Slashdot Mirror


The New PHP

An anonymous reader writes "This article at O'Reilly Programming suggests that PHP, a language known as much for its weaknesses as its strengths, has made steady progress over the past few years in fixing its problems. From the article: 'A few years ago, PHP had several large frameworks (e.g. CakePHP, CodeIgniter, and so on). Each framework was an island and provided its own implementation of features commonly found in other frameworks. Unfortunately, these insular implementations were likely not compatible with each other and forced developers to lock themselves in with a specific framework for a given project. Today the story is different. The new PHP community uses package management and component libraries to mix and match the best available tools. ... There are also exciting things happening with PHP under the hood, too. The PHP Zend Engine recently introduced memory usage optimizations. The memory usage in PHP 5.5 is far less than earlier versions.'"

43 of 254 comments

  1. Wake me they fix namespaces by LF11 · · Score: 3, Insightful

    Wake me up when they implement namespaces correctly. With a syntax that doesn't look like Satan's diverticulitis.

    It is nice to see that PHP is starting to grow up a little bit. They have a long way to go.

    1. Re:Wake me they fix namespaces by nickittynickname · · Score: 2

      Wake me when they decide to not care if it breaks existing php implementations and do some real clean up on the language. They keep adding features to the language and don't remove any of the garbage.

  2. Re:One question by dackroyd · · Score: 4, Informative

    yeah - http://php.net/password_hash

    It's now pretty easy to do password hashing correctly.

    --
    "Free software as in beer, copy protection as in racket" - Telsa Gwynne
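
An added example, not part of dackroyd's comment or of the thread: the `password_hash` API the comment links to, used for registration, login, and upgrading an old hash at login. The cost of 12, the function names, and the accounts and passwords are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Assumed current policy; PASSWORD_DEFAULT is bcrypt in current PHP releases.
const HASH_OPTIONS = ['cost' => 12];

// Hypothetical helper: store a new account in an in-memory array.
function register(array &$users, string $name, string $password): void
{
    // password_hash() generates the salt itself and embeds algorithm,
    // cost and salt in the returned string, so one column stores it all.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

// Hypothetical helper: verify, then upgrade the stored hash if the policy moved.
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // The plaintext is only available at login, so this is the moment to
    // re-hash an entry that was created under an older, cheaper setting.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return true;
}

// Constructed sample data: one account hashed earlier with a lower cost.
$users = ['alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 8])];
register($users, 'bob', 'correct horse');

// Same password, different salts: the two stored strings differ.
var_dump($users['alice'] === $users['bob']);

echo 'alice before: ', json_encode(password_get_info($users['alice'])['options']), "\n";
var_dump(login($users, 'alice', 'wrong guess'));    // rejected, hash untouched
var_dump(login($users, 'alice', 'correct horse'));  // accepted, hash upgraded
echo 'alice after:  ', json_encode(password_get_info($users['alice'])['options']), "\n";
```
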
  3. Perl vs PHP by Camel+Pilot · · Score: 3, Interesting

    Being long in the tooth I do all my web development via Perl using my own nice call back templating engine and of course CGI.pm. Nice separation of code and html - neither of the two find themselves in the same file. Once in a while I have to do some repair work for customers in PHP and in horror find the html and code mixed together with wild abandon and massive uses of global variables, and I wonder why PHP is so darn popular.

    1. Re:Perl vs PHP by budgenator · · Score: 2

      I've found that using the Smarty template engine helps me avoid that situation in PHP and the learning curve is fairly shallow.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  4. Re:Too Little, Too Late & MtGox by hondo77 · · Score: 5, Insightful

    > Why in 2014, do I have to decorate variables with '$'?

    That is your first complaint about PHP? That? I can't stand PHP but, seriously, that is first on your list of PHP badness?

    --
    I live ze unknown. I love ze unknown. I am ze unknown.
  5. Why use the Zend engine at all? by MarkRose · · Score: 3, Interesting

    Many of the problems with PHP are from the crappy language implementation. I recently came across a Java implementation of the language. It's been around forever, but as I hadn't heard of it, I figure many people reading this thread haven't either. It's Quercus. It's certainly worth a look as a Zend alternative.

    --
    Be relentless!
  6. Re:6 scripts at once? HNNNNNNNNNG by cheater512 · · Score: 3

    Yeah. Stupid global weather simulations also run like a dog on the Pi.
    When will people start testing their complex simulations on multiple platforms?

  7. Re:Too Little, Too Late & MtGox by skids · · Score: 4, Insightful

    Especially since it's actually one of the only things that makes PHP (barely) readable.

  8. Not sure what you're talking about by rsilvergun · · Score: 2, Interesting

    I've never done my own garbage collection, and PHP just updated it in 5.3.

    PHP works, it's fast as heck, and I can do anything you can do in python/perl just as well and way faster. My host for my hobby site (Shameless Plug) gives me php and a mysql DB for $7 bucks a month, and that's probably more than I should be paying. If I want perl/python that goes up to $100/mo...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Not sure what you're talking about by countach74 · · Score: 4, Insightful

      Except nothing you just said is true. PHP is not faster than Python or Perl. PHP is not cheaper to host than Python, Perl, Ruby, etc. And most importantly, no you cannot do anything in PHP that you can do in Python or Perl! At least, not without writing C extensions.

    2. Re:Not sure what you're talking about by lucm · · Score: 2

      Getting a VM (VPS) is not the same as shared hosting. With a VM you have to install, maintain, patch and monitor everything yourself. Obviously cheap providers that offer PHP/MySQL hosting for $3 a month won't offer terrific performance, the resources will be shared with a lot of other customers, but for a simple website with maybe a shopping cart and a small catalog it's far less overhead to use shared hosting than a VM and there is a big market for that.

      This being said, there are lots of cheap hosts that offer not only PHP but also Perl and Python; even Java or .Net providers can be found for $7 per month. So I'm not sure why the OP talks about $100/mo.

      As for cheap solutions: OpenShift (Red Hat) has a pretty decent free tier that comes with PHP, Perl, Python, Ruby, Node.js and MySQL, but to run java it gets more expensive quickly (about $50).

      --
      lucm, indeed.
    3. Re:Not sure what you're talking about by jrumney · · Score: 2

      I'm aware of the differences in administration load between a VPS and shared hosting, it comes down to how much freedom you want over what you can do with the server vs convenience of not having to deal with administration, but generally shared hosting is a step down on the cost scale from VPS, so the $100 for Python or Perl hosting makes no sense.

    4. Re:Not sure what you're talking about by hankwang · · Score: 2

      "With a VM you have to install, maintain, patch and monitor everything yourself"

      My experience with shared hosting is that they change system configuration all the time without informing me and thereby breaking my scripts. Never have that problem with a VM, but I admit that setting up a VM with dns, apache tweaks, iptables, and so on, is a major effort for someone who doesn't do that for a living, like me. But after that it's very little maintenance.

      By the way, the site in my sig runs on shared hosting, including perl CGI and ssh, for EUR 7.95/yr. Cheaper than my time in figuring out how to setup multi-domain email in CentOS on my VM. But I had to tweak my scripts to deal with the peculiarities of this hoster and live error logs only available via directadmin...

    5. Re:Not sure what you're talking about by LordThyGod · · Score: 4, Insightful

      So the sort of people who claim that PHP is worthwhile are those who stick with a terrible webhost and have no clue how much they should be paying?

      Yes, that sounds typical.

      Actually I think it's more that a certain percentage of the population has as the top priority just being able to get something done, and the low level details of this or that's garbage collection and memory management is way, way down the priority list somewhere.

  9. Still waiting by Ziest · · Score: 3, Interesting

    I'm still waiting for PHP to be completely case sensitive, a sane scoping scheme and real object oriented (can you say polymorphism)

    --
    Another day closer to redwood heaven
  10. A fractal of bad design. by Anonymous Coward · · Score: 5, Insightful

    I don't normally like linking to blog posts, but this one pretty much sums up PHP for me:

    http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/

    His analogy is very apt.

  11. Re:6 scripts at once? HNNNNNNNNNG by DrPBacon · · Score: 2

    if ($_GET['do'] == 'read' && $filesize > 0) {
        // Read the whole file and return it as a base64 data URI wrapped in JSON.
        if ($filehandle = fopen($filepath, 'rb')) {
            $filecontent = fread($filehandle, $filesize);
            $filecontent = base64_encode($filecontent);
            $filecontent = 'data:image/' . $filetype . ';base64,' . $filecontent;
            fclose($filehandle);
        } else {
            $filecontent = 'status:error/readfail';
        }
        echo '{ "content": "' . $filecontent . '" }';
    }


    Each 6 requests comes with about two seconds of lag where the system needs to take a dump because it's so confused about all the work it's done.
    (The files are 8kb).

    --
    Spent All My Mod Points
  12. Re:Too Little, Too Late & MtGox by Anonymous Coward · · Score: 2, Insightful

    The very fact that several websites exist to document inconsistencies in the language implementation should make you wary.
    Where do you find compiler devs who manage to evaluate 0x0+2 to 4?
    The fact that there is a function called real_escape_string scares the shit out of me, because it implies there exists a function called escape_string which doesn't really escape strings.

  13. Re:One question by Mitchell314 · · Score: 2

    Password hashing has always been easy: $hash = substr($_GET["password"], 0, 5);

    :p

    --
    I read TFA and all I got was this lousy cookie
  14. Re:"hello" == 0 is TRUE by Anonymous Coward · · Score: 2, Insightful

    Bullshit. '=' is assignment in all cases - it is predictable behavior.

    However, in php:

    "hello" == false is FALSE.
    0 == false is TRUE
    Therefore, "hello" == 0 should be false. But it doesn't.
    "hello" == 0 is TRUE.

    I understand WHY it happens. My understanding of why and when doesn't make it right.
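
An added example, not part of the comment above or of the thread: a small search for the kind of breakdown the comment describes, where `a == b` and `b == c` hold but `a == c` does not, run with `==` and then with `===`. The sample values and the function name are constructed for the example; since PHP 8.0 a number compared with a non-numeric string is compared as a string, so the script prints the running version and what `"hello" == 0` evaluates to there.

```php
<?php
declare(strict_types=1);

// Constructed sample values: [label, value].
$samples = [
    ['"hello"', 'hello'],
    ['0',       0],
    ['false',   false],
    ['null',    null],
    ['""',      ''],
    ['"0"',     '0'],
];

/**
 * Return every (a, b, c) where a~b and b~c hold but a~c does not,
 * i.e. the places where the comparison fails to be transitive.
 */
function transitivityViolations(array $samples, callable $eq): array
{
    $found = [];
    foreach ($samples as [$la, $a]) {
        foreach ($samples as [$lb, $b]) {
            foreach ($samples as [$lc, $c]) {
                if ($eq($a, $b) && $eq($b, $c) && !$eq($a, $c)) {
                    $found[] = "$la ~ $lb and $lb ~ $lc, but not $la ~ $lc";
                }
            }
        }
    }
    return $found;
}

$loose  = static function ($a, $b): bool { return $a == $b; };
$strict = static function ($a, $b): bool { return $a === $b; };

echo 'PHP ', PHP_VERSION, "\n";
echo '"hello" == 0 is ', var_export('hello' == 0, true), "\n";

// Loose comparison: list each triple that breaks transitivity.
$looseHits = transitivityViolations($samples, $loose);
echo count($looseHits), " violations with ==\n";
foreach ($looseHits as $line) {
    echo "  $line\n";
}

// Strict comparison compares type and value, so no triple can break it.
echo count(transitivityViolations($samples, $strict)), " violations with ===\n";
```
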

  15. Re:You don't know what you're talking about. by Anonymous Coward · · Score: 5, Insightful

    PHP has always used explicit memory management.

    allocate_StringMemory()
    sys_FreeMemory_UTF8()

    Watch out because there is no way to tell if allocation fails. That's convenient though because it makes sys_Free* idempotent; there is no difference between failure to allocate and multiple free-s.

    With 5.5 you get a great new function;

    sys_FreeEverything() // in traditional mixed camel case + underbar style!

    Now you don't need to keep track of allocations and release them. Just blow away all allocations across all requests and start fresh. It's really great for fixing those darn memory leaks.

  16. Re:Too Little, Too Late & MtGox by Tablizer · · Score: 4, Insightful

    > The fact that there is a function called real_escape_string scares the shit out of me, because it implies there exists a function called escape_string which doesn't really escape strings

    That reminds me of people who call a document "x_final", but then change their mind and so create a second one called "x_final_final", and change their mind again to get "x_really_final_this_time_I_promise". I suggest version numbers, but then they say, "But version numbers don't tell me which one is final". I gave up on them.

  17. Re:PHP by Tablizer · · Score: 5, Insightful

    Every common language out there has ugly stuff of one kind or another.

  18. Re:Too Little, Too Late & MtGox by Anonymous Coward · · Score: 3, Insightful

    I used to think there weren't plain bad languages. Now with more experience under my belt, I know better.

    Every language has quirks. You get used to them, and do what you need to do. PHP is almost nothing but quirks. The only languages I can think of worse than PHP are those deliberately designed to be bad: Brainfuck, Malbolge, INTERCAL, and the like. I'm not even sure that some of those are worse than PHP.

    The entire structure and implementation of PHP screams of hasty decisions by cowboy coders who just decided to write an interpreter one day without sitting down and actually designing anything. Reading almost anything about the language is an exercise in counting and cataloguing "WTF" moments of various magnitudes. There have been many "new PHP" modifications, addressing various numbers of warts in the language. However, there are so many misfeatures and design flaws in PHP that such a process would be effectively unending even if the alterations weren't themselves riddled with defects.

  19. real_foo_bar() and somesuch_improved() by Mister+Liberty · · Score: 4, Informative

    Make PHP the laughing stock of many a programmer.
    The language's development has been in the wrong hands from day one.

    You can do great things in Python because of Python.
    You can do great things in PHP in spite of PHP.

  20. Re:Inconsistency by elfprince13 · · Score: 3, Insightful

    > Even JavaScript isn't as bad as that, there are only a few minor areas where implementation-specific issues pop up, like the awful CSS rule stuff, input codes, and some other stuff, with PHP, it is EVERYWHERE.

    Cute. In JavaScript: "5"-2 = 0 and "5"+2 = "52". Even PHP isn't *that* nut.

  21. Re:Too Little, Too Late & MtGox by scorp1us · · Score: 2

    You never should have to sanitize your db inputs. Why? Because then you have to always unsanitize them, else you end up with a crap string because it isn't escaped/unescaped enough times. The right thing to do is to use the database driver's bind interface. Basically, your DB values should be treated as opaque blobs as far as entry and retrieval go. Now if you need to verify a date, that's another matter. But you should be treating them as opaque blobs, full of nulls, quotes, semicolons and unprintable characters.

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  22. Re:Too Little, Too Late & MtGox by Dan+East · · Score: 5, Insightful

    I do a lot of coding in PHP, and there's a lot of things I don't like about it, but your particular dislikes don't make a lot of sense.

    > Why in 2014, do I have to decorate variables with '$'?

    It's not like PHP was written in 1965 and thus there was some hardware (memory footprint, compilation speed, etc) reason variables are prefixed with a dollar sign. It was a design choice. That's so you can do this:
    $count=5;
    echo "The total is $count.";

    And you can use the same variable syntax in your code as in strings that are automatically parsed.

    > Why does the associative array syntax take two characters that look like a comparison operator?

    It doesn't "look" like a comparison operator if you actually know what the operators are. <= and >= are comparison operators, and => is not a comparison operator in any language I've ever used. A single equal sign looks like a comparison operator too, and woe to the developer that doesn't have the universal C-like basic operators (used in dozens of modern languages) memorized backwards and forwards.

    > Why do I need == and ===?

    For the same reason that Javascript and other scripting languages need it. Those languages do automatic type conversion, and sometimes you don't want that to occur. The alternative is manually casting things, which isn't very script-like at all, and having to explicitly deal with types is more like C than an "easy to use" scripting language. Thus there are two equality operators for the times you don't really want 0 to equal null to equal false.
    This one is even more ironic considering Javascript based node.js is your favorite server side platform, and thus you would also have to use both == and === operators in your preferred language anyway.

    > And variable confusion between $_GET, $_POST and $_COOKIE

    I don't even know where to begin on this one. They are 3 entirely different things, with the most self-explanatory names I can think of. That's exactly as it should be. Look at $_REQUEST if it's too difficult to figure out which you should be using (and woe to your client if that's the case).

    --
    Better known as 318230.
  23. Re:PHP by Mitchell314 · · Score: 5, Interesting

    I was about to make a joke, but seriously, the only language I can think of that doesn't have some nasty gotcha is . . . . ugh . . . BASIC. Python has the whole whitespace deal, Perl code tends to be unkempt, Java is fuggin java, Ada is a secret government spy, I don't even want to talk about C++, Bash is fine as long as you never have the misfortune of using quotes or variables, C guarantees regular segfaults, Matlab/Octave will delightfully inform you of your bugs deep in system library code, SAS's userfriendliness pars that of installing Linux from scratch, you can't write more than four lines of Fortran without painting some Star Trek action figure, and just fuck Cobol.

    Honestly, BASIC wins this round just by virtue of being so limited that it's hard to shoot yourself in the foot. I don't count GOTO, as jumps aren't really language specific. Having tutored programming for years, I can say that students are perfectly able to write spaghetti code with or without goto. :p

    --
    I read TFA and all I got was this lousy cookie
  24. Moving to Python by EmperorOfCanada · · Score: 4, Informative

    I have built some very large PHP based web systems (over the last 10 years) and recently dipped my toes into the Python pond. My python skills might be a tiny fraction of my PHP or C++ skills and I doubt that I am using Python anywhere near its potential, yet my productivity is already much higher and getting faster. I am waiting for there to be a catch but so far I haven't found one.

    It is shaping up to be one of these things where my only regret is not switching sooner.

    I was a huge defender of PHP for a long time but that time is over. There are interesting things like HHVM that are another bandaid for PHP but I am sick of making PHP work. I am sick of typing all those stupid dollar signs. I'll just say what so many have said before, "Python is like typing pseudo code, except you are actually coding." I don't look at my python and shudder.

    PHP reminds me of some of my own projects where I changed course many times leaving strange little architectures and changes in philosophy. The longer the project goes on and the more it changes direction the more debris it leaves behind. It is not necessarily broken just sort of all just off.

    Where Python is a tiny problem with the web is that setting up a development environment took me a tiny bit more work than the usual LAMP setup. This might make it harder for beginners but maybe that is a good thing. I don't mind leaving the beginners back in PHP land.

  25. Re:Too Little, Too Late & MtGox by Dan+East · · Score: 2

    Like making it more difficult syntactically prevents SQL injection attacks either:

    var sql="SELECT fname, lname from people where id='"+id+"'";

    Same vulnerability in Javascript.

    --
    Better known as 318230.
  26. Re:Inconsistency by countach74 · · Score: 3, Interesting

    Also, "5"-2 yields 3, not zero. I think the fairly obvious reason for this nonsense is that string concatenation uses the same symbol in JS as adding (+). Combine with loosely-typed variables, and it's a recipe for stupid things. The solution, of course, is to make sure you're adding numbers to numbers and not to strings, which is hardly unique to JavaScript; you wouldn't do that in C, C++, Python, or any sane language I can think of--except PHP.

  27. Re:It's still unmaintainable crap by dackroyd · · Score: 2

    > It suffers from SQL that lacks proper commit controls.

    Wat?

    > Implementations I've used leak connections like a sieve, forcing restarts of the database servers on a regular basis.

    While that must have been frustrating for you - that's not a common complaint, so was probably specific to either your DB or configuration.

    > PHP's biggest problem is lack of modularization and encouragement of inline script hacking.

    You mean you suck at writing decent code, without being forced to do things 'properly' ?

    --
    "Free software as in beer, copy protection as in racket" - Telsa Gwynne
  28. Re:Inconsistency by Anonymous Coward · · Score: 2, Informative

    I agree they are incomparable. Javascript is much worse in so many ways...

  29. Re:Too Little, Too Late & MtGox by Dynedain · · Score: 4, Insightful

    In PHP this is now solved with parameterized queries. Plus any framework or CMS worth its salt was doing it already:

    $sql = $dbConnection->prepare("SELECT fname, lname FROM people WHERE id = ?");
    $sql->bind_param('s', $id);
    $sql->execute();

    If you're rolling your own DB connection layer in modern PHP, you're doing it wrong.

    --
    I'm out of my mind right now, but feel free to leave a message.....
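
An added example, not part of the comments above or of the thread: the concatenated query quoted earlier in the discussion beside the bound form, plus a round trip showing a value with quotes and semicolons stored and read back unchanged through the bind interface, as scorp1us describes. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) instead of the mysqli calls in the comment; the function names, rows and input string are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory database, so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id TEXT PRIMARY KEY, fname TEXT, lname TEXT)');

$awkward = "O'Neil; \"quoted\" -- not a comment";
$insert = $db->prepare('INSERT INTO people (id, fname, lname) VALUES (?, ?, ?)');
foreach ([['1', 'Ada', 'Lovelace'], ['2', 'Grace', 'Hopper'], ['3', 'Pat', $awkward]] as $row) {
    $insert->execute($row);   // bound values: no escaping on the way in
}

// "Before": the value is spliced into the SQL text, so it is parsed as SQL.
function findConcatenated(PDO $db, string $id): array
{
    $sql = "SELECT fname, lname FROM people WHERE id='" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// "After": the statement is fixed when prepared; the value travels separately
// and is only ever compared as data.
function findBound(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT fname, lname FROM people WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input that changes the meaning of the concatenated query.
$input = "x' OR '1'='1";
printf("concatenated: %d row(s)\n", count(findConcatenated($db, $input)));
printf("bound:        %d row(s)\n", count(findBound($db, $input)));

// Round trip: the awkward value comes back byte for byte, nothing to unescape.
$stored = findBound($db, '3')[0]['lname'];
var_dump($stored === $awkward);
```
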
  30. Re:It's still unmaintainable crap by msobkow · · Score: 2

    The fellow who wrote the original code used a library I'd never heard of for MySQL connectivity. They didn't know how to use SQL properly. They didn't know how to error check results. Hell, they didn't even know how to sort data for the users as they'd been asking him to for months before.

    But no, he left the company and the steaming pile of crud was dropped in my lap to fix.

    By the time I was done stabilizing the thing, there must have been a whole 10% of the original code left.

    Just because it's possible to write readable and maintainable PHP doesn't mean it happens any more often than with PERL.

    I've never started a PHP project, but I've been called on to fix several.

    Nowadays I deny any and all knowledge of PHP and refuse to get suckered into fixing someone else's hack job of code ever again.

    PHP sucks farts off dead chickens in the hands of an amateur, and 99% of the people who "recommend" PHP are amateurs.

    --
    I do not fail; I succeed at finding out what does not work.
  31. the real horror of MtGox by SethJohnson · · Score: 2

    Ok. So yeah. MtGox was coded in PHP and it was compromised recently in a high-profile incident.

    And look at MtGox. What was it coded in? PHP!

    Sure, some people lost some bitcoins. But what are those?!?!? Intangible sets of numbers and letters that don't exist in the real world. Not to be insensitive, but boo-hoo!

    The bigger tragedy here is that the MtGox site had a vulnerability that has probably been exploited for more than a decade by some nefarious organization to steal people's Magic The Gathering Cards. These things exist in the real world!!

  32. Re:bacony by abhi_beckert · · Score: 2

    > "no you cannot do anything in PHP that you can do in Python or Perl!"

    > that statement in itself is true, but PHP is a web language and as for things to do ON THE WEB yes I would argue it is more feature rich.

    > Even if you disagree with the Python comparison it certainly beats the current state of Perl all the hell.

    > Source: I've developed in all three for work.

    I've only ever developed in PHP (well, I tried ruby for a few months then ran away screaming in frustration), but I know of things in python/perl that PHP is missing.

    For example PHP doesn't begin executing your code until after the browser has sent _all_ of the post data. This makes it impossible to create a file upload progress bar in PHP. You can do it in modern browsers with javascript now, but previously it had to be done server side and only languages like perl can handle that - because they begin executing the code before the browser has finished sending all the post data, allowing the perl script to communicate progress updates back to the browser.

  33. Lousy coders will be lousy coders by SmallFurryCreature · · Score: 3, Insightful

    And how is this different from "SELECT yada yada " . id . " yada yada"

    How exactly does ANY language that allows catenation not allow you to enable sql injection attacks?

    "Coders" like you want a language to protect you from being stupid because you are stupid. It is your kind that insists everything be made child proof because you are a child yourself.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  34. Re:PHP by TeknoHog · · Score: 3, Insightful

    > Python has the whole whitespace deal, Perl code tends to be unkempt

    Now this is a great comparison. One language is bad because it enforces tidiness, and the other is bad because it doesn't.

    --
    Escher was the first MC and Giger invented the HR department.
  35. PHPs badness is its advantage. by Qbertino · · Score: 4, Interesting

    I love Python, I think JavaScript is sort of OK and I did a lot of serious programming in ActionScript 2&3, both of which are quite similar to JS. I was basically forced into doing PHP by the market. I never really liked PHP but I really never hated it either. The thing about PHP is that it's so specific in its domain and such a hack that no one doing PHP development for a living will go around boasting about the greatness of the language. There is a refreshing lack of arrogance in the PHP community which, in my observation, makes it very easy for n00bs to pick up. As a result we get countless people reinventing the wheel in PHP and discovering basic programming patterns anew for themselves and starting yet another Framework/CMS/Whatnot and the results often are really bizarre. But the community remains alive that way.

    F.I. I'm working myself into Drupal at my current employer because it's the prime go-to CMS here. It's like a live Alice in Wonderland trip. A strange historically grown mess, barely tamed by sanity and a relentless chaotic community that all by accident seem to come up with hacks that somehow solve the problem in some way. And yet there's a solid global corporation building its business all around Drupal. The surreal hacks with which the Drupal people solve their problems are mindboggling, and yet everybody seems totally OK with it. And Drupal's track record of deployments is impressive.

    I guess with PHP it's somehow like the C vs. Lisp argument: C is so shitty compared to Lisp that you have to get yourself together and work as a team, or you won't get anything done. Hence Lisp has this loner existence on the side and all the real work gets done in this ancient C thing.

    PHP is a similar thing. It is so bad that no respectable programmer would pick it up voluntarily nowadays, but yet it grew out of Perl (which is worse in some ways), was somewhat of an improvement and was at the right place at the right time. The badness of PHP accounts for its considerable lack of arrogance (compare the PHP community to the Ruby community for instance) and for no one feeling guilty when he does a quick bad hack.

    As a programmer you don't feel dirty when you do bad programming in PHP, you already felt that when you picked PHP as the solution. Hence quite a bit of work gets done in PHP. That's why PHP has Drupal and Typo3 and Joomla and the Java Community has nothing of that proportions. The barrier of entry into PHP is *very* low which gives it its momentum.

    My 2 cents.

    --
    We suffer more in our imagination than in reality. - Seneca
  36. Re:Meet the New PHP by tendrousbeastie · · Score: 2

    Whereas it should of course be fewer_crabs()