Hacker Newsnew | comments | show | ask | jobs | submit login

There's a regular stream of "defending PHP" posts but they all seem to miss the point.

No one bashes PHP because it can't do these things, or that it isn't easy. People bash PHP because there are objectively better languages and platforms out there and objectively bad decisions made by those guiding the PHP language.

If you want to defend PHP in any meaningful way then you can't just list things that can be done easily in almost every semi-modern web ecosystem, but actually compare it to the other alternatives and identify when it's the right choice. It's harder but it leads to a blog post that might actually benefit readers.




The problem is that people go too far with the bashing- People tend to just sneer at anything PHP-related, and don't acknowledge that great work is being done every day in PHP. An app written in PHP by a 8/10 programmer is going to be better than an app written in (sexy other language) by a 7/10 programmer.

-----


> An app written in PHP by a 8/10 programmer is going to be better than an app written in (sexy other language) by a 7/10 programmer.

Depends entirely on your metric. It's far too easy to introduce subtle bugs, especially security oriented ones, in PHP. If I had a dollar for every XSS, remote file inclusion, CSRF, arbitrary file read, etc vulnerability I found in a "good" PHP app, I'd be a very wealthy man. Some things are mitigated by using a good framework, but in most cases people get them horribly, horribly wrong.

-----


None of the things you listed have anything to do with PHP, they can happen in any language.

-----


Oh, absolutely! Except that they're more prevalent in PHP applications than anything else. It's simply way, way too easy to do the wrong thing. If you want to introduce XSS into, say, a Rails app, it's significantly more difficult; generally, you have to explicitly throw something back as 'raw'. Sure, some PHP frameworks handle it the same way, but it's rare to see this in the real world.

While testing apps, PHP immediately throws up red flags -- it's simply not likely to be done right. It can be, but it's very rare.

-----


I'd like to think that the apparent security weaknesses in many PHP applications could be attributed to the fact that PHP was already around back when web security practices were more primitive.

Thus, in your career you tend see more PHP apps that were badly-implemented.

-----


Agreed. The older a PHP application is, the more likely it is to have incredibly serious security vulnerabilities. But I've looked at and broken plenty of vulnerable applications that were written within the past couple years.

-----


Rails is a framework. PHP is a language. If you use a framework with PHP, it's just as easy to avoid XSS. Likewise, if you use vanilla Ruby without any framework...

-----


daeken is arguing, based on quite a bit of experience, that PHP applications (even those written with frameworks) tend to have more security vulnerabilities than Rails apps. I happen to agree with him.

One very illustrative example: arbitrary code execution. I've lost count of the number of arbitrary code execution vulnerabilities I've found in PHP applications. In contrast, I recall very vividly the last arbitrary code execution vulnerability I found in a Python application: I uploaded a PHP script to the server, which was also running mod_php. ;-)

The problem here is simple: most web servers that run PHP are configured with a rule that says "If a file ends in .php, execute it as PHP." This is useful for new users: it allows them to run and execute separate PHP scripts very easily. But it's also a potential security vulnerability if an attacker can upload a PHP file to your server.

If you're using a framework, you typically have a fixed number of scripts that should be executable and you can configure your web server appropriately. However, that requires a VPS or dedicated server.

Edit: If you're interested in an actual language-level difference between PHP and Ruby/Python that affects security, PHP scripts accepted null bytes as part of filesystem paths until recently (PHP 5.3.4, which added protection against it, was released at the end of 2010).

-----


I'm not disputing any of that. I just get annoyed when people compare languages with frameworks. Ruby and Python have many advantages compared to PHP, but out-of-the-box XSS prevention is not one of them.

-----


> Rails is a framework. PHP is a language.

Rails is a DSL based on Ruby to build web applications that has hooks into a rich library that helps with that. PHP is a language designed to build web applications (although it can be abused to write any type of application)

-----


That happens in nearly every language which is famous and widely used. I have seen awful Python code in the past. So bad that it would have led me to hate Python, so bad that it would have forced me to believe Python as a language sucks.

