PHP 7.3 Brings C Inlining and Speed Improvements (techrepublic.com)
An anonymous reader quotes TechRepublic:
PHP 7.3, the newest update to the widespread server-side web development language, was released on Thursday, bringing with it a handful of new features, modernizations, and modest speed improvements.... The largest improvements in 7.3 include support for Foreign Function Interface (FFI), allowing programmers to write inline C code inside PHP scripts. Though this feature does not presently provide the same level of performance as native PHP code, it can under certain circumstances be used to reduce the memory footprint of a given task.
PHP 7.3 also includes flexible heredoc and nowdoc syntax, now no longer requiring closing markers to be followed by a semicolon or new line. The feature proposal for this notes that the previous rigid requirements "caused them to be, in-part, eschewed by developers because their usage in code can look ugly and harm readability...." PHP 7.3 does bring some backward incompatible changes and deprecated functions. The use of case-insensitive constraints is now deprecated, as is the use of case-insensitive constants with a case that differs from the declaration.
Phoronix reports that PHP 7.3 is nearly 10% faster than version 7.2, while it's 31% faster than PHP 7.0 and nearly three times faster than PHP 5.6.
That's not the danger. The danger is allowing C object code to run that wasn't compiled BY that system. I'm not sure who asked for it, but it's certainly a way to destroy any sandboxing the php software set up for the scripting. This is as stupid as WASM in javascript.
The second you allow code to run unvetted, because it's been compiled a certain way, you open the hardware up to every single exploit that would be available had an idiot user just run a random malware binary. Fortunately most PHP systems are linux or freebsd, so it's a bit of a fool's errand to produce polyfill rootkits that would actually work. But they have been made before, and often rootkits get into the system because php/ruby/javascript/node.js/perl/flavor-language-of-the-year needs to be operating as root.
A great solution to this stupidity is "safe defaults" that do not turn on such features by default, and only on a per-site basis. This means the feature will get no use, by design, and a site has to justify to its users that some potentially dangerous feature is needed; most won't use it.