PHP


Hammer
Because all of you look like nails.
Posts: 5491
Joined: Thu May 03, 2007 7:32 pm UTC

PHP

Postby Hammer » Wed Nov 14, 2007 12:52 pm UTC

Should it be allowed to exist or must it be scourged from the Intertubes?
"What's wrong with you mathematicians? Cake is never a problem."

trickster721
Posts: 282
Joined: Tue Nov 13, 2007 4:26 am UTC

Re: PHP

Postby trickster721 » Wed Nov 14, 2007 3:54 pm UTC

What's not to like? It's easy and intuitive, flexible without being vague, has a recursive acronym, the online docs are very sexy, the alternatives are things like .NET and ColdFusion, and it's free.

Pesto
Posts: 737
Joined: Wed Sep 05, 2007 5:33 pm UTC
Location: Berkeley, CA

Re: PHP

Postby Pesto » Wed Nov 14, 2007 6:33 pm UTC

trickster721 wrote:Doesn't anybody want to complain about types?

It's not strictly typed. Meh. Makes some things very easy, makes other things very messy.

Security?

That's the responsibility of the programmer. I don't know of anything inherently unsecure about using PHP.

Register_globals?

A programmer can turn it on or off. Again, responsibility of the programmer.

LDJosh
Posts: 242
Joined: Fri Oct 26, 2007 6:07 pm UTC
Location: South Central, PA

Re: PHP

Postby LDJosh » Wed Nov 14, 2007 6:41 pm UTC

PHP programming has been my bread and butter for the last 3 years. I much prefer it to things like Perl or ASP for website design and development.
I can't imagine using anything else for MySQL database driven web-apps.
--------
~Lameduck Josh
ninjajosh.com

Dingbats
Posts: 921
Joined: Tue Mar 20, 2007 12:46 pm UTC
Location: Sweden

Re: PHP

Postby Dingbats » Wed Nov 14, 2007 6:48 pm UTC

Isn't the main annoyance with PHP that script kiddies try to pretend they're cool by learning it as their first language, and coding really badly?

I'll admit I've been one of them...

EvanED
Posts: 4331
Joined: Mon Aug 07, 2006 6:28 am UTC
Location: Madison, WI

Re: PHP

Postby EvanED » Wed Nov 14, 2007 7:52 pm UTC

Pesto wrote:
Security?

That's the responsibility of the programmer. I don't know of anything inherently unsecure about using PHP.

Yes, but languages can encourage or discourage security. For instance, I would argue that C encourages unsafe uses of strings. Java enforces correct use.

I don't know enough about PHP to be able to state whether it makes egregious decisions one way or the other.

Hammer
Because all of you look like nails.
Posts: 5491
Joined: Thu May 03, 2007 7:32 pm UTC

Re: PHP

Postby Hammer » Wed Nov 14, 2007 7:54 pm UTC

EvanED wrote:Yes, but languages can encourage or discourage security. For instance, I would argue that C encourages unsafe uses of strings. Java enforces correct use.

This would need its own Religious Wars thread. It has a long and time-honored tradition. Feel free to start it. :D
"What's wrong with you mathematicians? Cake is never a problem."

Hammer
Because all of you look like nails.
Posts: 5491
Joined: Thu May 03, 2007 7:32 pm UTC

Re: PHP

Postby Hammer » Wed Nov 14, 2007 10:43 pm UTC

Client side scripting argument split off
"What's wrong with you mathematicians? Cake is never a problem."

davean
Site Ninja
Posts: 2498
Joined: Sat Apr 08, 2006 7:50 am UTC

Re: PHP

Postby davean » Thu Nov 15, 2007 12:35 am UTC

Pesto wrote:
Security?

That's the responsibility of the programmer. I don't know of anything inherently unsecure about using PHP.


I don't know anything *current* but PHP has a long, time-honored tradition of blindingly bad decisions leading to amazingly large inherent insecurities.

pieaholicx
The cake is a lie!
Posts: 531
Joined: Mon Oct 22, 2007 12:51 pm UTC

Re: PHP

Postby pieaholicx » Thu Nov 15, 2007 1:20 pm UTC

Dingbats wrote:Isn't the main annoyance with PHP that script kiddies try to pretend they're cool by learning it as their first language, and coding really badly?

I'll admit I've been one of them...

I could honestly see that as being a reason for an annoyance with it. Mostly since none of them try to learn the language either, they just copy and paste examples and hope it works. Then they either try to learn it and get better, or fall into this. I will admit that I did originally write sloppy PHP, and did learn it as my first "language", but I can say that beyond running an example to see if certain things work on my server I've never copied and pasted it.
It's okay, I'm Chaotic Neutral. I can kill him over the loot.
Overexposure to pieaholicx may, in semi-rare cases, emancipate dental fillings, crowns, tooth enamel, and teeth.

Pesto
Posts: 737
Joined: Wed Sep 05, 2007 5:33 pm UTC
Location: Berkeley, CA

Re: PHP

Postby Pesto » Thu Nov 15, 2007 3:30 pm UTC

EvanED wrote:Yes, but languages can encourage or discourage security. For instance, I would argue that C encourages unsafe uses of strings. Java enforces correct use.

I don't know enough about PHP to be able to state whether it makes egregious decisions one way or the other.

Are you talking about these types of things?

Wikipedia wrote:* PHP originally inserted data received over the network directly into the global namespace, leading to confusion between trusted and untrusted data, and unnecessary potential for security holes in PHP applications. This behavior was turned off by default from version 4.2.0 released in April 2002. However, this feature is still being used by some legacy applications

* PHP has traditionally used features such as "magic_quotes_gpc" and "magic_quotes_runtime" which attempt to escape apostrophes (') and quotes (") in strings in the assumption that they will be used in databases, to prevent SQL injection attacks. This leads to confusion over which data is escaped and which is not, and to problems when data is not in fact used as input to a database.

I'll agree that it was probably a bad decision to have these kinds of things turned on by default, but they're easily enough turned off.
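
As an added example that is not part of Pesto's post or the quoted Wikipedia text: the second quoted point, confusion over which data has already been escaped, emulated with addslashes() because magic_quotes_gpc was removed in PHP 5.4. The table, function names and sample name are constructed, and the pdo_sqlite extension is assumed.

```php
<?php
// Added illustration, not code from the thread. magic_quotes_gpc was removed
// in PHP 5.4, so addslashes() over a constructed array emulates it here.
// Assumes the pdo_sqlite extension; table and function names are hypothetical.

/** Emulates magic_quotes_gpc: every incoming string is escaped up front. */
function emulateMagicQuotes(array $input): array
{
    return array_map('addslashes', $input);
}

/** Stores a name through a bound parameter and returns what the database holds. */
function storeAndReadBack(PDO $db, string $name): string
{
    $db->exec('DELETE FROM people');
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (string) $db->query('SELECT name FROM people')->fetchColumn();
}

/** Escapes for the HTML context, at the point of output. */
function renderGreeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');

// Constructed sample input: an ordinary name containing an apostrophe.
$raw = ['name' => "O'Brien"];
$quoted = emulateMagicQuotes($raw);

// Pre-escaped input: the backslash is now part of the data, so it is
// stored in the database and shown to the reader.
echo storeAndReadBack($db, $quoted['name']), "\n";
echo renderGreeting($quoted['name']), "\n";

// Raw input, escaped once per context: the bound parameter covers SQL,
// htmlspecialchars() covers HTML.
echo storeAndReadBack($db, $raw['name']), "\n";
echo renderGreeting($raw['name']), "\n";
```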

SimonM
Posts: 280
Joined: Sat Jul 21, 2007 4:49 pm UTC
Location: Guernsey, CI

Re: PHP

Postby SimonM » Fri Nov 16, 2007 9:56 am UTC

On the subject of PHP security there are several key problems.

Platform
We first have to consider the platform which we are dealing with. Not many people actually know that the backend of PHP has had many vulnerabilities; most of the main vulnerabilities come from the PHP software vendors (PHP-BB, Fusion etc.) and so we miss out on all the fun stuff which is going on in the back end. For more information on that I would recommend looking at some of the work of Stefan Esser and hardened PHP. However, I must concede that this is not the main problem with regards to PHP.

Low Barrier to Entry
Considering some of the other posts in this forum, people are complaining about how easy PHP is to pick up. This is both a blessing and a curse, but for security it is mainly a curse. For example, when people are taught about the superglobals, which include the input from the user, very few programmers will initially understand where the data is coming from. They think that cookies can only be set by the server, and GET and POST variables come from their predefined forms.

Not only does the low barrier to entry provide people with the opportunity to not bother dealing with programming properly, it also means that in general they do not understand how to set PHP up securely, which is why defaulting to register_globals off is a good thing.

Inherently Insecure?
I think that PHP is no less secure than any other environment, and when dealt with properly, it can be more secure than some. However, the sheer usage does not make this possible. And therein lies the problem.

More ideas coming in after school
mosc wrote:How did you LEARN, exactly, to suck?
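
An added example, not part of SimonM's post: the register_globals behaviour from the Wikipedia text Pesto quoted, and the point above that request data comes from the user, shown as a legacy pattern beside a hardened one. register_globals was removed in PHP 5.4, so it is emulated with extract(); all function names, array keys and sample requests are constructed.

```php
<?php
// Added illustration, not code from the thread. register_globals was removed
// in PHP 5.4, so extract() on a constructed array emulates what it did.
// Function names, array keys and sample values are all hypothetical.

/** "Before": request keys become plain variables, as with register_globals on. */
function legacyDeleteDecision(array $session, array $request): array
{
    extract($request); // untrusted keys land next to the script's own variables
    if (($session['role'] ?? '') === 'admin') {
        $isAdmin = true; // only assigned on the success path
    }
    // $isAdmin was never initialised, so a request key of the same name decides.
    return ['allowed' => !empty($isAdmin), 'post_id' => $post_id ?? null];
}

/** "After": request data is read by explicit key and validated, never used for authorization. */
function hardenedDeleteDecision(array $session, array $request): array
{
    $isAdmin = ($session['role'] ?? '') === 'admin'; // server-side state only
    $postId = filter_var(
        $request['post_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return [
        'allowed' => $isAdmin && $postId !== false,
        'post_id' => $postId === false ? null : $postId,
    ];
}

// Constructed sample input: session is server-side, request is client-supplied.
$cases = [
    'member, normal form'     => [['role' => 'member'], ['post_id' => '42']],
    'member, extra parameter' => [['role' => 'member'], ['post_id' => '42', 'isAdmin' => '1']],
    'admin, normal form'      => [['role' => 'admin'],  ['post_id' => '42']],
    'admin, non-numeric id'   => [['role' => 'admin'],  ['post_id' => 'forty-two']],
];

foreach ($cases as $label => [$session, $request]) {
    $legacy = legacyDeleteDecision($session, $request);
    $hardened = hardenedDeleteDecision($session, $request);
    printf(
        "%-24s legacy=%-5s hardened=%s\n",
        $label,
        $legacy['allowed'] ? 'allow' : 'deny',
        $hardened['allowed'] ? 'allow' : 'deny'
    );
}
```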

Olivaise
Posts: 11
Joined: Wed Nov 28, 2007 7:20 am UTC

Re: PHP

Postby Olivaise » Wed Nov 28, 2007 12:59 pm UTC

Post deleted by user.
Last edited by Olivaise on Wed Dec 15, 2010 9:04 pm UTC, edited 1 time in total.

HappySmileMan
Posts: 52
Joined: Fri Nov 09, 2007 11:46 pm UTC

Re: PHP

Postby HappySmileMan » Wed Nov 28, 2007 1:04 pm UTC

Dingbats wrote:Isn't the main annoyance with PHP that script kiddies try to pretend they're cool by learning it as their first language, and coding really badly?

I'll admit I've been one of them...


Same, but you can't blame that on the language. I don't have a problem with PHP, but the cool PHP h4x0rs really bring down the reputation of it. In fairness it does have some very good documentation and examples around, so it's not really a surprise that they always learn it first.

pieaholicx
The cake is a lie!
Posts: 531
Joined: Mon Oct 22, 2007 12:51 pm UTC

Re: PHP

Postby pieaholicx » Wed Nov 28, 2007 1:08 pm UTC

HappySmileMan wrote:in fairness it does have some very good documentation

That is very true. Who can beat the site's documentation? I mean, you just type in php.net/function_name and you get the full function reference, usually in your native language.
It's okay, I'm Chaotic Neutral. I can kill him over the loot.
Overexposure to pieaholicx may, in semi-rare cases, emancipate dental fillings, crowns, tooth enamel, and teeth.

Jach
Posts: 167
Joined: Sat May 05, 2007 8:38 pm UTC

Re: PHP

Postby Jach » Thu Nov 29, 2007 10:41 am UTC

I've honestly been confused why PHP gets so much beef from people, though this topic helps. I believe that register_globals will be gone for good in PHP 6 (and I think but am not certain that they're turned off by default in PHP 5). For a web developing language, it's awesome. As for desktop applications, I'm kind of skeptical, even though I know about PHP-GTK. I know its OOP had some heat not too long ago, and I agree that PHP <= 4 sucked at it, but 5 actually feels like real OOP now.

With security, I think a lot of people just copy paste code on the internet that doesn't properly take into account security (probably no regex's either). I think that if you want to learn PHP and MySQL, you ought to at least get a book on the subject (my favorites have been by Larry Ullman). Get some code that actually does if checks and has an escape_data() function to sanitize input. I've heard people say PHP is insecure, but I don't think a language so widely used can be inherently insecure; it's the programmer's fault. And as has been said the wide use is a security problem though, because so many people learn a few function commands and instantly think themselves professional web developers or, in some cases, computer scientists.

But, I'll admit that my first language was PHP, and code as recent as a year ago is horrible for me to read now, and some of it I'm sure was insecure. (I had to implement a pseudo-captcha on an old email form a few months ago once spam bots started getting to it.) But then I learned Java, and Python (I love the Zen), and C/C++, and now some Scheme, and when I do PHP now it's actually indented nice and is more secure. I recommend PHP and Python as first languages. PHP because you can instantly start doing things with it that are more interesting than 5 / 2 = 2, and thus the person might stick with it and learn a more serious mentality for programming. The 'just hack it' way of PHP is nice, but I think it's bad for beginners.

That is very true. Who can beat the site's documentation? I mean, you just type in php.net/function_name and you get the full function reference, usually in your native language.

I love the documentation. Plus the user comments really help a lot in many cases.
I love reading quotes.

trickster721
Posts: 282
Joined: Tue Nov 13, 2007 4:26 am UTC

Re: PHP

Postby trickster721 » Fri Nov 30, 2007 6:38 am UTC

Jach wrote:As for desktop applications, I'm kind of skeptical, even though I know about PHP-GTK.

Did something happen to your local Apache install? :)

Jach wrote:when I do PHP now it's actually indented nice

Unless you're building the output as an XML object, I don't believe you. It's just not possible.

phlip
Restorer of Worlds
Posts: 7557
Joined: Sat Sep 23, 2006 3:56 am UTC
Location: Australia

Re: PHP

Postby phlip » Fri Nov 30, 2007 7:49 am UTC

trickster721 wrote:
Jach wrote:when I do PHP now it's actually indented nice

Unless you're building the output as an XML object, I don't believe you. It's just not possible.

I'm guessing he means the PHP code, not the HTML output. Dynamically-generated HTML is never formatted nice... I think it'd be illegal or something.

Though, I'll generally sprinkle my generated HTML with newlines in appropriate places, when I remember... if only because it makes debugging the generated source (and W3C validation) easier.

enum ಠ_ಠ {°□°╰=1, °Д°╰, ಠ益ಠ╰};
void ┻━┻︵​╰(ಠ_ಠ ⚠) {exit((int)⚠);}
[he/him/his]

'; DROP DATABASE;--
Posts: 3284
Joined: Thu Nov 22, 2007 9:38 am UTC
Location: Midwest Alberta, where it's STILL snowy

Re: PHP

Postby '; DROP DATABASE;-- » Fri Nov 30, 2007 8:28 pm UTC

PHP is nice but there are some things that just irk me about it.

The function naming scheme. By the looks of it, it's "do whatever you want". Some functions are NamedLikeThis, others are namedlikethis or named_like_this or nlt and so on. It's such a pain.

Register globals. Who thought this was a good idea? Sure, you can turn it off, but you may not have that luxury if you're taking over someone else's work.

Not requiring variables to be declared. This is just asking for trouble. Make a typo and you may end up spending hours hunting it, because PHP will happily just create a new variable for you.

Simply put, it's a great language suffering from a severe lack of standardization and some dumb ideas.
poxic wrote:You suck. And simultaneously rock. I think you've invented a new state of being.

phlip
Restorer of Worlds
Posts: 7557
Joined: Sat Sep 23, 2006 3:56 am UTC
Location: Australia

Re: PHP

Postby phlip » Fri Nov 30, 2007 10:50 pm UTC

'; DROP DATABASE;-- wrote:Some functions are NamedLikeThis, others are namedlikethis

These two are actually the same... PHP isn't case-sensitive. Your other examples are valid though.

'; DROP DATABASE;-- wrote:PHP will happily just create a new variable for you.

If you turn on error reporting for E_NOTICE, then you'll get a warning when you try to read a non-existent variable, even if writing to a non-existent variable is still valid. That'll at least reduce the problems due to this design, even though it doesn't solve them altogether. I think that PHP should get something like Perl for this... an optional way of declaring variables, and something like "use strict 'vars';" to make it mandatory for a certain script.

enum ಠ_ಠ {°□°╰=1, °Д°╰, ಠ益ಠ╰};
void ┻━┻︵​╰(ಠ_ಠ ⚠) {exit((int)⚠);}
[he/him/his]

btilly
Posts: 1877
Joined: Tue Nov 06, 2007 7:08 pm UTC

Re: PHP

Postby btilly » Sat Dec 01, 2007 2:18 am UTC

Randal Schwartz said it best.
PHP is like training wheels without the bike.

Seriously, why in the world would you design a language with over 700 built-in functions, many of which are inconsistent with each other, and all of which are polluting the main namespace? Folks, if you're learning to design software systems, this is a pretty good example of how not to do it. So likewise is the proliferation of inconsistent database interfaces. Furthermore in 2007 should we still be ignoring everything that we've learned about how to separate content and presentation? PHP encourages it!

There are some things that PHP does well. The biggest is that PHP's hooks into the webserver are limited enough that a single Apache server can serve PHP for a lot of different websites with relatively minor worries. That is why cheap web hosting services offer PHP, but don't offer to integrate other languages.

But the best thing that I can say about PHP is that it sucks up incompetent monkeys that I didn't want to work with anyway. (Is that inflammatory enough?)
Some of us exist to find out what can and can't be done.

Others exist to hold the beer.

pieaholicx
The cake is a lie!
Posts: 531
Joined: Mon Oct 22, 2007 12:51 pm UTC

Re: PHP

Postby pieaholicx » Sat Dec 01, 2007 5:32 am UTC

btilly wrote:Furthermore in 2007 should we still be ignoring everything that we've learned about how to separate content and presentation? PHP encourages it!

Ah yes, that's why there are a ton of MVC frameworks out there for PHP, including one written by Zend, which heavily contributes to the PHP codebase. I don't think I've seen anything saying they encourage putting content and presentation together. Sure, it's possible, but anybody who is actually good with it will not.
It's okay, I'm Chaotic Neutral. I can kill him over the loot.
Overexposure to pieaholicx may, in semi-rare cases, emancipate dental fillings, crowns, tooth enamel, and teeth.

zenten
Posts: 3799
Joined: Fri Jun 22, 2007 7:42 am UTC
Location: Ottawa, Canada

Re: PHP

Postby zenten » Sat Dec 01, 2007 1:24 pm UTC

'; DROP DATABASE;-- wrote:Not requiring variables to be declared. This is just asking for trouble. Make a typo and you may end up spending hours hunting it, because PHP will happily just create a new variable for you.


Some people have moved beyond C in their languages, thank you.

trickster721
Posts: 282
Joined: Tue Nov 13, 2007 4:26 am UTC

Re: PHP

Postby trickster721 » Sun Dec 02, 2007 10:01 pm UTC

'; DROP DATABASE;-- wrote:Register globals. Who thought this was a good idea? Sure, you can turn it off, but you may not have that luxury if you're taking over someone else's work.

The accepted best practice in this situation is to hit them in the face with their keyboard. If you're working in a business environment, you may need to fill out a report for HR explaining that they used Register Globals before you're allowed to start hitting them.

btilly wrote:Seriously, why in the world would you design a language with over 700 built-in functions, many of which are inconsistent with each other, and all of which are polluting the main namespace?

You wouldn't. You would only do that if you were designing a server-side procedural scripting environment for HTTP responses.

btilly wrote:Furthermore in 2007 should we still be ignoring everything that we've learned about how to separate content and presentation? PHP encourages it!

You're talking about separating content and logic, which takes a lot more work, but PHP does have DOM building functions. We're making progress; have you looked at ColdFusion lately? There's still professional designers building logic in SGML syntax.

Tei
Posts: 63
Joined: Fri Nov 30, 2007 2:58 pm UTC

Re: PHP

Postby Tei » Mon Dec 03, 2007 8:28 am UTC

I program in PHP, and I think PHP is a maggoty piece of flesh.

- PHP4 more strong than PHP5, even after years. this is like people still programming in VB 4.0
- PEAR not flying. Is not by default in all PHP installations. It smells optional, and this is bad, because it must be installed system-wide or through a complicated process. PEAR has failed to get the gems, apt-get and Perl Repository success.
- PHP4 mysql library lets you write buggy code by default.

PEAR and PHP5 fixed some of the problems of PHP, but people don't upgrade, hostings don't upgrade, etc. Is a dead stinky world.

The only pro with PHP, is that is a tool to be productive creating complex and simple create websites. Is sad that can be so much better if people switch to PHP5, and some sane defaults permeated the community.

trickster721
Posts: 282
Joined: Tue Nov 13, 2007 4:26 am UTC

Re: PHP

Postby trickster721 » Mon Dec 03, 2007 8:48 am UTC

Tei wrote:PHP4 more strong than PHP5, even after years. this is like people still programming in VB 4.0

Version five isn't totally compatible with version four, especially in the higher level stuff. They're starting to clean up deprecated features, so naturally adoption is going to be slow. They were still adding to four for quite a while after five was released, and they're only just now stopping support for four at the end of the year. Your better class of hosting has had them installed side by side for a while now.

As to your other points... Are you using translation software, or something?

Tei
Posts: 63
Joined: Fri Nov 30, 2007 2:58 pm UTC

Re: PHP

Postby Tei » Mon Dec 03, 2007 12:47 pm UTC

trickster721 wrote:
Tei wrote:PHP4 more strong than PHP5, even after years. this is like people still programming in VB 4.0

Version five isn't totally compatible with version four, especially in the higher level stuff. They're starting to clean up deprecated features, so naturally adoption is going to be slow.


Do you think is slow, or is stopped?

I see a future with PHP6 on the street, and everybody and my dog stuck with 4.

pieaholicx
The cake is a lie!
Posts: 531
Joined: Mon Oct 22, 2007 12:51 pm UTC

Re: PHP

Postby pieaholicx » Mon Dec 03, 2007 12:59 pm UTC

Tei wrote:
trickster721 wrote:
Tei wrote:PHP4 more strong than PHP5, even after years. this is like people still programming in VB 4.0

Version five isn't totally compatible with version four, especially in the higher level stuff. They're starting to clean up deprecated features, so naturally adoption is going to be slow.


Do you think is slow, or is stopped?

I see a future with PHP6 on the street, and everybody and my dog stuck with 4.

Slowed, but not by much. Any half decent host would have both installed, and allow you to set up your applications to use either. Heck, even the budget $3 a month host I use has PHP4 and 5.
It's okay, I'm Chaotic Neutral. I can kill him over the loot.
Overexposure to pieaholicx may, in semi-rare cases, emancipate dental fillings, crowns, tooth enamel, and teeth.
