PHP 5.1.0 Released
kv9 writes "A new release of PHP5 is available. This version includes over 400 bugfixes, performance improvements over the 5.0.x branch, new date handling code, new versions of PCRE/SQLite/PEAR and over 30 new core/extension functions. A number of security fixes are also present and users are recommended to upgrade."
MySQL support has been dropped in favor of using simple flat text files. The performance increase from this has been HUGE and the feature set is the same.
> A number of security fixes are also present
I think we've finally found a replacement for the security disaster known as sendmail -- PHP.
My other car is first.
...and still no damn fucking namespaces.
Go PHP, ride on to the 20th century!
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
Rails still isn't a language, it's a framework.
(calling Ruby a "toy language" when comparing it to PHP is hilarious though, thanks for the laugh)
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
You don't have any classes named Date, do you? It's an extremely uncommon name. Good thing we have namespaces.
http://news.php.net/php.internals/20352
I was under the impression that when using an x.y.z versioning scheme, bug fixes should be released with increments of z, new features with increments of y, unless they break compatibility, when x should be increased. But when has PHP ever done something in a standard way.
"(...)and over 30 new core/extension functions."
Ugh. Adding still to the inconsistent, namespace mess, PHP functions have? Worst. Decision. Ever.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
It's widely known that PHP is used by a lot of "developers" without much background in writing secure software. As such, the coding techniques used are often less than ideal, and have led to numerous security problems in the past.
Are the PHP developers actively doing anything to help prevent those without much experience from writing code that can lead to a server being compromised? Not that they should restrict those few developers who do know what they're doing, but they should perhaps be taking a look at making it far more difficult to write dangerous code.
On the hardware front we have AMD and Intel adding support for non-executable stacks to their processors, for instance. GCC has StackGuard and StackShield. I think it's time for the PHP developers to step up to the plate and try to limit the possible damage that can be done when using PHP incorrectly.
It's easy to continually blame the inexperienced PHP users for writing insecure code. But I do believe that it is up to the PHP developers to use their skills to help mitigate such problems.
Cyric Zndovzny at your service.
It's really vague to compare two languages' "power". The only definitive comparison you can make is whether they're both Turing-complete. In that case, Perl = C = INTERCAL = Unlambda.
Laws do not persuade just because they threaten. --Seneca
Zend refuses to add basic features such as a basic accelerator ( PHP scripts get recompiled on every request ). In fact, there was a rumor that Zend bought and killed http://sourceforge.net/projects/turck-mmcache/, the best accelerator out there because it competed with their commercial product.
I understand that money has to be made for development to continue, but that's no way to compete.
PHP server needs true session and application scope variables. File-based session variables it has right now means that any variable that's not serializable (e.g. file descriptor) cannot be saved in the session scope. This is a huge problem. It results in developers making countless round trips to their database to serialize data, and hence making PHP scripts more dependent on close/performant database in general. There was an mmap based solution being worked on, but haven't heard much about it lately.
Other web environments have had these features for years.
I'm guessing that that sort of restriction on the PHP server will continue until an alternative server is developed and begins to gain popularity.
Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
I used to use PHP a lot day to day for several years (lamp), and found it kicked the ass of ASP for doing really fast web apps. Bigger web applications however, is where its mechanics started to erode - specifically includes and the old module level variables issue.
PHP 5 brought more OO features but it's still loosely typed and not compiled, meaning its OO features pale in comparison to JSP and ASP.NET. Until these two features are added by default (yes I know there are compilers), I can't really see how people will want to make use of its OO features in a business scenario. It handles strings (at least in 4) about 50x slower than .net and seems to be stuck between a scripting language and a fully fledged OO language.
Nothing costs nothing
I'd like to take this opportunity to complain about __autoload in PHP5. It is one functionality which I find tremendously inconvenient when coding something like APC. File inclusions were never supposed to be that dynamic, it ends up with different compilations of the same file for different places it is included in (apparently some are still fighting).
Quidquid latine dictum sit, altum videtur
If you want cutting edge, then you'll most likely need to run your own server.
Serious hosting companies just can't risk running software that hasn't been widely tested. While there may be benefits from running the new versions of PHP, for instance, it could be a disaster if a security flaw leads to their servers being compromised. An incident like that could financially destroy a small- or medium-sized hosting company. At least the older versions of PHP have undergone more testing than the newer releases.
Cyric Zndovzny at your service.
Some of us are trying to help the situation by educating PHP developers. For my part, I try to write articles (and make them available for free), give talks at conferences and user groups, and answer questions on mailing lists and forums.
There's also the PHP Security Consortium, the Zend Framework (which will hopefully include most things on my wishlist as well as solve other problems), and a new input filter extension.
As BP says, it's a start.
- IBM has spiffed up Cloudscape to be somewhat compatible to DB2, renamed it to Derby and is giving it away
- Oracle is giving away a mildly crippled version of its DB, I don't remember the exact circumstances
- ADABAS, also known as SAP DB, is now also FOSS
- Firebird, née Interbase, was freed years ago and is said to be working well and under active development. I don't know why so few people seem to like it.
- I believe I heard about SQL Server being "free" under some circumstances too, but I'm not sure.
So... many thanks to MySQL for being a forerunner in the "free DB" department, and more thanks to other, formerly proprietary-only vendors for making their products a little more accessible to the common man!
When one person suffers from a delusion, it is called insanity. When many people suffer from a delusion it is called Rel
You can try http://www.powweb.com/ They usually keep on top of upgrades and have had php5.0 running for a while now.
If anybody is interested in what is coming up in PHP6 you can read an overview here. Looks like the main push of the next release is to stop people coding things wrong (by depending on register globals and magic quotes). Oh and the small thing about adding Unicode support. Unfortunately this will probably mean a slower adoption than PHP5 as it is likely to break popular scripts (such as forums, blogs etc) which will mean that Hosting Companies are unlikely to touch it till the script writers update their scripts.
Design and programming are two distinct disciplines. Some brilliant developers are good at both, but many people, myself included, get too much satisfaction from diving into coding to thoroughly think about what they are embarking on. The result is a program/system/language/whatever that starts with a clean small core but grows ever bigger and uglier as changes are bolted on. I tried PHP a couple years back and was disgusted by it. There's a reason why computer language design is a discipline of an academic subject, Computer Science: A wealth of knowledge has accumulated on how to do this kind of thing "right," and applying that knowledge will usually lead to a better end result.
Specifically, my beef with PHP summarizes down to: It makes simple things simple in a way that encourages sloppy coding. PHP is to the current would-be Web geek generation what BASIC was to teenage would-be hotshot coders in the late '80s: A way to achieve "gee whiz!" effects easily and cheaply. It's possible to write large, elegant programs in PHP, but that's not what usually happens.
When one person suffers from a delusion, it is called insanity. When many people suffer from a delusion it is called Rel
... still having no namespaces and lacking in full-blown OOP and all.
So what?
PHP is the web generation's basic. No more. But no less either.
Given that loads of very useful webapps out there are built in PHP I'd say the criticism is mostly inadequate whining. If PHP doesn't cut it for your job, take something else. No big deal.
We suffer more in our imagination than in reality. - Seneca
Now that PHP is popular it is undergoing something of an identity crisis. Rasmus said it was an answer to "the web problem", a very simple answer. A "right to the point" approach, terse rather than elegant.
But as more "serious" developers pick it up, more "serious" features are requested.
The fact is, if you're flexible you can build whatever you need in PHP4. It may not always be the way you prefer to code, but you can do it.
PHP is what it is. And it won't appeal to everyone. Fortunately there are many other platforms for the unsatisfied. Take your pick.
If your primary gripe with PHP is that it isn't enough like Java, shut up and use Java. Same for - insert language here -
I am very interested to see the new framework being promised by Zend and IBM. (http://www.zend.com/php-collaboration/) Can they really deliver on their promises? If not, I do predict a mass exodus to ROR. PHP could wind up being relegated to individual scripts or 5 page websites.
The classical example of an "overdesigned" language is Java (I am lousy at separating the language from its APIs). What you get is some more "reuse" at the price of unnecessarily complicated framework. With languages like PHP you learn the right way by mistake (which is not necessarily suboptimal) and you should have the guts to break compatibility from time to time.
As for being disgusted by PHP -- usually you don't get disgusted by the language but by what people have written in it (or around it - talking about some PHP extensions). One can always find examples of an extremely ugly LISP function with LISP being one of the most beautiful languages ever.
But I'm heading towards a treacherous field - discussing programming language merits - wasn't it "the best tool for the appropriate job"? So, let's keep PHP for all these "gee whiz" tasks which apparently the society needs, otherwise go explain the x millions of PHP-sites...
At the end we will all grow software like plants :)
Mod the poor guy back up, PHP's mail() function is completely retarded. I have never seen a single PHP contact form that isn't exploitable to send spam because of this nonsense.
Since when has the "If you don't use it, stop complaining" attitude been acceptable? I don't use Windows, but I'm constantly pointing out its faults to people so they're less likely to get infected and have their computer send out spam. I don't smoke, but I'd rather point out the dangers of smoking to someone than let them cut ten years off their life.
A while ago, I tried writing my own blogging system using PHP, because it would be easy to find someone to host me. I kept having to look things up (isnull or is_null? arrlen or array_length? (neither, it's count)), typing mysql_this, mysql_that instead of using namespaces is annoying, lack of a good scoping system very annoying, etc etc. I did want to use PHP, but didn't, because I thought it sucks. Would you prefer it if I didn't say anything, and just let the PHP guys carry on with the mess they've made? Hint: that wouldn't accomplish anything.
"PHP is the web generation's basic". Oh great, the web generation is growing up thinking that mysql_query( $_POST['input']) is a good idea. After all, magic quotes will make sure it's safe, so gets(input); system(input); in C should be safe! Intentionally or not, PHP is the first language learned by many people nowadays, so it should at least educate them into good practices instead of just doing stuff for them. (Doing things for the user is one of the things that Microsoft gets flak from here, too). PHP tried this before, with register_globals, and look what that turned out to be.
Surprisingly, people actually want to make PHP a better language, but apparently any complaints should be met with "Don't like it? Then get lost!", leaving PHP as it is. Oh well.
Guy asked me for a quarter for a cup of coffee. So I bit him.
Unlike some of the other replies, I agree wholeheartedly. I am a Perl programmer, who actually has a clue about programming. (And I write legible Perl, thank you very much. [most of the time ;)])
I've just 'inherited' a PHP project, and I want to scream. I've finally had to 'learn my enemy.' So, wanting to know what the heck I was getting into, I bought a ton of O'Reilly books, and I read through a bunch of "Programming PHP" before beginning, so I wouldn't make the mistake of just slapping together whatever worked. Getting right into it, I was appalled at how poor the 'design' of the language is. It's a poor ripoff of many decent languages, slapped together in whatever Q&D way would 'make it work.' Why are phonetic string comparison functions part of the core language?! Those should be in a library! Why, oh why, was the scoping done so utterly backwards?! I was cleaning up some code, moving it into a function, and suddenly it stopped working. I had realized the answer the first time I tweaked it, but summarily forgot the second time around. What was it? Why, naturally, I had forgotten to do 'global $foo' inside my function - how stupid could I be to think code inside a function wouldn't pick up the contents of the variable as declared outside it?
*sigh* I've gotten a project with 15,600 lines of 'code,' and already gotten rid of 1200 lines of repetitive junk by applying some common sense to it. I have another 120 lines lined up to be shot today. (A diff -uw of 2 files turned up exactly 5 differences.)
PHP makes it way too easy for people without a clue to 'write code' that 'works.' Thank you all the same, but I prefer to keep my brain engaged in 'drive,' rather than 'park.'
You sir, should never program.
Always validate all input provided by the user that is used in any way. If it's in a database you're smart enough to escape it (or use query replacement methods that do it for you). If you're sending mail, you damn-well be sure it's an e-mail address. You have RFCs to guide you on this:
http://www.w3.org/Protocols/rfc822/
A field-name consists of one or more printable characters (excluding colon, space, and control-characters). A field-name MUST be contained on one line. Upper and lower case are not distinguished when comparing field-names.
It defines what characters are valid, and if you are about to pipe whatever data you accept into an e-mail, that's something YOU decided to do.
IT IS YOUR JOB to make sure that what you put beside FROM: (or anything in that parameter) is an e-mail address. It shouldn't have a newline. It shouldn't have escape characters. It should probably contain only a limited regex. Would you put an SQL query someone enters into a database? Then why an e-mail address to sendmail?
On a side note, the only way around this is to have a programming language that tags data as tainted if it came from or was derived from user input and not allow it for input, and having functions that sanitize data and remove that flag. This is first off slower and second not optimal in many situations.
when you see the word 'Linux', drink!
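Added example, not part of the original thread: one way to apply the check described in the comment above, so that no line break can reach the header argument of mail(). The function names and the example.org addresses are hypothetical, the sample submissions are constructed, and the code assumes PHP 7.1 or later with the bundled filter extension.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Function names are hypothetical.
// Requires PHP 7.1+ and the bundled filter extension.

/** Return the address if it may follow "From:" in a header, else null. */
function safe_header_address(string $input): ?string
{
    // Header injection needs a line break to reach the header block, so
    // refuse CR, LF and every other control character outright. A character
    // class is used on purpose: a pattern anchored with "$" alone would
    // still accept a trailing "\n".
    if (preg_match('/[\x00-\x1F\x7F]/', $input) === 1) {
        return null;
    }
    // Syntax check; filter_var() returns false for anything that is not
    // a single plausible mailbox address.
    $addr = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

/** Free-text header value (e.g. Subject): one line, bounded length. */
function safe_header_text(string $input, int $max = 200): ?string
{
    if ($input === '' || strlen($input) > $max
        || preg_match('/[\x00-\x1F\x7F]/', $input) === 1) {
        return null;
    }
    return $input;
}

/**
 * Build the arguments for mail() from contact-form fields, or return null
 * if any field that ends up in a header fails validation.
 */
function build_contact_mail(string $from, string $subject, string $body): ?array
{
    $from    = safe_header_address($from);
    $subject = safe_header_text($subject);
    if ($from === null || $subject === null) {
        return null;
    }
    // The recipient is fixed by the site, never taken from the form.
    return [
        'to'      => 'webmaster@example.org',       // placeholder address
        'subject' => $subject,
        'body'    => $body,                          // body is not a header
        'headers' => "From: $from\r\nReply-To: $from",
    ];
}

// Constructed form submissions: [from, subject].
$samples = [
    ['alice@example.org', 'Question about hosting'],
    ["alice@example.org\r\nBcc: list@example.net", 'Hello'],  // extra header smuggled in
    ["bob@example.org\n", 'Hello'],                           // trailing newline
    ['not an address', 'Hello'],
    ['carol@example.org', "Hi\r\nCc: list@example.net"],      // via the subject
];
foreach ($samples as [$from, $subject]) {
    $mail = build_contact_mail($from, $subject, 'message text');
    printf("%-50s %s\n", json_encode($from), $mail === null ? 'REJECTED' : 'ok');
}
```

Only the first submission is accepted; the last one has a valid address but is rejected because of the line break in its subject.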
PHP is getting considerably better actually at being (a) a mess, and (b) making you learn by mistake, (c) providing simpler frameworks.
This is what PHP 5 and PHP 5.1 are all about. Let's fix the problems in the language and those things that go back to its origins. PHP at one point did little more than a shell script, and now you have endless numbers of modules, extensions, and database backends.
You'll notice they have E_ALL on by default and highly encourage E_ALL|E_STRICT to be used for good coding practice. You'll notice register_globals is off by default. You'll notice countless quirks are virtually eliminated. magic_quotes are off by default because it's become apparent they don't always work and it's better done by the database engine (which can escape what it needs rather than just slashing random things).
You'll notice in 5.0 and 5.1, they pulled out extensions that are specific or not maintained (payflowpro, fileinfo, and many others) to PECL.
You'll notice they are recommending mysql extensions and others aren't used. You'll notice they're even advising that mysqli isn't used. You'll notice they are focusing on PDO to simplify and eliminate the ~10 driving extensions for each database engine with their own unique ways of doing everything with a universal framework (note: PEAR::DB is written in php classes- this is C and good code).
This is all a method to fix those problems everyone keeps complaining about. It's a pain, and creating even more complaints in the process of broken scripts, classes, and tools with the removal of things like is_a, call-time reference passing, and others- but once these scripts get fixed, and over time once everything goes PDO--- You'll find clean and swift code without much trouble at all.
Give it 6mo for the whole php 5.1 thing to migrate into various popular scripts and you'll find the world will be better for it. It's all in the master plan- simplify. Note that while many things have manual sections, much of it is in PECL and not the distro. At some point that should really be pulled into its own manual making it easier to find the core topics. That's just my opinion.
-M
when you see the word 'Linux', drink!
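Added example, not part of the original thread: the comment above says magic quotes "don't always work" and that escaping is better done by the database engine through PDO. The sketch below shows that with an in-memory SQLite database, comparing backslash escaping, driver quoting and a bound parameter on an ordinary surname. It assumes the pdo_sqlite extension; the table, row and function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Needs the pdo_sqlite extension.
// Table, rows and input are constructed; function names are hypothetical.

function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)');
    $db->exec("INSERT INTO users VALUES ('O''Brien', 'editor')");
    return $db;
}

/** What magic_quotes_gpc amounted to: addslashes() on input, then paste. */
function role_with_slashes(PDO $db, string $name): string
{
    $sql = "SELECT role FROM users WHERE name = '" . addslashes($name) . "'";
    try {
        $role = $db->query($sql)->fetchColumn();
        return $role === false ? '(no row)' : (string) $role;
    } catch (PDOException $e) {
        // SQLite escapes a quote by doubling it and gives backslash no
        // special meaning, so the quote in the input still closes the literal.
        return 'query broke: ' . $e->getMessage();
    }
}

/** Escaping done by the driver for the engine actually in use. */
function role_with_quote(PDO $db, string $name): string
{
    $sql  = 'SELECT role FROM users WHERE name = ' . $db->quote($name);
    $role = $db->query($sql)->fetchColumn();
    return $role === false ? '(no row)' : (string) $role;
}

/** Bound parameter: the value never becomes part of the SQL text. */
function role_with_prepare(PDO $db, string $name): string
{
    $stmt = $db->prepare('SELECT role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $role = $stmt->fetchColumn();
    return $role === false ? '(no row)' : (string) $role;
}

$db    = demo_db();
$input = "O'Brien";   // an ordinary surname, not a hostile string

echo 'addslashes : ', role_with_slashes($db, $input), "\n";
echo 'PDO::quote : ', role_with_quote($db, $input), "\n";
echo 'prepare    : ', role_with_prepare($db, $input), "\n";
```

The backslash-escaped query fails with a syntax error, while the driver-quoted and prepared versions both return the stored role.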
Oh boy, I can account for this claim completely. I used to co-program with another person on a large website that used MySQL from the start. Him and myself would constantly look for ways of increasing performance and minimising lag, but we never tried using a different database. With a site that massive at the time, we should've been using PostgreSQL at least, or even Oracle or DB2 or similar if we could get the money to buy it. I even went as far as rewriting the entire system with the most optimised PHP code possible, and we minimised database usage and dependence, moving several things to sessions that would occasionally update from the database. We even used partitioning strategies by placing the main culprit of the data usage, the forum's replies table (nothing would get purged, only archived with an archived bit set to 1), on a separate hard drive that was only used for storing backups of the database. Performance shot up for a few days, but it quickly went back to sucking ass.
Sure, with all that, I've come to learn how to exploit MySQL to get its best performance, and how to use PHP to its maximum performance, but we would've been better off using a transactional database for one, and more specifically if we had used PostgreSQL from the start. Those efforts are primarily available here, but since the initial optimisations, I've transferred everything to use ADOdb Lite. I hope to get this transferred to a PostgreSQL database instead, but it won't matter much for the original site in question as I no longer program with him.
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
When you hear Ruby in the context of web applications, the speaker definitely means Ruby on Rails. For writing more than the simplest web application, it's probably a php killer, on account of its price ($0) and relatively flat learning curve (even if you've never done ruby). Others have observed that RoR has subtle ways of making you do the right thing in a given programming situation, even if you don't know what that is at the time. I dare say that rails teaches the coder a lot about object-oriented programming just by using it.
RoR is just 1.0 now, and though the API is still shifting around a bit, it does so only about as much as php, and rails is just a framework, not the whole language. The ruby language itself is quite stable at this point. OTOH, I found that porting my existing web app over to RoR was impossible, or at least so difficult that it wasn't worth the trouble over re-coding it from scratch (and making it a much better app in the process).
Don't blame me, I voted for Baltar.
Personally I think the use of the "global" keyword is something PHP got right and every other language (except ruby) got wrong. When you are reading a function it's good to know where all the variables are coming from. In ruby they use a sigil, in PHP they use a keyword, in every other language you have to search through the function to see where and if the variable was declared and deduce that it was either a global variable or a typo.
To recap. PHP got it right, perl got it wrong. You are annoyed because it's not the way you are used to working but that has nothing to do with the merits of the scoping rules.
evil is as evil does
I started off doing web coding in PHP 3 years ago, and was even pleasantly pleased when PHP 4 came out as it was a real, practical improvement over PHP3, especially as regards sessions and form data. Since then, I've learnt Java, ASP, Perl and Cold Fusion and started on Ruby. (and C/ObjC for native development)
Today, after not having done any PHP for about two years, I took a look at the PHP 5 documentation.
I was appalled.
Back when I started learning Perl, many of the apparent idiosyncrasies in PHP made sense such as the $syntax, multiple variable assignation, string concatenation and others. PHP had made a simpler version of Perl (automatic dereferencing, yay!). Then, when I was reading through the docs I noticed that PHP5 was doing its utter best to ape the functionality of Java (OO, exceptions, collections, interfaces, reflection, overloading, overriding etc) with the syntax of C++ (:: for static members, -> for virtual methods) but with the same loosely typed variables (Just ask yourself when looking at code you've never seen exactly what type does that unknown function return) and no namespaces (Perl, Java and C++ all have this in some form or another) and a huge array of functions that has no consistency whatsoever.
So, in essence, we have a language that is a mix of Perl, Java and C++ but with no real innovation of its own, unlike Python or Ruby, both of which are extremely consistent and remain true to themselves. Even lowly Javascript is far more consistent than PHP.
There is no way that I will code or design a large webapp in PHP. I had to debug a fairly complex one recently and it was a nightmare. I think I'll wait another few years and look what PHP6 turns out to be.