PHP 8.0.0 Alpha 1 available for testing (php.net)
49 points by dglass 3 months ago | 51 comments



Is php really that bad? People keep telling me it's insecure by default.


It's insecure by default, in the same way that Windows is a 32 bit shell over a 16 bit DOS core, and doesn't have real memory protection.

It used to be true, and was a valid criticism. It hasn't been true in so long, that claiming so says more about the claimer than the language.


The analogy is a false one. PHP was never re-written from scratch in a way that Windows was (with NT). Most of PHP’s pitfalls are still there, and only now are they being slowly removed one by one.


Funny: when people complain that PHP is bad, I don't tend to find any specific reference.

If bashing others' work makes you feel cool, then you need to start checking the facts.

My complaint is the inconsistency in the function parameter orders within the same categories, and the fact that it's one of the few languages that still require semicolons at the end of lines. The former is pretty much unfixable, though, unless they introduce the same features through new objects.

And the newly introduced typing is just too basic after you've gone through TypeScript but this can be improved.


Analogies are by their nature imperfect. The analogy here is that <item> is being criticised in ways that are no longer true, where <item> in the case of PHP is specifically "insecure by default", regardless of its many other flaws. Seems fair to me.


> It used to be true, and was a valid criticism. It hasn't been true in so long, that claiming so says more about the claimer than the language.

Not saying that you are wrong here, but what insecure-by-default parts of the language have been changed since PHP 5?


Principally, the Register Globals feature that turned every POST & GET entry into a variable was removed entirely in PHP 5.4 (1st of March, 2012), and the old MySQL API was removed in PHP 7.0 (3rd of December, 2015).
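What the register_globals removal mentioned above actually closed off, as an added example (this is not code from the thread, from php.net or from the PHP project). The request array is constructed; `extract()` over request data is used here only because it reproduces the old `register_globals=On` behaviour on any current PHP version.

```php
<?php
declare(strict_types=1);
// Added example. With register_globals=On (removed in PHP 5.4) every
// query-string key became a global variable, so a request such as
//   /admin.php?user=alice&is_admin=1
// could pre-set a variable the script only meant to assign after a check.
// extract() over request data recreates exactly that pitfall today.

// Constructed sample request: the attacker appended is_admin=1.
$sampleGet = ['user' => 'alice', 'is_admin' => '1'];

function legacyStyle(array $get): bool
{
    // Equivalent of register_globals=On (or of calling extract($_GET)):
    // defines $user and $is_admin from untrusted input.
    extract($get);
    // The author intends "false unless set by a privilege check", but the
    // client already supplied the variable, so this default never applies.
    if (!isset($is_admin)) {
        $is_admin = false;
    }
    return (bool) $is_admin;              // true for the sample request
}

function modernStyle(array $get, array $adminUsers): bool
{
    // Read only the keys you expect; the client never names a variable.
    $user = isset($get['user']) && is_string($get['user']) ? $get['user'] : '';
    // Privilege comes from server-side data, not from a request parameter.
    return in_array($user, $adminUsers, true);
}

var_dump(legacyStyle($sampleGet));              // bool(true)  -- bypass
var_dump(modernStyle($sampleGet, ['root']));    // bool(false)
```

The check a reviewer still wants on a modern code base is therefore not "is register_globals off" (it cannot be on since 5.4) but "does anything call `extract()` or `parse_str()` with one argument on `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE`", because each of those reintroduces the same variable-injection hole.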


PHP as a language really is that bad. It's probably the worst popular language right now as far as how difficult it is to write correct code. Especially because a lot of times your code will seem to run fine until it doesn't. It's also got a tacked on type system that is not robust or expressive at all, so your typing is worse than pre-generics Java. Only JavaScript rivals it. It has no async/multi-threading either, so probably JavaScript is less-bad.

I don't know that I'd call it insecure, necessarily. I'd call C an insecure language. I'm not an expert on all the various standard library functions that you aren't supposed to use anymore. Just make sure if you do SQL that you go through some interface that prepares your statements for you and never just shove user input into a SQL string you build yourself.

On the other hand, as people have already mentioned, there are some genuinely best-in-class libraries and frameworks written in/for PHP. Laravel and Symfony are extremely productive, pretty easy, full-featured, and polished.

It's my opinion that people who defend PHP as a language mostly fall into two camps:

1. They've never (significantly) used languages that are much better. Maybe they've only done PHP, JavaScript, Java, and C; and think that all languages are pretty bad.

2. They are conflating the language with the ecosystem. When you choose Laravel for a project, you're choosing a solid framework in spite of PHP-the-language. You're probably not really choosing PHP per se.


This is just FUD. You didn't give us any real use cases to agree with or refute, only your opinions. Lots of people and companies do very productive, very real, very "typed" and very effective applications and code in PHP. I am stunned that you are writing "because a lot of times your code will seem to run fine until it doesn't", as it wouldn't be such a widely used programming language if that was the case. Your entire comment reeks of trolling.


I liked developing in php. But, the language itself is horrible. It COULD have been good, though.

Like if(1 == "0.999") which iirc evaluates to true.


This is untrue: https://3v4l.org/PLcj1

I mean, if you stick enough 9s, it'll probably become true, but that's true in most languages (ignoring the implicit type coercion, but if you don't want that, then use ===, same as JS).


Which part of that offends you? The string conversion or the floating point math? Because floating point math is evil in almost all languages, because they all follow IEEE and because some numbers can't be represented in binary.


Not the string conversion or the rounding, it's both of them combined that makes me unsecure my revolver. That's a joke... Seriously, I look back at my PHP years with mostly great joy. Even though the language is terrible I hardly ever noticed it when practising it.
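The `==` behaviour argued over in this sub-thread, as an added example (not code from the thread, from php.net or from the PHP project). Results are as observed on PHP 7; the one case that PHP 8.0's "saner string to number comparisons" change alters is marked. The two "stored"/"supplied" token strings are constructed to look like hex digests and are not real hash outputs.

```php
<?php
declare(strict_types=1);
// Added example: why "==" is the wrong tool for untrusted strings.
// strict_types only affects parameter/return coercion, not "==".

function looseComparisons(): array
{
    return [
        '1 == "0.999"'       => 1 == "0.999",       // false: numeric string, 0.999 != 1
        '"1e3" == "1000"'    => "1e3" == "1000",    // true: both numeric, compared as numbers
        '"0e123" == "0e456"' => "0e123" == "0e456", // true: both parse as 0.0 ("magic hash")
        '0 == "admin"'       => 0 == "admin",       // true on PHP 7, false on PHP 8
        '"1" === 1'          => "1" === 1,          // false: strict, no coercion
    ];
}

// Constructed token pair: both are "0e" followed only by digits, so PHP
// treats each as the float 0.0 and "==" calls them equal.
$stored   = "0e462097431906509019562988736854";
$supplied = "0e830400451993494058024219903391";

function tokenMatchesLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;          // true: reset-token bypass
}

function tokenMatchesSafe(string $stored, string $supplied): bool
{
    // hash_equals() compares byte-wise without numeric coercion and in
    // time independent of where the strings differ. "===" would also stop
    // the coercion but is not a constant-time comparison.
    return hash_equals($stored, $supplied); // false
}

var_dump(looseComparisons());
var_dump(tokenMatchesLoose($stored, $supplied));  // bool(true)
var_dump(tokenMatchesSafe($stored, $supplied));   // bool(false)
```

The practical rule that follows: compare secrets (tokens, digests, HMACs) with `hash_equals()`, compare everything else with `===`, and treat a bare `==` against request data as a finding in review. PHP 8 removes the `0 == "admin"` case but leaves the two-numeric-strings case (`"0e123" == "0e456"`) exactly as it was.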


Do hashes in PHP still break if one of their keys starts with a number?


This[1] works fine in every version of PHP since at least v4.3.0 (released in 2002). Do you have a concrete example of this supposed breakage?

[1]: https://3v4l.org/DWDLn


I think the parent was referring to this: http://phpsadness.com/sad/47


It seems so, my memory must be from using an older version.


Well, I thought it was a given that this is my opinion.

But let me go ahead and address your points:

> You didn't give us any real use cases to agree with or refute, only your opinions.

There are tons of sources online for all of the inadequacies of PHP as a language. The "fractal of bad design" essay is the quintessential one and even though it was written about a decade ago, many of the things are still true.

Things such as `==` literally being incorrect, logically.

In one of my previous "anti-PHP" comments, I made a point that even a couple of seasoned PHP developers were surprised about where if you use the built-in `array` type as a dictionary and you try to use strings as keys, it will convert those strings to ints if they look like numbers. If you don't know your keys ahead of time (such as storing an association of file names in a directory to their size), you can have surprises when you try to use the array_* functions assuming that your keys are all strings. This behavior is totally insane, even for a dynamically typed language.

Or how about the fact that when you use `foreach`, it leaves an allocated reference to the last element in the collection you're iterating over? But, it's PHP- who cares about memory bugs?

I could go on forever. But- let me guess- "You can write bad code in any language", right? Or "all languages have warts"? PHP has more warts than anything else I've ever used. Period. It has so many warts that it has probably caused a ton of economic harm that could've been prevented.

> Lots of people and companies do very productive, very real, very "typed" and very effective applications and code in PHP.

You can write code in Brainfuck if you want. You can even write correct code if you work hard enough.

Like I said, PHP has some really strong libraries and frameworks. The language is garbage. If these companies didn't need a particular PHP library and just wrote it in PHP, anyway, I truly believe they would've had an even better, even cooler, even more profitable project if they'd chosen almost anything else.

> I am stunned that you are writing "because a lot of times your code will seem to run fine until it doesn't" as it wouldn't be such a widely used programming language if that was the case.

See my examples above. Everything looks great, and your tests even pass. Then all of a sudden somebody has a username of "123" and your site breaks. It happens.

I honestly can't explain why it's such a widely used programming language, other than pure inertia and people not wanting to learn anything else. JavaScript at least has the excuse that it's really the only option in the frontend.

> Your entire comments reeks of trolling.

Depends on your definition of trolling. At this point, I do get pleasure from pointing out PHP's flaws. But I never say anything that I believe to be untrue. And underneath any snarkiness, I genuinely want people to write better, more performant, and more correct software, and to have an easier time doing it. Many people haven't moved outside of "enterprise" programming languages, so they don't even realize how bad stuff like PHP is at converting business logic into code. Try doing a real project in Kotlin if you like static types. Try Clojure or Elixir if you like dynamic types.

If I come across as troll-y, it's because I'm kind of exasperated that people still think PHP isn't a bad language, and I can't decide if they're just trolling...
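The two behaviours the comment above describes (integer-like string keys and the lingering `foreach` reference), reproduced as an added example that is not code from the thread or from the PHP project. The "directory listing" is constructed; the arrow function needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);
// Added example: array key coercion and the foreach-by-reference leftover.

// 1. Canonical-integer strings become int keys; other strings stay strings.
function fileSizes(): array
{
    // Constructed listing: file name => size in bytes.
    $sizes = [];
    $sizes["123"]    = 10;  // stored under int key 123
    $sizes["README"] = 20;  // string key
    $sizes["0123"]   = 30;  // leading zero: not canonical, stays a string
    $sizes["1.5"]    = 40;  // not an integer literal, stays a string
    return $sizes;
}

function keyTypes(array $a): array
{
    return array_map(fn($k) => gettype($k), array_keys($a));
    // ["integer", "string", "string", "string"]
}

// array_merge() renumbers integer keys from 0, so the "123" and "456"
// names are silently replaced by positions.
function mergedWithArrayMerge(): array
{
    return array_keys(array_merge(fileSizes(), ["456" => 50]));
    // [0, "README", "0123", "1.5", 1]
}

// The union operator keeps keys as they are (ints included), which is
// what you want when the keys are names rather than positions.
function mergedWithUnion(): array
{
    return array_keys(fileSizes() + ["456" => 50]);
    // [123, "README", "0123", "1.5", 456]
}

// 2. foreach by reference leaves $v bound to the last element; a later
//    by-value loop then writes every element through that reference.
function foreachByReference(): array
{
    $arr = [1, 2, 3];
    foreach ($arr as &$v) {
        $v *= 2;                 // [2, 4, 6]; $v still refers to $arr[2]
    }
    foreach ($arr as $v) {       // assigns each value into $arr[2]
    }
    return $arr;                 // [2, 4, 4], not [2, 4, 6]
}

function foreachByReferenceFixed(): array
{
    $arr = [1, 2, 3];
    foreach ($arr as &$v) {
        $v *= 2;
    }
    unset($v);                   // break the reference before reusing $v
    foreach ($arr as $v) {
    }
    return $arr;                 // [2, 4, 6]
}

var_dump(keyTypes(fileSizes()));
var_dump(mergedWithArrayMerge());
var_dump(mergedWithUnion());
var_dump(foreachByReference());
var_dump(foreachByReferenceFixed());
```

The username-"123" failure mode in the comment is the `array_merge()` case: any code that merges name-keyed arrays, or that does `is_string($key)` on the result of `array_keys()`, behaves differently for that one user. Prefixing keys (`"u:" . $name`) or using `+` instead of `array_merge()` avoids it.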


> Many people haven't moved outside of "enterprise" programming languages, so they don't even realize how bad stuff like PHP is at converting business logic into code. Try doing a real project in Kotlin if you like static types. Try Clojure or Elixir if you like dynamic types.

Outside of your average copy/paste Stack Overflow WordPress dev, most PHP programmers are very aware of its flaws, and would probably welcome the chance to move on.

However, the frustrating thing about the prevailing attitude is that it creates a stereotype that all PHP developers are incompetent, and this stops PHP devs moving on. I've been trying for the better part of a decade to move out of PHP as my main language. I have GitHub projects in various other languages and have submitted patches to open source projects, but the above attitude means that outside of existing PHP shops, no one is interested in hiring me.

I've literally had one potential job tell me that they liked my python code assignment, but they had a policy of not hiring PHP programmers. It was not an isolated incident.

Given those attitudes, are you surprised PHP devs bitterly defend the language?


Hey, I'm sorry. That's awful and wildly unfair.

For what it's worth, this stranger on the internet does not believe that a real PHP developer is somehow incompetent. When I said the language is horrible and you shouldn't use it or promote its use, it's not a personal attack on anyone.

Most of the devs (PHP or otherwise) I've ever met have only used a subset of the 5-6 most common languages: PHP, Java/C#, JavaScript, C, Python, C++. This includes very smart, very talented developers. So that has little to do with it. But if you haven't gotten to try Swift, Rust, Go, Elixir, Clojure, OCaml, etc, you just can't realize how bad PHP and Java are.

But a PHP dev defending the language is definitely counter productive to the goal of looking knowledgeable about programming.

The only positive thing I can say about the language is that it handles (non)nullable types better than Java. Java's nullable references might be the worst language design decision of all typed languages.


> but they had a policy of not hiring PHP programmers

Sounds like you avoided a bad apple there, so silver lining and all that. If a company has a blanket ban policy based on what a programmer currently does for a living, sounds like a place where you wouldn't be able to grow and they just look at your previous experience without considering you as a person who can learn and grow. So lucky you :)


And here I was thinking you might have something of merit, but it turns out it's still the old 2007 arguments about === and array functions. I can see our definitions about what we spend our time on differ, as I could barely bring myself to reply to these tired FUD arguments that you and all of your predecessors have argued are fatal flaws of the language. Apparently, it's some sort of quest for you to get people off PHP. GLWT, but I will not be seeking your input on PHP flaws in the future as it's always the same on HN, reddit, etc. Some of us have moved on.


Some of the things people complain about are genuinely silly and not important like the names of functions or the order of their parameters. Even complaints about == vs === are often a result of misunderstandings around object identity and equality.

But there are (many) other things that PHP does that are surprising and actually incorrect. The fact that it took until about last year for json_decode to do the correct thing around null is evidence of the kind of minefield that PHP is. It's actually wrong. Like, not subjectively, or "that's your opinion, man" wrong- actually logically incorrect behavior.

If you believe that it's okay for a real, professional, programming language to not have actual List, Stack, Dictionary, Set constructs; and to not have threads or async; and a broken foreach, then you're on your own.

EDIT: Also, it's the same arguments from 2007 because PHP hasn't actually improved that much since then. Furthermore, way stronger languages have come on the scene since 2007, so some of those things are even less acceptable today than they were in 2007.


> 1. They've never (significantly) used languages that are much better. Maybe they've only done PHP, JavaScript, Java, and C; and think that all languages are pretty bad.

And you don't even mention the languages that you think are better at certain points?

I've mainly used perl, PHP and JavaScript (TypeScript) but I never blame the languages but just struggle to get the thing done while I'd imagine those people who keep complaining about languages (Is it so hard to learn a few best practices for a language?) barely get things done.


I didn't want to be accused of shilling or something. I really like Rust, Kotlin, and Swift right now. But I'd never try to use Swift outside of writing iOS or macOS apps, right now. I'm very excited about Scala 3 as well. I've never used Haskell on a real project, but I'd love to try it out "for real".

I found Clojure and Elixir to both be well designed and ergonomic languages as well, but I'm really not a fan of dynamic typing.

I didn't dislike TypeScript when I used it a couple of years ago, either. Mostly I just found the whole frontend ecosystem very overwhelming, but that wasn't the language's fault.

Also, whatever to your passive aggressive remark that's supposed to imply that I don't get work done. That wasn't very nice.


"It has no async/multi-threading either, so probably JavaScript is less-bad."

Screwdrivers are really that bad, you can't even use them to pound a nail properly...


What? PHP is a language primarily for backend web server code. Having async is huge for performance on the backend, which is mostly IO bound, rather than CPU bound.

So, I think you have it backwards. Async is unnecessary in many places, but backend is the place where it's very important.


JavaScript's async features are made possible because of its event loop (Node.js is essentially V8 + libuv).

You can use one of many event loop implementations with PHP, including libuv, if you so wish.


Sure. But JavaScript has Promise built in to the language these days. With PHP you'd have to use a third party extension, like swoole, if you want something like that. Or write your own, of course.

But should we need to do this for a 25 year old backend language?


PHP started as a scripting language and had/has many other issues and fundamentals that had/has to get right first. Don't blame PHP or Javascript for things they were not initially built and meant for, when there are other languages out there that can do what you need and have a more solid and tested foundation.


So what is PHP for, then? Everyone seems to be using it for backend web projects.

In my opinion, it has no valid use case that isn't done better by something else. The only thing I can think of is for shell scripting when your bash script is a little too long.

It's also been around for, what, 30 years, and still hasn't changed its broken fundamentals. And it isn't going to. It needs to be deprecated. It's run its course.


And your recommendations are?


For backend? Kotlin. Hands down. All the benefits of the mature Java ecosystem, but with a language that is vastly superior to Java, itself.

You get coroutines, threads, strong static typing, etc. Not the perfect type system, because it's still limited by the JVM, but much much better than Java, PHP, etc.


I don’t love the design of the language, but it’s far from bad as a whole. It’s easy to critique, but hard to rival how easy it is to get things done with it.

Also the php community has developed some of the nicest software I’ve used for creating web applications. I don’t use it anymore, but my years working with Symfony were very positive.

Overall I’d say it’s a good language and a great community. I don’t personally want to go back to writing php, but I wouldn’t complain if I needed to.

I think people remember how abysmal php was around 10 years ago. It was miserable.


If you use any modern framework you're mostly covered. SQLi gets handled by ORM and XSS by the templating system which should be "secure" by default.

SQLi has been made harder to pull off in the language itself too, as all DB queries run through the PDO interface (for more than 10 years now, I think?).

Oh and let's not forget the magic quotes... been gone for a very long time but I still get nightmares about that "feature".

The problem used to be that PHP itself started as a templating language - you were supposed to mix HTML and PHP in one file. Easy to do and easy to make bugs. These days almost no one writes a large project without a decent framework.

I'd say both the language and the ecosystem of libraries/frameworks have matured a lot over the years but you still have to follow best practices just like any other language. I highly doubt other languages are more "secure" by default.
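The two defaults this comment relies on (prepared statements through PDO, and output escaping of the kind a template engine applies), next to the removed `mysql_query()` style of query building that an earlier comment notes went away in PHP 7.0. This is an added example, not code from the thread, from php.net or from any framework; the table, rows and attacker input are constructed, and it uses the SQLite PDO driver in memory so it runs without a database server.

```php
<?php
declare(strict_types=1);
// Added example: SQL injection (concatenation vs bound parameters) and
// HTML/JS output escaping.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On the MySQL driver also set ATTR_EMULATE_PREPARES to false so the
// server, not the client library, does the parameter binding.
$pdo->exec("CREATE TABLE users (name TEXT, secret TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 's3cr3t'), ('bob', 'hunter2')");

// Constructed attacker input: closes the string literal, adds a tautology.
$input = "' OR '1'='1";

// The pattern the removed mysql_query() API encouraged: the value becomes
// part of the SQL text, so the quote in $input rewrites the query.
function lookupConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    // ['alice', 'bob'] for $input
}

// PDO prepared statement: the value travels as a bound parameter and is
// never parsed as SQL, so the same input simply matches no row.
function lookupPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
    // [] for $input
}

// The escaping a template engine applies by default (Twig autoescape,
// Blade's {{ }}): ENT_QUOTES so the value is safe inside attributes,
// ENT_SUBSTITUTE so invalid UTF-8 is replaced rather than passed through.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// For a value embedded in an inline <script>, HTML escaping is the wrong
// context; JSON-encode with the HEX flags so <, >, &, ', " cannot close
// the script block or the string literal.
function eJs($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

var_dump(lookupConcat($pdo, $input));
var_dump(lookupPrepared($pdo, $input));
echo e('<script>alert(1)</script>'), "\n";   // &lt;script&gt;alert(1)&lt;/script&gt;
echo e('" onmouseover="x'), "\n";             // &quot; onmouseover=&quot;x
echo eJs('</script><script>alert(1)'), "\n";  // "\u003C\/script\u003E\u003Cscript\u003Ealert(1)"
```

Two caveats that follow from the code rather than from the comment: PDO only helps where the placeholder is used, so a `prepare()` call whose SQL string still concatenates a table name, column name or `ORDER BY` expression is as injectable as the old API; and `htmlspecialchars()` is correct for HTML body and attribute context only, which is why engines such as Twig expose separate `js`, `url` and `css` escaping strategies.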


> you were supposed to mix HTML and PHP in one file. Easy to do and easy to make bugs.

I maintain a large project (inherited) that has that; cannot say it's been that bad in my experience. It has been running for 20 years and is used (internally and externally; it's a crm/erp/everything system) by 1000s daily; no significant bugs have been reported and adding/changing features is fast and painless. I sometimes wonder if that over-architected stuff we have been taught really is much better. For most things here I change one (or 2) files, test, deploy, done. For most other stuff I maintain, for every change I have to change 5-10 files all over the place (service layers, data layers, migrations etc) and the result is not really better (I would say actually worse generally). It's not really apples vs apples (for starters, it is only used by this company and its partners, while other systems are running publicly and have far more users and people trying to hack/break things) but this old system is causing me far less headaches than many others while it's far larger and more complex functionality wise.

Edit: many companies came in 'offering' a rewrite but yeah.. This costs nothing to host and barely anything to maintain (compared to the revenue of the company) ; all other solutions or rewrites would cost a lot to create/set up and then a lot to run/maintain as well. It's a good example of a company that would be insane to 'go cloud'. Not many benefits but a nice bite in the profit.


I don't think there's a good argument to justify mixing PHP and HTML...

Unless you're on your own, how do designers touch the HTML without confronting some PHP code?

Also, you should be using a better templating engine and it's not possible to do so if you mix HTML.


I never used PHP so correct me if I'm missing something here, but "you need to use a framework to build good applications in PHP" (which kinda implies that it is hard/impossible otherwise) doesn't sound like an argument in favor of the language.


I am not a PHP fan. However, in what language does one not use a framework to build applications?


I never use one. I have my own scaffolding code that does better than anything else for my use.

Much faster without unnecessary processing that I never use; no weird rules on routing, but it's all linked to file name, so it's easier to figure out where to look; no ORM but plain SQL that is easier to optimize and know what's going on; it has multi-site capability, and they're all hosted under different subdomains to keep clear separations of what code is shared and what isn't; and lastly logging is far better as they're grouped together by access and not just display logs of different accesses all mixed up, which is useless.

If you know what you're doing, frameworks drag you around for no good reason. The only reason I'd use one is if a team wants common knowledge to develop it but otherwise I never want one.

And you mention "any application"? Why would any application not be built without using a framework? Unless you mean libraries that link to your app and not something you base your whole app on.


I would grant that point if PHP's main focus weren't web applications. One would expect the language to bring everything you'd need to build a web application. (again: maybe that's just my perception of PHP but I don't think there are many other kinds of application, PHP is used for)


Many. Clojure/Script applications tend to favor your own composition of libraries rather than a full-fledged framework. Golang is (or at least used to be) the same as well.


You're spot on. PHP is really bad, but zillions of hours have gone into tools around and on top of the language such that it's actually not that bad to develop in anymore.

Why was all this time spent on PHP instead of doing anything else? I don't have a clue.


That makes me wonder: why do you spend so many hours badmouthing PHP in multiple threads on here? Why isn't that time spent on something else?


Being on Hacker News is leisure time. If you work on making PHP suck less purely for leisure, I reserve no judgement. If you are a Laravel author, my question stands.


The answer is the same reason you build anything: there was a need for it, especially in the early 2010's for the language.


The next time somebody tells you that ask for details. What is insecure about it?

e.g. Would it be that it would be possible YOU might write a script with a security hole? Because if that is the case then the same could be said of bash-scripts, ruby on rails, and all the other languages out there.


> e.g. Would it be that it would be possible YOU might write a script with a security hole? Because if that is the case then the same could be said of bash-scripts, ruby on rails, and all the other languages out there.

Well, that's obviously true of any Turing complete language. A language can still make it easy or hard to write software with security holes. And it is way too easy to write insecure software in PHP in my personal opinion.


That was my point really, users can write security issues in any language.

So why would somebody immediately say "PHP is insecure"? Without any details it's pointless noise.


> So why would somebody immediately say "PHP is insecure"? Without any details it's pointless noise.

"PHP is insecure" is of course a bad argument to make without at least some explanation, but that doesn't automatically make PHP a good language to write (hopefully) secure software in.


When are you going to make some examples of how insecure PHP is?

