As PHP 5.6, Still Used By a Large Number of Websites, Approaches Its End of Life Deadline, Some Worry About the Consequences (linkedin.com)
An anonymous reader writes: I know PHP isn't to some devs' liking, but chances are you know people who work with PHP or have sites that are built with it. PHP 5.6 and 7.0 are shortly coming to the end of the support period for security patches, so what plans have you made to migrate code and sites to newer platforms? With apparently huge numbers (80%) of sites still running PHP 5.6, there appears to be little industry acknowledgement of the issue. Is there a ticking PHP Time Bomb waiting to go off?
Wow, PHP 5.6 has been around for how long?
http://www.aisnota.com/slashdot/ Welcome to Logic and the Future
The current RedHat 7 ships PHP5.4 (or lower) by default. Adding 5.6 means adding a non-standard repo and thus tainting your update environment. Can be done but not classy.
Having said that, I run a small ISP with many tiny NGOs as customers. All these sites were developed for PHP5.2 or something by "Bob" who left and nobody has the money or expertise to update the site to PHP5.6 or higher. If I force an upgrade I effectively kill over 300 websites that are pretty much running fine, despite the vulnerabilities published. Remember that most of these customers have never even heard of PHP or what it is supposed to be doing, and they care even less as they are not IT people.
If an experiment works, something has gone wrong.
Sure, let me just go back to the hundreds of small businesses we've built websites for over the past 10 years and tell them their sites need to be "simply rebuilt". I promise you that 95% of them will see no problem with leaving their PHP 5.6, 5.4, 5.2, etc... websites alone because "they still work fine". Why would they pay us money to rebuild them?
Maybe, but the site owners know how to use that admin interface, and getting them to that point was like pulling teeth. Now you want to train them on a brand new interface? Good luck.
I'm not saying this guy doesn't have some points, just that he doesn't seem to live in the real world.
I wonder how many of those sites are so old that when they were first made, PHP was the sane choice?
Who set arbitrary support deadlines for popular software like Windows XP? Just keep support going like Cobol programs.
Frameworks, languages should always provide a clear migration path and never jump major versions. Python, Zope, PHP, and many more learned that lesson in a hard way.
My ISP applies a support charge to any websites that don't run the latest version, whether that's PHP or MySQL. It's an incentive to upgrade, and it would be interesting to find out how many just accept the charge versus those who upgrade or pull their sites entirely. It certainly encouraged me to ditch a few websites I was half-hearted about.
When your cloud provider only provides images for OS's that are two years or more out of date, and your OS vendor only provides packages for 4 year old versions of software, this is what happens.
It's even worse
That's dumb. Rewriting or porting software introduces bugs and security flaws. Good developers are good in any language. Hire good developers. Any developer who wants to rewrite everything when they come in isn't a good developer.
We've been upgrading sites to PHP 7+ for awhile now.
Haven't been too many issues, as long as the CMS is reasonably up to date. When issues do arise, it's usually some old theme/template with too much functionality stuffed into it, or some obscure CMS plugin/addon.
The only constant is change itself, and all that ... hasn't been a huge deal.
I really haven't heard of any good replacements for PHP. All the popular languages seem to want you to code your WebServer in their language vs. using a tried and true one.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I don't think many people recall that when PHP became popular it was one of the following choices:
1) PHP
2) Perl & CGI.pm
3) Java servlets plus crappy EJB plus (maybe) CORBA
4) ActiveX/COM/VB
Nowadays we have environments, languages, and frameworks that are much nicer than anything PHP has to offer.
Rewriting or porting software introduces bugs and security flaws.
And it can also remove bugs and eliminate security flaws. And in the case of replacing a PHP-based system, odds are very much in favor of a net improvement.
Good developers are good in any language. Hire good developers.
That sorta misses the point and is akin to arguing that knives shouldn't have handles because a good knife wielder can avoid getting cut. PHP is a handleless razor blade with a sharp edge all the way around.
I do try to hire good devs (which is why if I see the huge red flag of PHP on their resume, I'm going to dig into their view on it, and almost certainly not hire them if they don't seem to really grasp why it's bad).
Any developer who wants to rewrite everything when they come in isn't a good developer.
That's overstating it a bit, but I don't disagree (but also not sure why you're mentioning that because I didn't say otherwise).
Technically any language flaw and hack is a result of bad security ops.
That doesn't mean they should just let it slide. Because everyone will at some point have a bad day, and miss something. If your security review just forgot to account for a particular method, the built in defaults should be a secondary defense.
... when you opted to use PHP in the first place.
Right... you should have used lovingly hand-crafted C with CGI, because that would have solved all of your security problems. /s
Or spent months hacking through the jargon thicket that is Java server-side programming (OK, maybe not rocket science but massive overkill for simple stuff).
Anyway, before the days of $5/month virtual servers and free Amazon cloud, PHP was probably the only thing that your shared web host offered...
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
Version [Insert Version] of [Insert Coding Language Here] is a ticking time BOMB! Support for critical patches ends on [Insert Date Here] leaving customers with buggy and unpatched software which will be exploitable.
------
There, that should work as a template. Seriously, all software that is not actively maintained is at risk (and honestly all software being maintained has a certain level of risk to it as well). If I remember correctly you have reached the end of the software life cycle when there are no more patches, which also means that no one should be using it anymore.
P.S., make BOMB all in caps, seems more dire.
I would expect a simple update guide with breaking changes and simple resolutions.
Expected it, got it. Google Search for php 7.0 breaking changes returned this section of the official migration guide as the first result.
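The official migration guide lists what was removed, but a site owner with "Bob's" PHP 5.2 code still has to find where those functions are used. Below is an added example, not part of the thread or of the migration guide, that walks PHP source with the built-in tokenizer and flags bare calls to functions that were removed in 7.0 (ext/mysql, ext/ereg, call_user_method, magic_quotes) and 7.2 (ext/mcrypt). The function table is a subset I am confident of, not the complete list; the sample source it scans is constructed for the demo.

```php
<?php
// Added example (not from the thread or the official migration guide): a
// static check that tokenizes PHP source and flags calls to functions that
// no longer exist on PHP 7.0 / 7.2, so a site can be triaged before the
// interpreter is upgraded. Extend REMOVED_FUNCTIONS from the migration guides.

const REMOVED_FUNCTIONS = [
    // ext/mysql: removed in 7.0 (use mysqli or PDO)
    'mysql_connect' => '7.0', 'mysql_pconnect' => '7.0', 'mysql_query' => '7.0',
    'mysql_fetch_assoc' => '7.0', 'mysql_fetch_array' => '7.0', 'mysql_fetch_row' => '7.0',
    'mysql_real_escape_string' => '7.0', 'mysql_escape_string' => '7.0',
    'mysql_num_rows' => '7.0', 'mysql_select_db' => '7.0', 'mysql_close' => '7.0',
    'mysql_error' => '7.0', 'mysql_insert_id' => '7.0',
    // ext/ereg: removed in 7.0 (use preg_*)
    'ereg' => '7.0', 'eregi' => '7.0', 'ereg_replace' => '7.0', 'eregi_replace' => '7.0',
    'split' => '7.0', 'spliti' => '7.0', 'sql_regcase' => '7.0',
    // misc removed in 7.0
    'call_user_method' => '7.0', 'call_user_method_array' => '7.0',
    'set_magic_quotes_runtime' => '7.0', 'magic_quotes_runtime' => '7.0',
    // ext/mcrypt: removed in 7.2 (use openssl_* or sodium_*)
    'mcrypt_encrypt' => '7.2', 'mcrypt_decrypt' => '7.2', 'mcrypt_create_iv' => '7.2',
    'mcrypt_get_iv_size' => '7.2', 'mcrypt_module_open' => '7.2',
];

/**
 * Return [line, function, removed_in] for each bare call to a removed function.
 * Method calls ($obj->split()), static calls (Foo::split()) and declarations
 * of a same-named user function (function split() {...}) are skipped.
 * Note: on PHP 8 a fully-qualified call such as \split() is tokenized as a
 * single T_NAME_FULLY_QUALIFIED token and is not matched by this check.
 */
function find_removed_calls(string $source): array {
    $tokens = token_get_all($source);
    $hits = [];
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_STRING) {
            continue;
        }
        $name = strtolower($tok[1]);
        if (!isset(REMOVED_FUNCTIONS[$name])) {
            continue;
        }
        // A call must be followed by '(' (skipping whitespace).
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $n || $tokens[$j] !== '(') {
            continue;
        }
        // Skip method calls, static calls and function declarations.
        $k = $i - 1;
        while ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) {
            $k--;
        }
        if ($k >= 0 && is_array($tokens[$k])
            && in_array($tokens[$k][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        $hits[] = [$tok[2], $name, REMOVED_FUNCTIONS[$name]];
    }
    return $hits;
}

// Constructed sample of the kind of PHP 5.2-era code the thread describes.
$sample = <<<'PHP'
<?php
$db = mysql_connect('localhost', 'bob', 'hunter2');
mysql_select_db('shop', $db);
$parts = split(',', $_GET['ids']);
$res = mysql_query("SELECT * FROM items WHERE id IN (" . join(',', $parts) . ")");
$obj->split(); // method call: not flagged
if (preg_match('/^\d+$/', $id)) { echo 'ok'; }
PHP;

foreach (find_removed_calls($sample) as [$line, $fn, $ver]) {
    printf("line %d: %s() removed in PHP %s\n", $line, $fn, $ver);
}
```

Run it with `php scan.php`; to use it on a real site, replace `$sample` with `file_get_contents()` over each `.php` file. It reports the four bare calls on lines 2 to 5 of the sample and ignores the method call and `preg_match`. Because it only sees the tokens, it does not catch removed functions invoked dynamically (`call_user_func('split', ...)`, `$fn(...)`), which is exactly the "not human-readable" code the thread complains about; a `php -l` lint pass will not catch those either, since a call to an undefined function is a runtime error, not a parse error.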
Honestly, most websites can run on PHP 7.2 by adding error_reporting(E_NONE);
If there are breaking changes it's a good reason to consider some other solution. The problem is that some PHP code isn't easy to fix even if you get the info about what's a breaking change because the PHP code is not always even human-readable except for the person that did write it - and that person has moved on.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
You say you look for devs who want to rewrite anything they come across in PHP or who come from dysfunctional teams they want to leave. You don't allow for the possibility that a PHP developer is talented, works with talented people, and is generally happy writing good code in PHP.
> PHP was the insane choice
FTFY.
PHP is shit.
The online manual is crap as well. Searching for true, TRUE, false, FALSE, all return:
*facepalm*
Why do two of the shittiest programming languages around, PHP and JavaScript, drive much of the Web?
*double facepalm*
Such as?
PHP is still widely used because it's fast (performing) and fast to develop in, free, well-documented and has a huge framework library and developer base to draw on.
That doesn't make it a good language, but it does make it the one to beat. I have yet to see anything that can do what PHP can do. All the "better" tools are slower, take twice the development time, lack turnkey solutions, or are obscure enough that you need to do a months-long search to put together a (high-priced) development team.
Last I checked, Python still supported any web server that could speak CGI or WSGI. Apache can speak both.
People blame dynamic typing, but the real culprit is implicit conversions.
Even back when I was learning C in the mid-90s they drove me crazy. They cause more bugs than they are worth. ALL type conversions should be made explicit, even at the cost of a little extra typing.
You don't allow for the possibility that a PHP developer is talented, works with talented people, and is generally happy writing good code in PHP.
Thank you, yes, that's much closer to what I was saying.
When I hire a dev, I'm looking for someone with good judgement. If I come across a candidate that was actively using PHP at their last job, then I am most definitely going to dig in to make sure that that candidate has a good grasp of its flaws and a good explanation for why it continued to be used anyway.
If they can't do a solid job of explaining that, then no, they probably aren't a very good dev.
It's not that I doubt that somewhere, somehow there exists a good dev who is using PHP for a good reason, it's just that it's typically a strong indicator of not-so-good devs. Even before the interview stage, when I'm looking at a resume, if PHP is highlighted or emphasized, I almost always just move to the next one in the stack - it's possible that I'm missing a great candidate but far more likely that I'm not.
I really hope this list is not news to any PHP developer. PHP 7 was released Dec 2015.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Piss off with your spam, Chuck.
Red Hat / CentOS needs to bump the version numbers. The backporting is OK, but why not bump them when they do 7.2, 7.3, 7.4, 7.5, etc.?
Azure and AWS need a console so you can boot ISOs and other stuff like ESXi / QEMU / etc.
I imagine it is a lot of various forums for different hobbies people have. If you can think of a hobby, I'm sure someone will have a forum and maybe a wiki as part of it. That's a lot of websites and most of them are likely pretty old but the information is still useful and valid.
It tends to be news for end-customers who had web applications built by developers who have long since moved on.
Cobol is declining too.
However, once the code works, then it is probably a good idea not to piss with it. New "Features" are mostly just bugs anyway.
Sent from my ASR33 using ASCII
> Why would you be comparing differently typed items anyway?
You _never_ make typos in code?
You _never_ compare the wrong types by accident?
Good programming embraces Fail Fast. One of the advantages of static type checking is that you know instantly if what you are doing is nonsense.
PHP and JavaScript are crap because they embrace "Fail Whenever" -- a HORRIBLE practice for scalability, correctness, and robustness.
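The "comparing differently typed items by accident" point above has a concrete security shape in PHP: `==` coerces both operands before comparing, so two different strings can compare equal. Below is an added example (mine, not from any poster in the thread) showing the classic case, a digest comparison where both digests have the form `0e` followed only by digits. PHP reads such strings as numeric (zero times a power of ten), so `==` compares them as `0 == 0`. The two inputs are well-known published examples, not values I generated; `hash_equals()` and the strict flag on `in_array()` are the standard-library fixes. Requires PHP 7.0 or later.

```php
<?php
// Added example (not from the thread): PHP's loose comparison (==) silently
// coerces types, so authentication-style checks must use strict comparison
// or hash_equals(). Runs on PHP 7.x and 8.x.

// Two well-known inputs whose MD5 digests both start with "0e" and continue
// with digits only. PHP treats such strings as numeric, so == compares them
// as 0.0 == 0.0 and reports a match.
const MAGIC_A = '240610708';
const MAGIC_B = 'QNKCDZO';

// Vulnerable: stored digest compared with == to the digest of the candidate.
// Any candidate whose digest is also "0e<digits>" is accepted.
function password_ok_loose(string $stored_md5, string $candidate): bool {
    return md5($candidate) == $stored_md5;
}

// Hardened: hash_equals() compares byte-for-byte in constant time and never
// coerces. (Unsalted MD5 for passwords is itself wrong; this isolates the
// operator's effect. Real code should use password_hash()/password_verify().)
function password_ok_strict(string $stored_md5, string $candidate): bool {
    return hash_equals($stored_md5, md5($candidate));
}

// in_array() and switch also compare loosely unless told otherwise.
// On PHP 5.x/7.x, 0 == 'admin' is true because the non-numeric string is
// coerced to 0; PHP 8 reversed that rule. Code should not depend on either.
function role_is_privileged_loose($role): bool {
    return in_array($role, ['admin', 'root']);
}
function role_is_privileged_strict($role): bool {
    return in_array($role, ['admin', 'root'], true);
}

$stored = md5(MAGIC_A);
printf("md5('%s') = %s\n", MAGIC_A, $stored);
printf("md5('%s') = %s\n", MAGIC_B, md5(MAGIC_B));
var_dump(password_ok_loose($stored, MAGIC_B));
var_dump(password_ok_strict($stored, MAGIC_B));
var_dump(role_is_privileged_loose(0));
var_dump(role_is_privileged_strict(0));
```

`password_ok_loose()` accepts `QNKCDZO` as the password for an account whose stored digest came from `240610708`, on every PHP version, because both digests are numeric strings and numeric-string comparison was not changed in PHP 8. `password_ok_strict()` rejects it. `role_is_privileged_loose(0)` is the version-dependent case: true on 5.6 and 7.x, false on 8.x, which is one reason an interpreter upgrade can change the behaviour of a site that "still works fine".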
If there are breaking changes it's a good reason to consider some other solution. The problem is that some PHP code isn't easy to fix even if you get the info about what's a breaking change because the PHP code is not always even human-readable except for the person that did write it - and that person has moved on.
Code people wrote for PHP 5.6 should work with PHP 7.1 with very few changes, however tons of things in the backend changed meaning extensions must be rewritten. There are 3 or 4 extensions I have which haven't even been upgraded to PHP 7.0 yet.
As long as they keep running servers that run the php version I bet most will never notice.
I had a client who was using php 5.3 on ubuntu 12.04 until he shut his site down last month. The site wasn't making enough money for him to warrant updating the site (even though for 2 years I kept pestering him about it). The original developer had used php functions that no longer worked in 5.6, and it would have been a major rewrite to get it working again.
Unless the interpreter expires!
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
3 years is not very long in the scale of things.
OK, but if the first time a developer bothers to look at the changelog for the current stable version is when the old version they're using is about to go end-of-life, they might not have their priorities in order. They definitely don't have a reason to whine if the rest of the world has moved on without them.
Some of the PHP code which drives my web sites was written in 2007, and they are still working fine.
Which version of PHP are you running?
those Neanderthal women are really hot!
Yeah, well, I was into Neanderthals before they were popular, but I kind of lost interest. I'm more into Denisovans now, but you probably haven't heard of them.
Many keep saying Python is a notably better language than PHP, but most of the time one is just calling APIs and frameworks. One is not typically dealing heavily with core language aspects anyhow for run-of-the-mill CRUD and commerce apps. Or am I missing something? Thus a "better" core language doesn't mean much in practice. Other factors overshadow the difference.
Plus, PHP comes with more web-oriented libraries and features, because Python is designed to be a "general purpose" language, not a web language. You can attach libraries to get Python more webby, but that often creates more dependencies than using the built in ones.
Table-ized A.I.
If people thought the way you do, they never would have begun the project in PHP in the first place. But they did.
It's like you said "Everyone who understands English, please leave the room," and a bunch of people walk out. A bunch of people remain, staring at you, confusion on their faces.
And what do you do? You begin a speech in English. Notice how the confused looks aren't going away?
"Believe me!" -- Donald Trump
I like the line about wanting to write in Perl because it is more elegant than PHP. Pot calling kettle black!
I use some PHP for my small site. Because it is there. Installed, ready to go on my basic hosting provider. Sure it is ugly. But not nearly as ugly as Java or .Net to configure for small sites.
And yes, I guard against SQL injection and Html injection.
Numbers could be better if there were no backward incompatible change. Take the mysql module for instance, it would not have been difficult to provide it as a compatibility layer on top of mysqli. Same for apc and apcu.
Of course code can be migrated, but anything that increases the difficulty makes it more likely that an upgrade will not happen.
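The removal of ext/mysql in 7.0 is the incompatibility most of the thread's PHP 5.2-era sites hit first. A compatibility shim of the kind suggested above would keep them running, but it would also preserve the way that code built queries. The added example below (mine, not from the thread) shows the legacy pattern beside the PDO port that a practitioner should make at the same time. It is written against an in-memory SQLite database so it runs offline without a MySQL server; the SQL and the injection behave identically on MySQL. It assumes the `pdo_sqlite` extension is loaded, and the table and rows are constructed for the demo.

```php
<?php
// Added example (not from the thread): the ext/mysql query pattern that
// stops working on PHP 7.0, beside its PDO replacement. Uses SQLite in
// memory so it runs offline (assumes pdo_sqlite is available).

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // let the driver bind natively where it can
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$pdo->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 0), ('bob', 1)");

// The PHP 5.2-era original (a fatal "undefined function" on PHP 7, since
// mysql_* no longer exists):
//   $r = mysql_query("SELECT id, name FROM users WHERE name = '$name'");
// Its real defect is string interpolation, not the extension. A mechanical
// port to PDO that keeps the interpolation keeps the injection.
function find_user_interpolated(PDO $pdo, string $name): array {
    return $pdo->query("SELECT id, name FROM users WHERE name = '$name'")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// The port that should be made instead: a prepared statement with a bound
// parameter. The input travels as data and cannot alter the query text.
function find_user_prepared(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A classic tautology payload: closes the quoted literal, adds a condition
// that matches the admin row, then swallows the trailing quote.
$payload = "x' OR is_admin = 1 OR '1'='2";

printf("interpolated: %d row(s)\n", count(find_user_interpolated($pdo, $payload)));
printf("prepared:     %d row(s)\n", count(find_user_prepared($pdo, $payload)));
```

Against this data the interpolated query returns the `bob` row, because the payload turns the WHERE clause into `name = 'x' OR is_admin = 1 OR '1'='2'`; the prepared query returns no rows, because it looks for a user literally named `x' OR is_admin = 1 OR '1'='2`. This is why a drop-in `mysql_*` shim over mysqli, while it would get a site past the 7.0 upgrade, does nothing for the security problem that is usually sitting next to the removed call.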