
WordPress on .NET - pchp
http://www.peachpie.io/2017/02/wordpress-announcement.html
======
egeozcan
This seems to be built on an open-source PHP->CLR compiler called Peachpie[1].
Interesting project. I don't have any PHP codebase that I still maintain but
looking forward to trying it with some scripts I've written back in the days.
I wonder if it would be faster than PHP 7 - which is already very fast (ok,
just found these:
[http://www.peachpie.io/benchmarks](http://www.peachpie.io/benchmarks) ).

[1]: [http://www.peachpie.io/](http://www.peachpie.io/)

[edit] If the author is looking, a few nitpicks from the website:

- A blank page is shown if the browser doesn't load 3rd party scripts by default

- After enabling them, the scroll wheel doesn't work

- Typo: "free completely to use" -> "completely free to use"

- "Run PHP apps on the most secure platform available, Microsoft .NET" -> I
also admire the platform but most secure? Comes off a bit too strong.

~~~
drzaiusapelord
>I also admire the platform but most secure? Comes off a bit too strong.

There aren't a lot of .NET exploits for a variety of reasons. It's pretty much
the Java of the MS world, so a lot of issues more liberal languages have, it
doesn't, especially in regards to buffer overflows. Its attack surface is also
pretty low as it only really inter-operates, by default, with a limited number
of MS applications and is frequently the most common setup, while PHP supports
anything and everything. Http.sys also seems like a more secure product than
openssl.

That said, it's also the minority platform so it benefits from a lack of effort
to target it. I also worry that the closed nature of the platform could lead
to someone(s) building up an army of zero days while the more open stuff gets
discovered and disclosed faster. I'm not sure how realistic that fear is.

At my job we're always scrambling with our FOSS architecture in regards to
emergency patching. The MS stuff is more or less 'do monthly patches and
forget.'

~~~
floatboth
> Http.sys also seems like a more secure product than openssl

How is a _goddamn HTTP parser in THE KERNEL_ more secure than a crypto/TLS
library?

http.sys is a fundamentally horrendous idea, see CVE-2015-1635
[https://technet.microsoft.com/library/security/MS15-034](https://technet.microsoft.com/library/security/MS15-034)
An exploited HTTP parser shouldn't lead to RCE "in the context of the System
account".

~~~
benaadams
The .NET Core example in the article uses the ASP.NET Core Kestrel server
which operates entirely in user mode.

~~~
floatboth
I know about Kestrel, I'm responding to that particular phrase in the comment
:)

------
algorithmsRcool
I've been following the peachpie project for a while. The effort they put in
is very impressive.

They chose to heavily modify the C#/VB compiler (Roslyn) to handle PHP
syntax. Microsoft should be investing time into helping them succeed, it would
be great to see the Roslyn compiler platform become more broadly used.

~~~
pchp
Microsoft is doing quite a bit of supporting, can't complain there :)

------
alistproducer2
I work at a large company and we are starting to branch out into other
languages. The problem is most of our infrastructure is in .NET. Something like
this would be really cool as it would allow us to utilize PHP while not asking
too much of infrastructure team. I might put in an OSS approval request for
this.

~~~
emodendroket
I think you might be the first case I've heard of someone wanting to go
from .NET to PHP.

~~~
blowski
Most of my work in the past few years has been migrating .NET projects to PHP
for enterprise clients. Especially with PHP 7, the performance is good, it's
easier to hire for, and the total cost of ownership is lower. The doomsayers
predicting poor security are wrong - it is just as possible to build a secure
PHP system as a secure .NET system, and just as easy to build an insecure one.

Of course, it depends on the project and the company, so this isn't a
universal truth. But there are definitely a lot of companies out there
spending a fortune on a .NET stack that are looking to move to a PHP open
source stack for good reasons.

~~~
lupin_sansei
Not sure that's true. Out of the box ASP.NET has request validation enabled by
default that screens out lots of opportunities for XSS
[https://www.owasp.org/index.php/ASP.NET_Request_Validation](https://www.owasp.org/index.php/ASP.NET_Request_Validation)
PHP doesn't have that for example.

~~~
girvo
> PHP doesn't have that for example.

Bare PHP, sure, but pick basically any framework that any modern PHP-based web
app is built on and then it does, no?

~~~
emodendroket
Symfony certainly offers it.

------
nbevans
Running PHP and indeed WordPress on the .NET CLR seems like a great way to
eliminate a whole tranche of bugs/vulnerabilities in one swoop. Respect.

~~~
tannhaeuser
How so? A PHP runtime running WP on .NET needs to be bug-for-bug compatible
with the real thing (and I've heard early PHP APIs aren't exactly a paragon of
API design).

Also, why would php-on-net be updated more often than one of the most used
runtimes on the web?

------
dyml
This is amazing and from the comments I've heard that Microsoft is around
supporting the development of this? Is there any MS material mentioning this
effort? I'm really impressed by your work

~~~
jakubmisek
There are links to MS blogs and livecasts at
[http://www.peachpie.io/resources](http://www.peachpie.io/resources) and of
course the YouTube channel
[https://www.youtube.com/channel/UC5Hh61n9HFyqYbU4iFkqy4A](https://www.youtube.com/channel/UC5Hh61n9HFyqYbU4iFkqy4A)

------
duke360
<3 this! any idea on when it will be production-ready?

~~~
hultner
What's the benefit over running a standard PHP-Interpreter?

Haven't used PHP or WordPress since 2010 so I might have missed something but
to me this looks more like a tech demo than something one would use in a
production environment.

~~~
amalag
I remember from the PHP on Java that there were huge performance benefits. So
large PHP hosts should see benefits.

~~~
mtgx
PHP 7 improved performance by around 3x compared to PHP5, so I wonder how true
that still is.

~~~
FraaJad
The benchmarks
[http://www.peachpie.io/benchmarks](http://www.peachpie.io/benchmarks) show
peachpie outperforming PHP7 easily by 100x.

~~~
blowski
On Azure, without Opcache enabled. That's not a very good comparison.

~~~
Lievelingsduif
While I do know that Azure is owned by Microsoft I'm not so sure on why it's
such a valid argument.

In the end it's not like they're actively trying to ruin languages other than
C# on their servers? Especially since that would ruin it for a lot of
customers?

~~~
blowski
I would guess that .NET is more optimised on Azure, whereas PHP is not. So
you're comparing an optimised installation of .NET against an unoptimised
installation of PHP. In general, a benchmark saying "compares various metrics"
is pretty meaningless.

~~~
Lievelingsduif
I know, but is there any proof of this? And how can we be sure that the .NET
environment is better optimised than the PHP environment? I would find it
weird for them to shoot themselves in the foot like that. Since if someone
were to make a decent blog post that showed proof they'd only have C# programs
on Azure...

This all being said they're pretty transparent with their benchmarks. They
supply all the code that they've used and are even comparing it to another
project which aims to do the same.

I guess I'm just a bit angry because people are just saying "It's unfair"
while they can easily do the tests themselves and then call someone out for
it.

~~~
blowski
It's less about being unfair, more about it lacking much value as a benchmark.

The context of the parent to which I originally replied was suggesting that
.NET was 100x faster than PHP 7. So I'm pointing out that claim is rather like
saying "I'm faster than Usain Bolt". You're right that I don't think the
original article was making such a claim.

------
pawadu
I don't care about performance, show me if security has improved!

(which in the case of Wordpress can't be that hard)

~~~
deckiedan
WordPress security is complex.

The core code is OK, security wise. Comparable to similar projects, I guess.

The two major issues are that typically PHP runs with permission to modify the
WordPress directory, which is useful for automatic upgrades, but means any
exploit in any plugin, theme, etc. instantly becomes, "can replace WordPress".

The other is that all themes and plugins are completely unsandboxed, and the
quality is extremely variable.

The permissions thing can be fixed, by running a very stripped down wp-php
user with only read access to the code, and only write access to wp-
contents/uploads (and a logging dir). Then you do automatic upgrades with wp-
cli and (real) cron from a user with write access.

The quality of plugins and themes is not easily fixed.

The API for writing plugins and themes doesn't help. It's archaic, spaghetti,
and doesn't have any kind of coherence. Global functions like wp_is_home(),
the_loop(), get_sitename(), etc.

I've come across themes which bundle joomla inside them as they're really
joomla themes with a shim.
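
As an added example (not deckiedan's code), here is a POSIX shell script that applies the layout described above: the PHP worker reads the code but cannot write it, only the uploads and a log directory are writable, and upgrades run from the owner's cron via wp-cli. The account names `wp-admin` and `wp-php`, the `logs/` directory, and the cron line are assumptions; `wp-content/uploads` is WordPress's standard upload directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Applies the split the comment
# describes: the php-fpm worker (group WP_GROUP) reads the code but may write
# only uploads and a log dir; the owner WP_OWNER writes code and runs wp-cli.
# WP_OWNER, WP_GROUP and logs/ are assumptions; wp-content/uploads is standard.
set -eu

WP_OWNER="${WP_OWNER:-wp-admin}"          # assumed account that runs wp-cli
WP_GROUP="${WP_GROUP:-wp-php}"            # assumed primary group of php-fpm user
WRITABLE_DIRS="wp-content/uploads logs"   # the only paths PHP may write to

# Step 1: the whole tree becomes owner-writable, group-readable, world-nothing.
lock_code_tree() {
    root="$1"
    find "$root" -type d -exec chmod 0750 {} +
    find "$root" -type f -exec chmod 0640 {} +
}

# Step 2: re-open just the writable directories. The setgid bit (2770) keeps
# files PHP creates in WP_GROUP, so the owner account can still read them.
open_writable_dirs() {
    root="$1"
    for rel in $WRITABLE_DIRS; do
        mkdir -p "$root/$rel"
        find "$root/$rel" -type d -exec chmod 2770 {} +
        find "$root/$rel" -type f -exec chmod 0660 {} +
    done
}

# Step 3: ownership. chown needs root and existing accounts, so it is skipped
# (with a warning) when run unprivileged, e.g. for a dry run on a scratch copy.
harden_wp_tree() {
    root="$1"
    lock_code_tree "$root"
    open_writable_dirs "$root"
    if [ "$(id -u)" -eq 0 ] && id "$WP_OWNER" >/dev/null 2>&1; then
        chown -R "$WP_OWNER:$WP_GROUP" "$root"
    else
        echo "harden_wp_tree: skipping chown (need root and user $WP_OWNER)" >&2
    fi
}

# Audit: list every path the worker's group could write outside the intended
# dirs. Empty output is the expected state; a hit is a plugin/theme/upgrade
# that has re-opened part of the code tree and deserves a look.
unexpected_writable() {
    root="$1"
    set -- "$root" -perm -g+w
    for rel in $WRITABLE_DIRS; do
        set -- "$@" ! -path "$root/$rel" ! -path "$root/$rel/*"
    done
    find "$@"
}

# Upgrades bypass the PHP worker entirely: WP_OWNER's crontab runs wp-cli, then
# re-applies the layout because files wp-cli writes follow its umask. Assumed
# crontab line (wp-cli at /usr/local/bin/wp, this script as harden-wp.sh):
#   15 3 * * * /usr/local/bin/wp --path=/var/www/wordpress core update --quiet && /usr/local/sbin/harden-wp.sh /var/www/wordpress
if [ "$#" -eq 1 ]; then
    harden_wp_tree "$1"
    unexpected_writable "$1"
fi
```

Run it against a copy first: the audit output after `harden_wp_tree` should be empty, and re-running the audit later shows what has drifted.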

~~~
stephenr
> OK, security wise

Since when is implementing your own home-grown shitty replacement for
parameterised queries "OK"?

~~~
debacle
Since you need to support versions of PHP that don't support the extensions
that have parameterized queries.

~~~
floatboth
Except… you don't?

> WordPress also works with PHP 5.2.4+ and MySQL 5.0+, but these versions have
> reached official End Of Life and as such may expose your site to security
> vulnerabilities

> PDO ships with PHP 5.1, and is available as a PECL extension for PHP 5.0

Unless you mean "hosts that disabled PDO"… I think they can safely be ignored.

~~~
debacle
PDO is disabled by default, and was even on default installs of 5.6 last I
checked.

~~~
stephenr
Most Linux/BSD distributions seem to separate out "core" PHP extensions (those
that are distributed with php source, not via PECL) into individual packages.

So while PDO may not be installed by a plain `apt-get install php5` or
similar, I doubt the now deprecated `mysql` extension is installed by
"default" in those scenarios either.

Edit: this approach also means that the PDO extension in php.ini _will_ be
commented, because it's loaded by a package specific ini file e.g.
/etc/php/7.0/fpm/conf.d/* which are generally symlinks to
/etc/php/7.0/mods-available/

~~~
floatboth
Yeah — 'mysql' wouldn't be installed either on FreeBSD if you just install
php. So typically hosting providers install all the extensions.

------
andy_ppp
This is very clever, what is the performance like compared to PHP?

~~~
sremani
From their benchmarks page (which looks remarkable)

[http://www.peachpie.io/benchmarks](http://www.peachpie.io/benchmarks)

~~~
arenaninja
Remarkable, but as bleeding-edge tech I think it's disingenuous to include
PHP5.6, which is now only on security support. I know many PHP sites run this
version and even older ones, but I think the audience for a project like this
are PHP7 developers.

That said, I was really impressed by the improvement on require performance.
The requests/sec also seem to have big gains.

I also wonder what security improvements others are expecting from this? Isn't
insecure code insecure regardless of language?

~~~
sremani
CLR imposes a lot of requirements for an assembly to run, that would definitely
improve security esp. when comparing it to an interpreted language.

~~~
arenaninja
Ah ok. In terms of security I don't tend to think of memory safety, etc.
especially since PHP processes die fast. I thought everyone was talking about
SQL injections and the like so I was very confused

Thanks for clarifying!

~~~
sremani
[https://www.cvedetails.com/vulnerability-list/vendor_id-74/p...](https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html)

Wow those are interesting.

SQL Injection is still an issue if there are string concats everywhere and
calling the DB, so that is something that can still happen.

------
CiPHPerCoder
Any chance we can get PHP's HashDoS vulnerability removed if we switch to
PeachPie?

PHP 7.2 will make libsodium a core extension, so if you use that, you can make
use of SipHash-2-4.

~~~
jakubmisek
Interesting question. Besides that ASP.NET limits request size, Peachpie uses
a .NET hash function that differs from that used in PHP. Am I close?

------
jesalg
Several years ago I used to run a WordPress blog on IIS 7 using FastCGI. The
performance wasn't great but acceptable for a small blog. Wonder how this
compares.

~~~
txdv
It is faster

------
jmcdiesel
Your developers were so preoccupied with whether or not they could, they
didn’t stop to think if they should.

~~~
jacquesm
That's an assumption on your part. What a terrible comment.

~~~
freehunter
He's quoting Jurassic Park. The idea is that the technology does something
that would normally be considered highly unusual or even ridiculous to
consider, like running a very complicated code base through a transpiler to
make it run on another tech stack. Generally speaking, this kind of comment
would be a compliment. Sort of along the lines of "wow, that's absolutely
crazy, you did something no one would have thought possible, good work".

It's a much more light-hearted comment than you seem to think it is.

~~~
jacquesm
I don't care what he's quoting and to see this as 'light-hearted' (without any
further elaboration on the part of the OP) is extrapolation.

FWIW the comment in the movie is _also_ a negative one.

> John Hammond: I don't think you're giving us our due credit. Our scientists
> have done things which nobody's ever done before...

> Dr. Ian Malcolm: Yeah, yeah, but your scientists were so preoccupied with
> whether or not they could that they didn't stop to think if they should.

> John Hammond: Condors. Condors are on the verge of extinction...

> Dr. Ian Malcolm: [shaking his head] No...

> John Hammond: If I was to create a flock of condors on this island, you
> wouldn't have anything to say.

> Dr. Ian Malcolm: No, hold on. This isn't some species that was obliterated
> by deforestation, or the building of a dam. Dinosaurs had their shot, and
> nature selected them for extinction.

> John Hammond: I simply don't understand this Luddite attitude, especially
> from a scientist. I mean, how can we stand in the light of discovery, and
> not act?

> Dr. Ian Malcolm: What's so great about discovery? It's a violent,
> penetrative act that scars what it explores. What you call discovery, I call
> the rape of the natural world.

~~~
jmcdiesel
You are far too serious a person.

I actually stand by the sentiment. Wordpress is a virus, and like jQuery, it
has negatively impacted the development scene of the language it lives in.
PHP, on the cusp of becoming a more respectable language (I freely admit my
love for PHP, to this day, even though I primarily work in Java and Python
now), was taken over by WP "developers" who flooded the market and sell
themselves as engineers when all they can do is copypasta a few wordpress
idioms.

I don't hate on wordpress itself, it's a fine, though early on troubled,
codebase. The predatory community it has created, the security issues it
continues to create, and the low barrier to entry that floods the market with
a ton of really bad code isn't something I would want to bring into another
language's world.

And here's where the light-hearted part comes in... I know that projects like
these would NEVER actually cause that kind of effect on their language because
nobody would take it seriously... but the analogy of what _COULD_ happen (you
know, fictional, like ridiculous unrealism of the base concept of the movie)
was apt.

I fail to understand why in a world so caught up in negativity and rigidness,
people choose to not allow themselves to enjoy or notice light-hearted humor,
and actively defend their stance against it, as if somehow eliminating light
hearted jest is a benefit to a world already buried in such negativity...

~~~
jacquesm
The person posting this went out of his way to try to do some good. Instead of
taking them down with cheap shots: What have you done to give the PHP world
(better?) options?

If everybody that railed on others' creations would instead spend the time to
provide better alternatives then we wouldn't be having this discussion. But
cheap shots are cheap and work is hard.

------
oblio
Well, considering the fact that PHP post v4 is trying to become Java, it made
sense that at some point it would be able to run on the JVM or its step-cousin
CLR.

By the way, does anyone know of a similar project where the JVM is targeted
instead?

~~~
0x0
Quercus was (is?) an attempt at doing PHP on the JVM, it's been many many
years since I last looked into it.
[http://quercus.caucho.com/](http://quercus.caucho.com/)

------
mattl
I can't file an issue on GitHub but the project is missing the license and the
WordPress standard copy seems to have been removed.

~~~
pchp
We disabled issues for now, but thanks for pointing this out. Just added the
license to the peachpie-wordpress repository.

------
skrowl
Cool idea. How is the performance vs PHP?

~~~
pchp
Check out Ben Adams' benchmarks at
[https://github.com/benaadams/PeachpieBenchmarks](https://github.com/benaadams/PeachpieBenchmarks)

------
jeresuikkila
But why?

------
WhitneyLand
This is a great way for Microsoft to show the potential of and build awareness
for .NET core, I hope they are helping these guys.

The nuget thing is inefficient, MS should plot a path to make npm a first
class citizen in all MS tools.

~~~
WhitneyLand
>NPM is already supported by default for quite some time in VisualStudio

I should have been more clear. I mean MS should work with Node/LAMP people to
invest in one package manager more than the other. Like they did with
TypeScript, they didn't just build a tool that linux people never used, they
made useful tooling and also spent a lot of time bringing Google and others
into the fold.

It makes sense to back npm because (guessing) it's used more than NuGet is
used by VS devs. However if NuGet has a stronger ecosystem, stronger user
base, etc., choose it.

Having competition is usually good, but sometimes it just means it's more work
to have to learn more/work more to get the same thing done (if you work across
environments). Take instant messaging protocols, lots of competition but not
even having cooperation has made the result terrible. Incompatibility
everywhere, reinventing the wheel, etc.

To be sure some things are better not unified. We have multiple, un-unified
browser engines and implementations which is critical. It improves
competition, innovation and quality while still allowing surface level
standardization in html/css/etc.

I try to look at each set of competing projects independently and ask: Overall
is this helping, or is it mostly just wasting time as clients are forced to
learn multiple techs?

------
yarrel
No.

------
pmlnr
PHP is about to face Embrace, extend and extinguish?

~~~
floatboth
Shared Apache+mod_php+MySQL hosting turns out to be impossible to extinguish…

~~~
tannhaeuser
Yes. I had hoped node.js would fill the role of a cheap generic hosting
platform with taste. But while it works well for me on VMs/cloud, managed
hosting for node.js is nowhere near PHP in terms of ubiquity.

