
PHP

Posted: Wed Nov 14, 2007 12:52 pm UTC
by Hammer
Should it be allowed to exist or must it be scourged from the Intertubes?

Re: PHP

Posted: Wed Nov 14, 2007 3:54 pm UTC
by trickster721
What's not to like? It's easy and intuitive, flexible without being vague, has a recursive acronym, the online docs are very sexy, the alternatives are things like .NET and ColdFusion, and it's free.

Re: PHP

Posted: Wed Nov 14, 2007 6:33 pm UTC
by Pesto
trickster721 wrote:Doesn't anybody want to complain about types?

It's not strictly typed. Meh. Makes some things very easy, makes other things very messy.

Security?

That's the responsibility of the programmer. I don't know of anything inherently insecure about using PHP.

Register_globals?

A programmer can turn it on or off. Again, responsibility of the programmer.

Re: PHP

Posted: Wed Nov 14, 2007 6:41 pm UTC
by LDJosh
PHP programming has been my bread and butter for the last 3 years. I much prefer it to things like Perl or ASP for website design and development.
I can't imagine using anything else for mysql database driven web-apps.

Re: PHP

Posted: Wed Nov 14, 2007 6:48 pm UTC
by Dingbats
Isn't the main annoyance with PHP that script kiddies try to pretend they're cool by learning it as their first language, and coding really badly?

I'll admit I've been one of them...

Re: PHP

Posted: Wed Nov 14, 2007 7:52 pm UTC
by EvanED
Pesto wrote:
Security?

That's the responsibility of the programmer. I don't know of anything inherently insecure about using PHP.

Yes, but languages can encourage or discourage security. For instance, I would argue that C encourages unsafe uses of strings. Java enforces correct use.

I don't know enough about PHP to be able to state whether it makes egregious decisions one way or the other.

Re: PHP

Posted: Wed Nov 14, 2007 7:54 pm UTC
by Hammer
EvanED wrote:Yes, but languages can encourage or discourage security. For instance, I would argue that C encourages unsafe uses of strings. Java enforces correct use.

This would need its own Religious Wars thread. It has a long and time-honored tradition. Feel free to start it. :D

Re: PHP

Posted: Wed Nov 14, 2007 10:43 pm UTC
by Hammer
Client side scripting argument split off

Re: PHP

Posted: Thu Nov 15, 2007 12:35 am UTC
by davean
Pesto wrote:
Security?

That's the responsibility of the programmer. I don't know of anything inherently insecure about using PHP.


I don't know anything *current*, but PHP has a long, time-honored tradition of blindingly bad decisions leading to amazingly large inherent insecurities.

Re: PHP

Posted: Thu Nov 15, 2007 1:20 pm UTC
by pieaholicx
Dingbats wrote:Isn't the main annoyance with PHP that script kiddies try to pretend they're cool by learning it as their first language, and coding really badly?

I'll admit I've been one of them...

I could honestly see that as being a reason for an annoyance with it. Mostly since none of them try to learn the language either, they just copy and paste examples and hope it works. Then they either try to learn it and get better, or fall into this. I will admit that I did originally write sloppy PHP, and did learn it as my first "language", but I can say that beyond running an example to see if certain things work on my server I've never copied and pasted it.

Re: PHP

Posted: Thu Nov 15, 2007 3:30 pm UTC
by Pesto
EvanED wrote:Yes, but languages can encourage or discourage security. For instance, I would argue that C encourages unsafe uses of strings. Java enforces correct use.

I don't know enough about PHP to be able to state whether it makes egregious decisions one way or the other.

Are you talking about these types of things?

Wikipedia wrote:* PHP originally inserted data received over the network directly into the global namespace, leading to confusion between trusted and untrusted data, and unnecessary potential for security holes in PHP applications. This behavior was turned off by default from version 4.2.0 released in April 2002. However, this feature is still being used by some legacy applications

* PHP has traditionally used features such as "magic_quotes_gpc" and "magic_quotes_runtime" which attempt to escape apostrophes (') and quotes (") in strings in the assumption that they will be used in databases, to prevent SQL injection attacks. This leads to confusion over which data is escaped and which is not, and to problems when data is not in fact used as input to a database.

I'll agree that it was probably a bad decision to have these kinds of things turned on by default, but they're easily enough turned off.
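The two behaviours in the Wikipedia quote, reproduced side by side with the explicit pattern that replaces them. This is an added example, not code from the thread or from PHP itself. It assumes PHP 7 or later run from the CLI with the pdo_sqlite extension loaded; because register_globals and magic_quotes_gpc were removed in PHP 5.4, extract() and addslashes() stand in for what they did, and the request values in $_GET are constructed attacker input.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). extract() simulates register_globals,
// addslashes() simulates magic_quotes_gpc; both were removed in PHP 5.4.
// $_GET is filled by hand so this runs without a web server. The SQLite part
// assumes pdo_sqlite is available.

$_GET = ['is_admin' => '1', 'name' => "O'Brien"];   // constructed request

// (a) register_globals turned every request parameter into a variable before
//     the script ran. Code that only assigns on the success path fails open.
function legacy_is_admin(array $request, ?string $user): bool
{
    extract($request);            // simulates register_globals = On
                                  // (a ?user=root parameter would even overwrite $user)
    if ($user === 'root') {
        $is_admin = true;         // never assigned on the failure path
    }
    return !empty($is_admin);     // attacker's ?is_admin=1 is still set here
}

function safe_is_admin(?string $user): bool
{
    $is_admin = false;            // initialise first; request data never touches it
    if ($user === 'root') {
        $is_admin = true;
    }
    return $is_admin;
}

// (b) magic_quotes_gpc ran addslashes() over all GET/POST/COOKIE data on the
//     way in. That is the right escaping for a MySQL string literal only;
//     every other sink (HTML, file names, mail, logs) receives a stray
//     backslash, and code that escapes again double-escapes.
$legacy_name = addslashes($_GET['name']);
$legacy_html = htmlspecialchars($legacy_name, ENT_QUOTES, 'UTF-8');

// (c) Keep the raw value and encode at each sink instead.
$raw_name  = $_GET['name'];
$safe_html = htmlspecialchars($raw_name, ENT_QUOTES, 'UTF-8');

// For SQL, bind parameters (PDO, PHP >= 5.1): no escaping decision at all.
function find_user(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : (string) $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('O''Brien')");

var_dump(legacy_is_admin($_GET, 'guest'));   // fails open for a non-root user
var_dump(safe_is_admin('guest'));            // denied
echo $legacy_html, "\n";                     // backslash leaks into the page
echo $safe_html, "\n";                       // only the HTML encoding applied
var_dump(find_user($db, $raw_name));         // matched; the driver handles the quote
var_dump(find_user($db, "' OR 1=1 --"));     // bound as a literal string, no match
```

Run it with `php example.php`. The point of (c) is that the raw value survives untouched until a sink is chosen, and each sink applies its own encoding; magic_quotes picked one encoding for all sinks at the door, which is why the "which data is already escaped?" confusion the quote describes arose at all.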

Re: PHP

Posted: Fri Nov 16, 2007 9:56 am UTC
by SimonM
On the subject of PHP security there are several key problems.

Platform
We first have to consider the platform which we are dealing with. Not many people actually know that the backend of PHP has had many vulnerabilities; most of the main vulnerabilities come from the PHP software vendors (phpBB, Fusion etc.) and so we miss out on all the fun stuff which is going on in the back end. For more information on that I would recommend looking at some of the work of Stefan Esser and Hardened-PHP. However, I must concede that this is not the main problem with regards to PHP.

Low Barrier to Entry
Considering some of the other posts in this forum, people are complaining about how easy PHP is to pick up. This is both a blessing and a curse, but for security it is mainly a curse. For example, when people are taught about the superglobals, which include the input from the user, very few programmers will initially understand where the data is coming from. They think that cookies can only be set by the server, and GET and POST variables come from their predefined forms.

Not only does the low barrier to entry provide people with the opportunity to not bother dealing with programming properly it also means that in general they do not understand how to set PHP up securely, which is why defaulting to register_globals off is a good thing.

Inherently Insecure?
I think that PHP is no less secure than any other environment, and when dealt with properly, it can be more secure than some. However, the sheer usage does not make this possible. And therein lies the problem.

More ideas coming in after school
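SimonM's point about the superglobals, as an added example that is not part of the thread: $_COOKIE is attacker-controlled just like $_GET and $_POST, so a role stored in a cookie and read back is a forgery waiting to happen. The alternative shown is a tamper-evident cookie (an HMAC over the payload, compared in constant time); the key, user name and timestamps are constructed for the demonstration, and the cookie layout is supplied here for illustration, not a PHP built-in or a project convention.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Shows a role cookie that is simply
// believed, beside one whose payload is bound to a server-side secret with
// hash_hmac() and checked with hash_equals() (both standard PHP, 5.6+).
// COOKIE_KEY is a placeholder; a real one is random_bytes(32) kept outside
// the web root.

const COOKIE_KEY = 'placeholder-replace-with-random_bytes(32)';

function legacy_role(array $cookie): string
{
    // Vulnerable: whatever the browser sends is believed.
    return $cookie['role'] ?? 'guest';
}

function issue_role_cookie(string $user, string $role, int $expires): string
{
    $payload = base64_encode(json_encode(['u' => $user, 'r' => $role, 'e' => $expires]));
    $mac     = hash_hmac('sha256', $payload, COOKIE_KEY);
    return $payload . '.' . $mac;          // base64 never contains '.', so it is a safe separator
}

function verify_role_cookie(?string $value, int $now): string
{
    if ($value === null || substr_count($value, '.') !== 1) {
        return 'guest';                     // absent or malformed
    }
    [$payload, $mac] = explode('.', $value, 2);
    $expected = hash_hmac('sha256', $payload, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {    // constant-time compare
        return 'guest';                     // forged or edited payload
    }
    $json = base64_decode($payload, true);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || !isset($data['r'], $data['e']) || (int) $data['e'] < $now) {
        return 'guest';                     // malformed or expired
    }
    return (string) $data['r'];
}

$now   = 1700000000;                                       // constructed clock
$legit = issue_role_cookie('alice', 'editor', $now + 3600);

// Attacker edits the role inside the payload and keeps the old MAC.
[$p, $m] = explode('.', $legit, 2);
$forged  = base64_encode(str_replace('"editor"', '"admin"', base64_decode($p, true))) . '.' . $m;

echo legacy_role(['role' => 'admin']), "\n";         // believed as sent
echo verify_role_cookie($legit, $now), "\n";         // the issued role
echo verify_role_cookie($forged, $now), "\n";        // MAC mismatch, back to guest
echo verify_role_cookie($legit, $now + 7200), "\n";  // expired, back to guest
```

When the cookie is actually set, setcookie() should be called with the HttpOnly and Secure flags so the browser neither exposes it to script nor sends it over plain HTTP; signing protects integrity, not confidentiality, so nothing secret belongs in the payload. A server-side session that holds the role and sends only an opaque identifier avoids the signing step entirely.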

Re: PHP

Posted: Wed Nov 28, 2007 12:59 pm UTC
by Olivaise
Post deleted by user.

Re: PHP

Posted: Wed Nov 28, 2007 1:04 pm UTC
by HappySmileMan
Dingbats wrote:Isn't the main annoyance with PHP that script kiddies try to pretend they're cool by learning it as their first language, and coding really badly?

I'll admit I've been one of them...


Same, but you can't blame that on the language. I don't have a problem with PHP, but the cool PHP h4x0rs really bring down its reputation. In fairness, it does have some very good documentation and examples around, so it's not really a surprise that they always learn it first.

Re: PHP

Posted: Wed Nov 28, 2007 1:08 pm UTC
by pieaholicx
HappySmileMan wrote:in fairness it does have some veryu good documentation

That is very true. Who can beat the site's documentation? I mean, you just type in php.net/function_name and you get the full function reference, usually in your native language.

Re: PHP

Posted: Thu Nov 29, 2007 10:41 am UTC
by Jach
I've honestly been confused why PHP gets so much beef from people, though this topic helps. I believe that register_globals will be gone for good in PHP 6 (and I think but am not certain that they're turned off by default in PHP 5). For a web developing language, it's awesome. As for desktop applications, I'm kind of skeptical, even though I know about PHP-GTK. I know its OOP had some heat not too long ago, and I agree that PHP <= 4 sucked at it, but 5 actually feels like real OOP now.

With security, I think a lot of people just copy and paste code from the internet that doesn't properly take into account security (probably no regexes either). I think that if you want to learn PHP and MySQL, you ought to at least get a book on the subject (my favorites have been by Larry Ullman). Get some code that actually does if checks and has an escape_data() function to sanitize input. I've heard people say PHP is insecure, but I don't think a language so widely used can be inherently insecure; it's the programmer's fault. And as has been said, the wide use is a security problem, though, because so many people learn a few function commands and instantly think themselves professional web developers or, in some cases, computer scientists.

But, I'll admit that my first language was PHP, and code as recent as a year ago is horrible for me to read now, and some of it I'm sure was insecure. (I had to implement a pseudo-captcha on an old email form a few months ago once spam bots started getting to it.) But then I learned Java, and Python (I love the Zen), and C/C++, and now some Scheme, and when I do PHP now it's actually indented nice and is more secure. I recommend PHP and Python as first languages. PHP because you can instantly start doing things with it that are more interesting than 5 / 2 = 2, and thus the person might stick with it and learn a more serious mentality for programming. The 'just hack it' way of PHP is nice, but I think it's bad for beginners.

pieaholicx wrote:That is very true. Who can beat the site's documentation? I mean, you just type in php.net/function_name and you get the full function reference, usually in your native language.

I love the documentation. Plus the user comments really help a lot in many cases.

Re: PHP

Posted: Fri Nov 30, 2007 6:38 am UTC
by trickster721
Jach wrote:As for desktop applications, I'm kind of skeptical, even though I know about PHP-GTK.

Did something happen to your local Apache install? :)

Jach wrote:when I do PHP now it's actually indented nice

Unless you're building the output as an XML object, I don't believe you. It's just not possible.

Re: PHP

Posted: Fri Nov 30, 2007 7:49 am UTC
by phlip
trickster721 wrote:
Jach wrote:when I do PHP now it's actually indented nice

Unless you're building the output as an XML object, I don't believe you. It's just not possible.

I'm guessing he means the PHP code, not the HTML output. Dynamically-generated HTML is never formatted nice... I think it'd be illegal or something.

Though, I'll generally sprinkle my generated HTML with newlines in appropriate places, when I remember... if only because it makes debugging the generated source (and W3C validation) easier.

Re: PHP

Posted: Fri Nov 30, 2007 8:28 pm UTC
by '; DROP DATABASE;--
PHP is nice but there are some things that just irk me about it.

The function naming scheme. By the looks of it, it's "do whatever you want". Some functions are NamedLikeThis, others are namedlikethis or named_like_this or nlt and so on. It's such a pain.

Register globals. Who thought this was a good idea? Sure, you can turn it off, but you may not have that luxury if you're taking over someone else's work.

Not requiring variables to be declared. This is just asking for trouble. Make a typo and you may end up spending hours hunting it, because PHP will happily just create a new variable for you.

Simply put, it's a great language suffering from a severe lack of standardization and some dumb ideas.

Re: PHP

Posted: Fri Nov 30, 2007 10:50 pm UTC
by phlip
'; DROP DATABASE;-- wrote:Some functions are NamedLikeThis, others are namedlikethis

These two are actually the same... PHP isn't case-sensitive. Your other examples are valid though.

'; DROP DATABASE;-- wrote:PHP will happily just create a new variable for you.

If you turn on error reporting for E_NOTICE, then you'll get a warning when you try to read a non-existent variable, even if writing to a non-existent variable is still valid. That'll at least reduce the problems due to this design, even though it doesn't solve them altogether. I think that PHP should get something like Perl for this... an optional way of declaring variables, and something like "use strict 'vars';" to make it mandatory for a certain script.
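phlip's E_NOTICE suggestion taken one step further, as an added example that is not part of the thread: with full error reporting and a handler that converts the notice into an exception, a misspelled variable in an access check throws instead of silently reading as null. The function and variable names are constructed for the demonstration; on PHP 8 the undefined-variable diagnostic is an E_WARNING rather than an E_NOTICE, which the handler catches just the same.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Reading an undefined variable yields
// null with a notice (PHP 5/7) or a warning (PHP 8). In a negated check that
// means "not banned", so the typo fails open. Turning the diagnostic into an
// exception makes it fail closed and points at the exact line.

error_reporting(E_ALL);
set_error_handler(
    function (int $severity, string $message, string $file, int $line): bool {
        throw new ErrorException($message, 0, $severity, $file, $line);
    },
    E_ALL
);

function may_post(bool $banned): bool
{
    $is_banned = $banned;
    // Typo: $is_baned was never assigned. Without the handler it reads as
    // null, !null is true, and a banned user is allowed to post.
    return !$is_baned;
}

try {
    var_dump(may_post(true));
} catch (ErrorException $e) {
    echo 'refused: ', $e->getMessage(), ' at line ', $e->getLine(), "\n";
}
```

In production the exception should be logged and turned into a generic error page rather than echoed; the value of the handler is that the typo is found in the first test run instead of after a bypass is reported.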

Re: PHP

Posted: Sat Dec 01, 2007 2:18 am UTC
by btilly
Randal Schwartz said it best.
PHP is like training wheels without the bike.

Seriously, why in the world would you design a language with over 700 built-in functions, many of which are inconsistent with each other, and all of which are polluting the main namespace? Folks, if you're learning to design software systems, this is a pretty good example of how not to do it. So likewise is the proliferation of inconsistent database interfaces. Furthermore in 2007 should we still be ignoring everything that we've learned about how to separate content and presentation? PHP encourages it!

There are some things that PHP does well. The biggest is that PHP's hooks into the webserver are limited enough that a single Apache server can serve PHP for a lot of different websites with relatively minor worries. That is why cheap web hosting services offer PHP, but don't offer to integrate other languages.

But the best thing that I can say about PHP is that it sucks up incompetent monkeys that I didn't want to work with anyway. (Is that inflammatory enough?)

Re: PHP

Posted: Sat Dec 01, 2007 5:32 am UTC
by pieaholicx
btilly wrote:Furthermore in 2007 should we still be ignoring everything that we've learned about how to separate content and presentation? PHP encourages it!

Ah yes, that's why there are a ton of MVC frameworks out there for PHP, including one written by Zend, which heavily contributes to the PHP codebase. I don't think I've seen anything saying they encourage putting content and presentation together. Sure, it's possible, but anybody who is actually good with it will not.

Re: PHP

Posted: Sat Dec 01, 2007 1:24 pm UTC
by zenten
'; DROP DATABASE;-- wrote:Not requiring variables to be declared. This is just asking for trouble. Make a typo and you may end up spending hours hunting it, because PHP will happily just create a new variable for you.


Some people have moved beyond C in their languages, thank you.

Re: PHP

Posted: Sun Dec 02, 2007 10:01 pm UTC
by trickster721
'; DROP DATABASE;-- wrote:Register globals. Who thought this was a good idea? Sure, you can turn it off, but you may not have that luxury if you're taking over someone else's work.

The accepted best practice in this situation is to hit them in the face with their keyboard. If you're working in a business environment, you may need to fill out a report for HR explaining that they used Register Globals before you're allowed to start hitting them.
btilly wrote:Seriously, why in the world would you design a language with over 700 built-in functions, many of which are inconsistent with each other, and all of which are polluting the main namespace?

You wouldn't. You would only do that if you were designing a server-side procedural scripting environment for HTTP responses.
btilly wrote:Furthermore in 2007 should we still be ignoring everything that we've learned about how to separate content and presentation? PHP encourages it!
You're talking about separating content and logic, which takes a lot more work, but PHP does have DOM building functions. We're making progress; have you looked at ColdFusion lately? There's still professional designers building logic in SGML syntax.

Re: PHP

Posted: Mon Dec 03, 2007 8:28 am UTC
by Tei
I program in PHP, and I think PHP is a maggoty piece of flesh.

- PHP4 is stronger than PHP5, even after years. This is like people still programming in VB 4.0.
- PEAR is not flying. It is not in all PHP installations by default. It smells optional, and this is bad, because it must be installed system-wide or through a complicated process. PEAR has failed to get the success of gems, apt-get and the Perl repository.
- The PHP4 mysql library lets you write buggy code by default.

PEAR and PHP5 fixed some of the problems of PHP, but people don't upgrade, hostings don't upgrade, etc. It is a dead, stinky world.

The only pro with PHP is that it is a tool to be productive creating complex and simple websites. It is sad that it could be so much better if people switched to PHP5 and some sane defaults permeated the community.

Re: PHP

Posted: Mon Dec 03, 2007 8:48 am UTC
by trickster721
Tei wrote:PHP4 is stronger than PHP5, even after years. This is like people still programming in VB 4.0.

Version five isn't totally compatible with version four, especially in the higher-level stuff. They're starting to clean up deprecated features, so naturally adoption is going to be slow. They were still adding to four for quite a while after five was released, and they're only just now stopping support for four at the end of the year. Your better class of hosting has had them installed side by side for a while now.

As to your other points... Are you using translation software, or something?

Re: PHP

Posted: Mon Dec 03, 2007 12:47 pm UTC
by Tei
trickster721 wrote:
Tei wrote:PHP4 is stronger than PHP5, even after years. This is like people still programming in VB 4.0.

Version five isn't totally compatible with version four, especially in the higher-level stuff. They're starting to clean up deprecated features, so naturally adoption is going to be slow.


Do you think it is slow, or stopped?

I see a future with PHP6 on the street, and everybody and my dog stuck with 4.

Re: PHP

Posted: Mon Dec 03, 2007 12:59 pm UTC
by pieaholicx
Tei wrote:
trickster721 wrote:
Tei wrote:PHP4 is stronger than PHP5, even after years. This is like people still programming in VB 4.0.

Version five isn't totally compatible with version four, especially in the higher-level stuff. They're starting to clean up deprecated features, so naturally adoption is going to be slow.


Do you think it is slow, or stopped?

I see a future with PHP6 on the street, and everybody and my dog stuck with 4.

Slowed, but not by much. Any half-decent host would have both installed, and allow you to set up your applications to use either. Heck, even the budget $3 a month host I use has PHP4 and 5.