It used to be true, and was a valid criticism. It hasn't been true in so long, that claiming so says more about the claimer than the language.
If bashing others' work makes you feel cool, then you need to start checking the facts.
My complaint is the inconsistency in the function parameter orders of same categories and the fact it's one of the few languages that still require semicolons at end of lines. Former is pretty much unfixable though unless they introduce same features through new objects.
And the newly introduced typing is just too basic after you've gone through TypeScript but this can be improved.
Not saying that you are wrong here, but what insecure-by-default parts of the language have been changed since PHP 5?
I don't know that I'd call it insecure, necessarily. I'd call C an insecure language. I'm not an expert on all the various standard library functions that you aren't supposed to use anymore. Just make sure if you do SQL that you go through some interface that prepares your statements for you and never just shove user input into a SQL string you build yourself.
On the other hand, as people have already mentioned, there are some genuinely best-in-class libraries and frameworks written in/for PHP. Laravel and Symfony are extremely productive, pretty easy, full-featured, and polished.
It's my opinion that people who defend PHP as a language mostly fall into two camps:
2. They are conflating the language with the ecosystem. When you choose Laravel for a project, you're choosing a solid framework in spite of PHP-the-language. You're probably not really choosing PHP per se.
Like if(1 == "0.999") which iirc evaluates to true.
I mean, if you stick enough 9s, it'll probably become true, but that's true in most languages (ignoring the implicit type coercion, but if you don't want that, then use ===, same as JS).
But let me go ahead and address your points:
> You didn't give us any real use cases to agree with or refute, only your opinions.
There are tons of sources online for all of the inadequacies of PHP as a language. The "fractal of bad design" essay is the quintessential one and even though it was written about a decade ago, many of the things are still true.
Things such as `==` literally being incorrect, logically.
In one of my previous "anti-PHP" comments, I made a point that even a couple of seasoned PHP developers were surprised about where if you use the built-in `array` type as a dictionary and you try to use strings as keys, it will convert those strings to ints if they look like numbers. If you don't know your keys ahead of time (such as storing an association of file names in a directory to their size), you can have surprises when you try to use the array_* functions assuming that your keys are all strings. This behavior is totally insane, even for a dynamically typed language.
Or how about the fact that when you use `foreach`, it leaves an allocated reference to the last element in the collection you're iterating over? But, it's PHP- who cares about memory bugs?
I could go on forever. But- let me guess- "You can write bad code in any language", right? Or "all languages have warts"? PHP has more warts than anything else I've ever used. Period. It has so many warts that it has probably caused a ton of economic harm that could've been prevented.
> Lots of people and companies do very productive, very real, very "typed" and very effective applications and code in PHP.
You can write code in Brainfuck if you want. You can even write correct code if you work hard enough.
Like I said, PHP has some really strong libraries and frameworks. The language is garbage. If these companies didn't need a particular PHP library and just wrote it in PHP, anyway, I truly believe they would've had an even better, even cooler, even more profitable project if they'd chosen almost anything else.
> I am stunned that you are writing "because a lot of times your code will seem to run fine until it doesn't" as it wouldn't be such a widely used programming language if that was the case.
See my examples above. Everything looks great, and your tests even pass. Then all of a sudden somebody has a username of "123" and your site breaks. It happens.
> Your entire comments reeks of trolling.
Depends on your definition of trolling. At this point, I do get pleasure from pointing out PHP's flaws. But I never say anything that I believe to be untrue. And underneath any snarkiness, I genuinely want people to write better, more performant, and more correct software, and to have an easier time doing it. Many people haven't moved outside of "enterprise" programming languages, so they don't even realize how bad stuff like PHP is at converting business logic into code. Try doing a real project in Kotlin if you like static types. Try Clojure or Elixir if you like dynamic types.
If I come across as troll-y, it's because I'm kind of exasperated that people still think PHP isn't a bad language, and I can't decide if they're just trolling...
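The array-key behaviour described in the comment above (numeric-looking string keys stored as ints, and the "123" username case), as an added example that is not part of the thread. The usernames and the `profileUrl` helper are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input: usernames as they might arrive from a signup form.
$usernames = ['alice', '123', '0123', '-5', '1.5'];

// Use the built-in array as a dictionary keyed by username.
$roles = [];
foreach ($usernames as $name) {
    $roles[$name] = 'user';
}

// Keys that are canonical decimal integers ('123', '-5') are stored as int;
// '0123' and '1.5' stay strings.
foreach (array_keys($roles) as $key) {
    printf("%-8s %s\n", var_export($key, true), gettype($key));
}

// Hypothetical helper with a string-typed parameter, as in typical typed code.
function profileUrl(string $username): string
{
    return '/users/' . rawurlencode($username);
}

// Fragile: strict comparison against array_keys() does not find '123',
// because the stored key is the int 123.
$foundStrict = in_array('123', array_keys($roles), true);

// Fragile: under strict_types, passing the int key to profileUrl() throws.
try {
    foreach ($roles as $name => $role) {
        profileUrl($name);
    }
    $typeError = null;
} catch (TypeError $e) {
    $typeError = $e->getMessage();
}

// Safer: look keys up with array_key_exists(), which applies the same key
// normalisation, and cast keys back to string at the boundary.
$foundByKey = array_key_exists('123', $roles);
$urls = array_map(fn ($k) => profileUrl((string) $k), array_keys($roles));

var_dump($foundStrict, $typeError !== null, $foundByKey, $urls);
```

Where keys are attacker-influenced (usernames, file names, IDs from a request), treat anything read back from `array_keys()` or a `foreach` key as `int|string` and normalise it before comparing or passing it on.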
Outside of your average copy/paste Stack Overflow WordPress dev, most PHP programmers are very aware of its flaws, and would probably welcome the chance to move on.
However, the frustrating thing about the prevailing attitude is that it creates a stereotype that all PHP developers are incompetent, and this stops PHP devs moving on. I've been trying for the better part of a decade to move out of PHP as my main language. I have GitHub projects in various other languages, submitted patches to open source projects, but the above attitude means that outside of existing PHP shops, no one is interested in hiring me.
I've literally had one potential job tell me that they liked my Python code assignment, but they had a policy of not hiring PHP programmers. It was not an isolated incident.
Given those attitudes, are you surprised PHP devs bitterly defend the language?
For what it's worth, this stranger on the internet does not believe that a real PHP developer is somehow incompetent. When I said the language is horrible and you shouldn't use it or promote its use, it's not a personal attack on anyone.
But a PHP dev defending the language is definitely counterproductive to the goal of looking knowledgeable about programming.
The only positive thing I can say about the language is that it handles (non)nullable types better than Java. Java's nullable references might be the worst language design decision of all typed languages.
Sounds like you avoided a bad apple there, so silver lining and all that. If a company has a blanket ban policy based on what a programmer currently does for a living, sounds like a place where you wouldn't be able to grow and they just look at your previous experience without considering you as a person who can learn and grow. So lucky you :)
But there are (many) other things that PHP does that are surprising and actually incorrect. The fact that it took until about last year for json_decode to do the correct thing around null is evidence of the kind of minefield that PHP is. It's actually wrong. Like, not subjectively, or "that's your opinion, man" wrong- actually logically incorrect behavior.
If you believe that it's okay for a real, professional, programming language to not have actual List, Stack, Dictionary, Set constructs; and to not have threads or async; and a broken foreach, then you're on your own.
EDIT: Also, it's the same arguments from 2007 because PHP hasn't actually improved that much since then. Furthermore, way stronger languages have come on the scene since 2007, so some of those things are even less acceptable today than they were in 2007.
And you don't even mention the languages that you think are better at certain points?
I found Clojure and Elixir to both be well designed and ergonomic languages as well, but I'm really not a fan of dynamic typing.
I didn't dislike TypeScript when I used it a couple of years ago, either. Mostly I just found the whole frontend ecosystem very overwhelming, but that wasn't the language's fault.
Also, whatever to your passive aggressive remark that's supposed to imply that I don't get work done. That wasn't very nice.
Screwdrivers are really that bad, you can't even use them to pound a nail properly...
So, I think you have it backwards. Async is unnecessary in many places, but backend is the place where it's very important.
You can use one of many event loop implementations with PHP, including libuv, if you so wish.
But should we need to do this for a 25 year old backend language?
In my opinion, it has no valid use case that isn't done better by something else. The only thing I can think of is for shell scripting when your bash script is a little too long.
It's also been around for, what, 30 years, and still hasn't changed its broken fundamentals. And it isn't going to. It needs to be deprecated. It's run its course.
You get coroutines, threads, strong static typing, etc. Not the perfect type system, because it's still limited by the JVM, but much much better than Java, PHP, etc.
Also the PHP community has developed some of the nicest software I’ve used for creating web applications. I don’t use it anymore, but my years working with Symfony were very positive.
Overall I’d say it’s a good language and a great community. I don’t personally want to go back to writing PHP, but I wouldn’t complain if I needed to.
I think people remember how abysmal PHP was around 10 years ago. It was miserable.
SQLi has been made harder to pull off in the language itself too as all DB queries run through the PDO interface (for more than 10 years now, I think?).
Oh and let's not forget the magic quotes... been gone for a very long time but I still get nightmares about that "feature".
The problem used to be that PHP itself started as a templating language - you were supposed to mix HTML and PHP in one file. Easy to do and easy to make bugs. These days almost no one writes a large project without a decent framework.
I'd say both the language and the ecosystem of libraries/frameworks have matured a lot over the years but you still have to follow best practices just like any other language. I highly doubt other languages are more "secure" by default.
I maintain a large project (inherited) that has that; cannot say it's been that bad in my experience; it has been running for 20 years and used (internally and externally; it's a crm/erp/everything system) by 1000s daily; no significant bugs have been reported and adding/changing features is fast and painless. I sometimes wonder if that over-architected stuff we have been taught really is much better. For most things here I change one (or 2) file, test, deploy, done. For most other stuff I maintain, for every change I have to change 5-10 files all over the place (service layers, data layers, migrations etc) and the result is not really better (I would say actually worse generally). It's not really apples vs apples (for starters, it is only used by this company and its partners, while other systems are running publicly and have far more users and people trying to hack/break things) but this old system is causing me far fewer headaches than many others while it's far larger and more complex functionality wise.
Edit: many companies came in 'offering' a rewrite but yeah.. This costs nothing to host and barely anything to maintain (compared to the revenue of the company); all other solutions or rewrites would cost a lot to create/set up and then a lot to run/maintain as well. It's a good example of a company that would be insane to 'go cloud'. Not many benefits but a nice bite in the profit.
Unless you're on your own, how do designers touch the HTML without confronting some PHP code?
Also, you should be using a better templating engine and it's not possible to do so if you mix HTML.
Much faster without unnecessary processing that I never use, no weird rules on routing but it's all linked to file name, so it's easier to figure where to look and no ORM but plain SQL that is easier to optimize and know what's going on and it has multi site capability and they're all hosted under different sub domains to keep clear separations of what code is shared and what isn't and lastly logging is far better as they're grouped together by access and not just display logs of different accesses all mixed up which is useless.
If you know what you're doing, frameworks drag you around for no good reason. The only reason I'd use one is if a team wants common knowledge to develop it but otherwise I never want one.
And you mention "any application"? Why would any application not be built without using a framework? Unless you mean libraries that link to your app and not something you base your whole app on.
Why was all this time spent on PHP instead of doing anything else? I don't have a clue.
e.g. Would it be that it would be possible YOU might write a script with a security hole? Because if that is the case then the same could be said of bash-scripts, ruby on rails, and all the other languages out there.
Well, that's obviously true of any Turing-complete language. A language can still make it easy or hard to write software with security holes. And it is way too easy to write insecure software in PHP in my personal opinion.
So why would somebody immediately say "PHP is insecure"? Without any details it's pointless noise.
"PHP is insecure" is of course a bad argument to make without at least some explanation, but that doesn't automatically make PHP a good language to write (hopefully) secure software in.