

Recki-CT – A compiler for PHP, written in PHP - armenb
https://github.com/google/recki-ct

======
steakejjs
This looks awesome. PHP doesn't get a lot of love but it is really improving a
lot and obviously still dominates the web... Glad the Turkish bug is finally
done with.

Would be really nice to see security augmentations to the language. The vast
majority (maybe 9/10) of sites I look at where no framework was used have no
CSRF tokens, very poor XSS protections, and RCEs are pretty common too. I
think this would really improve the language.

~~~
krapp
I find it odd that a language whose entire purpose is mixing code in with html
doesn't come with the ability to automatically escape any echoed string by
default. If you're not using something like Twig you have to wrap each
variable in htmlspecialchars or something.

The argument that 'PHP is a framework' may be valid, but as a framework, raw
PHP kind of sucks.

~~~
goykasi
PHP is simply a scripting language. It has numerous other uses besides just
"mixing code in with html"; it wouldn't make sense to have something like
enabled by default. For example, all console scripts would need to disable it.

~~~
krapp
Yes, it's a general purpose language and can be used for many different
things, but as its name once indicated, PHP's primary use case is
_preprocessing hypertext_. I think it would make sense since that's what
almost all the PHP in the wild is involved with. Although I'm sure escaping
could also be disabled by default when running from the command line.

------
devNoise
Does anyone have an idea for some of Recki-CT's use cases? I get that compiled
PHP will be faster. This seems useful for PHP scripts you would run from the
command line. Using the resulting binary as a CGI with Apache would incur the
fork/exec cost that the PHP module avoided.

~~~
maxerickson
Some explanation here:

[http://blog.ircmaxell.com/2014/08/introducing-recki-ct.html](http://blog.ircmaxell.com/2014/08/introducing-recki-ct.html)

(it's vaguely redundant with the readme, but there is some additional stuff)

------
dang
A dupe of
[https://news.ycombinator.com/item?id=8244014](https://news.ycombinator.com/item?id=8244014).

------
mappu
>This means that global variables, dynamic variables (variable-variables,
>variable function calls, etc) and references are not allowed.

Globals, sure, bad practice. Ideally we wouldn't have any. Dynamic variables
make sense to exclude, it turns static analysis into the halting problem.
Luckily they're a bad practice too since 5.3 introduced closures.

But _references_?

__EDIT__: It's by Anthony Ferrara! and some other pretty big names in the
PHP community

