
PHP 6: Pissing in the Wind - tomschlick
http://philsturgeon.co.uk/blog/2013/01/php-6-pissing-in-the-wind
======
nowarninglabel
While I agree with the overall point, I don't think the "I don't know C"
hand-waving is very useful (both from the author and various commenters). If you
want something done, then one should not be afraid to dive in and learn some C
to figure it out. I don't know a lot of C though I learned on it, but I knew
enough to open up the PHP source code and figure out what was going on with a
multibyte encoding issue to file an accepted bug report and a follow-up
feature request. Why don't I do that for parameter ordering in functions?
Because, like the author stipulated, I'm not one of the people who cares
enough to want to. But, those who _do_ care enough to want it should stop
making excuses for themselves about not knowing C and go learn it. Move on
from there to writing documentation for the Zend stuff if it sucks in the
places you want it to shine.

~~~
smsm42
It's a recurring theme - "we need to rewrite PHP and I know exactly how to do
it and PHP maintainers are idiots for not doing it years ago. Oh, btw, I don't
know C and have no idea what PHP internals look like, but how hard could it
be?" Happens all the time.

~~~
stesch
The people who are good programmers and know C well enough aren't the ones who
stick with PHP. They moved on.

PHP is from newbies for newbies.

~~~
smsm42
You would not claim this bullshit if you had any idea who is actually
maintaining and using PHP. Unfortunately, somehow it seems fashionable to make
broad statements about PHP without bothering to find out a single bit of
information.

~~~
stesch
You don't remember the code examples on Zend Technologies' own website?
Teaching PHP with really embarrassing security holes.

Or Rasmus Lerdorf who releases software that doesn't run all unit tests?

~~~
Svip
Read the source code to MediaWiki some time. You can say a lot about
MediaWiki, Wikipedia and PHP, but at least MediaWiki is PHP done right (if
such a thing is possible).

------
0x0
I don't get why a string object would be so concerned about UTF encoding.
What's the difference between a "UTF-8 string" and a "UTF-16 string"? The
encoding only matters as you serialize the string to a set of bytes. Very
confusing article.

~~~
pestaa
Most PHP developers I've worked with had no idea of different encodings,
serializations, etc. They just wanted to echo $_GET['input'] and be done with
it.

~~~
0x0
Hello, XSS :)

~~~
meaty
Welcome to PHP. This is the norm.

I worked at an outfit that hired some utter fuckwits who had been recommended
by some more fuckwits for something and they did it in PHP and put it on
budget shared hosting.

A week later: SQL injection, CSS, CSRF attacks and someone who had cracked the
server was injecting malicious js in the page header.

That day was the day that management finally listened to my doomsaying about
security...

~~~
smsm42
And we all know such vulnerabilities never happen to respectable frameworks
written by real programmers using real languages (read: not PHP), only to
people that lack basic clues and are utter fuckwits... oh wait,
[https://www.pcworld.com/article/251259/user_hacks_github_to_...](https://www.pcworld.com/article/251259/user_hacks_github_to_showcase_vulnerability_after_rails_developers_dismiss_his_report.html)
[https://groups.google.com/forum/?fromgroups=#!topic/rubyonra...](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/dUaiOOGWL1k)

~~~
codewright
I wouldn't really let Rails slide here or call them an exemplar in the subject
at hand. They were lazy and paid dearly for it.

A better example would be Django, most server-side Java frameworks, Ruby
frameworks like Sinatra and Padrino, most Erlang code I've seen is solid,
Haskell users generally know better, etc.

~~~
smsm42
You mean neither of those ever had or will have security issues, because only
stupid incompetent developers ever have those? That was pretty much the point
of the parent comment.

Meanwhile on planet Earth every popular software package has had some issues.
That's natural, security is hard and requires constant vigilance, and people
are bound to err or overlook something from time to time.

------
mokash
Website is down but I really like the error page.

<http://i.imgur.com/f20igSW.png>

~~~
grakic
Persistent connection pools are not popular in the PHP world :)

~~~
toast0
The error is that there are too many connections, not that it took too long to
establish them. MySQL is generally pretty quick about establishing connections
(although you can have issues w/ reverse DNS taking forever; it's best to turn
that off and do access control by ips).

Ideally, a blog can be cached to static html (regen pages when owner adds an
entry and if comments are self hosted, regen when a comment is
added/approved). Even so, it looks like there are too many php processes
running compared to mysql connections allowed; lowering the php processes will
probably lead to better throughput than ramping up mysql connections.

