address in version 6, but that's still only under discussion.

Java used to be regarded as a horrible language for the web, but ever since GCC included a Java compiler, it's actually beginning to be fast enough to be worth the hastle.

Now, a PHP front-end for GCC would be an interesting project, and could offer some serious competition to Zend. Which means it is likely to last all of three seconds before being found dead in an electronic alleyway. However, as it stands, the syntax is horribly inconsistent and not particularly generic. For example, I like the fact that PHP lets me use a crypto library, but why should I have to care if it is mcrypt, gcrypt or some other package out there?

In the same way that a database-neutral API now exists for SQL functions, there should be other implementation-neutral APIs for all of the other libraries. Forcing people to hard-code is a mortal sin and verily should thine hard-code-forcing-coders be delivered unto the rabbit at Aaaargh.

Who to emulate today? Perl? Java? C++?

[theolein]

I started off doing web coding in PHP 3 years ago, and was even pleasantly pleased when PHP 4 came out as it was a real, practical improvement over PHP3, especially as regards sessions and form data. Since then, I've learnt Java, ASP, Perl and Cold Fusion and started on Ruby. (and C/ObjC for native development)

Today, after not having done any PHP for about two years, I took a look at the PHP 5 documentation.

I was appalled.

Back when I started learning Perl, many of the apparent idiosyncrasies in PHP made sense such as the $syntax, multiple variable assignation, string concatenation and others. PHP had made a simpler version of Perl (automatic dereferencing, yay!). Then, when I was reading through the docs I noticed that PHP5 was doing its utter best to ape the functionality of Java (OO, exceptions, collections, interfaces, reflection, overloading, overriding etc) with the syntax of C++ (:: for static members, -> for virtual methods) but with the same loosely typed variables (Just ask yourself when looking at code you've never seen exactly what type does that unknown function return) and no namespaces (Perl, Java and C++ all have this in some form or another) and a huge array of functions that has no consistency whatsoever.

So, in essence, we have a language that is a mix of Perl, Java and C++ but with no real innovation of its own, unlike Python or Ruby, both of which are extremely consistent and remain true to themselves. Even lowly Javascript is far more consistent than PHP.

There is no way that I will code or design a large webapp in PHP. I had to debug a fairly complex one recently and it was a nightmare. I think I'll wait another few years and look what PHP6 turns out to be.

Don't reply if you can't bother to read

[Some+Random+Username]

"The point is basically that it has nothing to do with newbies or experts doing the programming."

It has everything to do with this. PHP's mail function is very easy to misuse. PHP actively targets newbies. This is a bad combination.

"It's powerful, despite you saying that it's not."

I said that when exactly? Oh right, you are just making up bullshit to make yourself feel better.

"From the same token, one of the first rules to programming is to never trust the user!"

Rules that 99% of PHP's userbase don't know.

"Note that php doesn't set from by default because many mailers will set it for you to a safe default- often the user account who is sending the mail. So having a from of the user sending mail is a bad default? It's a custom header and shouldn't need to be specified in many cases."

Good lord you are fucking stupid. I didn't say it should set a from by default, I said IT SHOULD HAVE A WAY TO SET IT. It currently does not, there is no from arg. Hence people who have no idea what is and is not safe in a mail header must create mail headers themselves. This is complely retarded.

"And accepting a from address still means that it needs to validate it. Why should mail() validate it for you"

Because that's its job. PHP's mail() function is creating headers for to:, cc:, etc. It is therefore mail()'s job to ensure that the headers it creates are valid. The whole point of it is to remove the job of valid header creation from the user. It should offer a from arg to do this for the from: header as well. If the mail() function isn't going to create valid headers for people, then it should be removed and people can just pipe directly to sendmail. At least then its very clear that users must create valid headers themselves.

"If you want this kind of functionality, try a phpmailer class or make one."

As I already said, I don't use PHP. I want PHP to stop making it as easy as possible for people who don't know much to fuck things up, thus putting spam-abusable contact forms on their websites, on our servers.

Good fucking lord, does PHP damage your brain?

[Some+Random+Username]

Why are all you PHP apologists so incredibly stupid? Not having a from argument does not make things easier at all, you can have optional arguments you know. So if you didn't specify a from arg, then it will use the (often undesirable) webserver user as its from.

I have a handle on this quirk because of getting spam complaints due to people putting exploitable PHP contact forms on webservers I admin. Duh? You have never heard of web hosting before?

"If a newb doesn't know what a header is, chances are the newb shouldn't be trying to fuck with 'em."

EXACTLY THE FUCKING POINT. PHP's mail function is creating the headers for to, and subject, so that users don't have to. It needs to be able to make a from header too. Its stupid for a high level language like PHP to require users to know the inner workings of mail headers. If you have to know what a valid mail header is and how to validate them, then you can just pipe directly to sendmail, so why is there even a mail() function at all?

And of course, this is the second problem. PHP's mail function is simply broken, plain and simple. It is NOT the web developers job to ensure the mail headers are valid, because they are not creating the headers. PHP's mail function is generating invalid mail headers (for the args it does support like subject), that's the PHP developers fault, not the fault of the people using PHP.

I don't think there is a problem with giving a little power to a newb, why do you insist on making irrational assumptions based on your warped prejudices? I think there is a problem with programmers writing broken, stupid code and then blaming other people for it. You claim to "have this thing" about taking personal responsability for being a shitty programmer, but yet insist on blaming the user for problems in PHPs code. If its PHP that is generating the header, then its PHP's job to ensure it is valid. And you cannot have \r\n in a valid mail header. This is the fault of the PHP developer who wrote mail(), and every PHP developer since who hasn't fixed it.