~~~
0x0
Also, last I checked, at least Debian ships with an Apache max-workers setting
greater than the MySQL max-connections setting out of the box, pretty much
guaranteeing errors like these even on a single virtualhost under load.

------
pestaa
I can't tell you how much I'd love to see smarter scalars in PHP, but then for a
business what's the difference between upgrading to PHP 6 or upgrading to,
say, Python?

~~~
kodablah
The PHP world is mired in legacy codebases. I have seen many code bases that
are on very old, unsupported PHP versions. Although PHP strives to maintain
backwards compatibility, it doesn't always work. And many of the backwards
incompatible changes are only apparent at runtime and are incredibly difficult
to discover due to the dynamism of the language and the abuses that are present
in most legacy PHP code.

~~~
jiggy2011
especially nasty is magic_quotes, switch your old website to a new webhost
(or have your existing one upgrade their PHP installation) and you get instant
SQLi vulnerabilities.

~~~
smsm42
If you relied on magic_quotes for security, you deserve it.

~~~
jiggy2011
In my defence, it wasn't my code but I was hosting it. Getting 3 angry "why
does my website have porn all over it" calls in one day isn't fun.

------
tomschlick
Mirror of the article as Phil has been having some trouble on his AWS RDS box
dealing with the traffic.
[https://gist.github.com/raw/4645323/2e581d48609effb553dd9ce0...](https://gist.github.com/raw/4645323/2e581d48609effb553dd9ce0fa2d0bba72cb81fd/gistfile1.txt)

------
Osiris
I didn't realize that the Property Accessors Syntax RFC was voted down, 34
(yea) to 20 (nay). I'm curious to know why people objected to it. Magic
methods are a horrible way to do get/set and writing separate
getProperty/setProperty methods is pretty annoying also.

~~~
meaty
Seriously - just find another language. The people upstairs are crack smokers.

------
fatalerrorx3
The HN effect is enough to take down even the mightiest of servers lol, avoid
shared hosting if you plan to make the front page, I'm curious what the
article reads like but I can't get to it...the suspense is killing me

~~~
fatalerrorx3
Although it looks like the DNS is pointing to AWS...how did it go down?

~~~
jtreminio
> @philsturgeon: When you click Terminate instead of Reboot bad things happen.

~~~
fatalerrorx3
So if you terminate an instance on AWS you automatically lose your data? How
does that work? I've never used AWS, I usually self host or use 1and1 VPS

~~~
sandfox
depends, TL;DR, local disk drives (Ephemeral) do not persist anything that
wasn't part of the base image if you power down the machine (doesn't include
restarts - data is persisted in this situation). network based drives (EBS)
persist all their data across machine shutdown.

Slightly longer version - When you stop an AWS instance, the instance is torn
down completely and all local state/data (Ephemeral) on the hypervisor is
lost. When you then start the instance again a new hypervisor with spare
capacity is found and then booted with your chosen base disk image. Restarts
do not cause your instance to be torn down so you don't lose local state / data.
If your instance uses network drives (EBS) then these drives keep state when
your server is torn down, and are re-attached when the server is started back
up again.

~~~
makomk
If you click Terminate, I believe Amazon deletes the default EBS drive
generated when you started the instance as well as any instance storage.

~~~
sandfox
Yeah, if you terminate rather than stop the instance then everything that was
created as part of the instance will be destroyed by default although you can
choose to not kill attached EBS drives. Any EBS drives that were attached
after instance creation will be left untouched by default after instance
termination.

------
jiggy2011
I can't view that article because it's down, but I assume this is some sort of
"PHP internals suck" rant.

I'm surprised there isn't something like JPHP yet to run PHP on the JVM.

~~~
mgkimsal
there are a few options:

quercus and ibm's ... ack - what was it called? they had a 'freeware' CMS that
included their own implementation of PHP in Java.

I think there's another too, but there's quite a lot of oddities and
assumptions that make PHP-based code not play well in the JVM.

~~~
lsmith77
ibm thingi was called "project zero" btw i hear facebook is also looking to
move to the jvm to ease some troubles with their hiphop approach

------
ch0wn
Doesn't seem to be cached by Google, yet. Does someone have a copy?

------
smsm42
Now it's 404.

------
eksith
S̶l̶a̶s̶h̶d̶o̶t̶Hacker News: News for nerds