But by now I am mature enough to understand that if you hire bad programmers you get bad code irrespective of the language its written in. You can use any tool you want, if you use it badly the result is going to be bad. These are days of Python and Ruby fanboyism so very obviously everything is going to look ugly in front of it. Code bases in other languages will be declared legacy and the same thing will be translated to the new shiny language and called the 'modernized' code bases. Your RDBMS use cases will be shoe horned to NoSQL databases and declared designed for the web. This will go on and on for anther few years...

Until we get to see page long blog posts another few years from now describing how many bad Python + Django examples can be found on the net. Or how bad Python and Ruby Legacy codebases are. How framework dependency with Django, Rails or Twisted sucks. Or how someone had to spend huge engineering effort migrating from Python 2 series to 3 series. Or how they had to rewrite a large part of SQL logic to work with NoSQL databases.

This trend repeats every few years, every few years a set of tools get trolled badly.

-----


Everyone always makes this argument, and yes you can write bad code in any language. That's a truism that contributes nothing to the discussion.

Now which languages make it easier to write more good code? Everyone talks about the lack of good PHP code and the response is "well there's plenty of bad python code out there!". What we will never see are any examples of PHP code held up as being great a few years from now.

Yes, every few years a set of tools get trolled badly. The same tools that were considered sub par by professionals at the time.

-----


> If you want to defend PHP in any meaningful way then you can't just list things that can be done easily in almost every semi-modern web ecosystem

Did you ever read Python's documentation? Or Ruby's? Or Java's?

Show me one popular web programming language which has a full page, up to date, with examples and user comments and version incompatibility info, per function.

Of course, it's just one point and I otherwise agree with your comment, but it's one hell of an advantage.

-----


> Did you ever read Python's documentation?

Yes. it's rather fucking good.

> Show me one popular web programming language which has a full page, up to date, with examples and user comments and version incompatibility info, per function.

Have you ever read Python's documentation? In the last ten years?

Python's docs have a complete and readable description of the language[0] including its data model and the various core protocols[1], it has a number of quality howtos and guides[2] a complete documentation of how to use C-level APIs[3][4], a pretty good and complete tutorial for beginners[5], a complete, well written and exhaustive changelog with examples[6] drilling down to C API changes[7] and most stdlib modules are extensively documented with examples and links to to the actual source code for the module[8] and versioning information[9], with the whole documentation being heavily hyperlinked and permalinked (every section, subsectio, sub-sub-section, class, method, function or constant getting its very own anchor) linking to its own source[10]. And just in case you want to contribute, or even just want the documentation offline, it's included in the source tree and trivially compiled to not only an HTML version, but a PDF (via latex), plain text or EPUB one as well[11]. Hell, the documentation is so extensive there's even documentation on documenting[12].

Oh, and the documentation is available for every single version of Python past, present or future (for which it could be found anyway, as far as older versions of the language are concerned), including bugfix releases[13]. And then it goes the extra mile by letting you run examples to ensure nobody broke them[14].

As to "full page per function", I really don't think you need that. And the PHP doc comments are closer to youtube comments than to anything worth reading, I simply can not see them as anything but liabilities.

[0] http://docs.python.org/py3k/reference/index.html

[1] http://docs.python.org/py3k/reference/datamodel.html

[2] http://docs.python.org/py3k/howto/index.html

[3] http://docs.python.org/py3k/c-api/index.html

[4] http://docs.python.org/py3k/extending/index.html

[5] http://docs.python.org/py3k/tutorial/index.html

[6] http://docs.python.org/py3k/whatsnew/3.2.html

[7] http://docs.python.org/py3k/whatsnew/3.2.html#build-and-c-ap...

[8] http://docs.python.org/py3k/library/collections.html]

[9] http://docs.python.org/py3k/library/collections.html#collect...

[10] http://docs.python.org/py3k/_sources/library/heapq.txt

[11] http://hg.python.org/cpython-fullhistory/file/tip/Doc

[12] http://docs.python.org/documenting/index.html

[13] http://www.python.org/doc/versions/

[14] http://sphinx.pocoo.org/ext/doctest.html

(the lack of markup in HN comments is getting seriously annoying)

-----


Don't forget being able to do this from within the interpreter:

    >>> print abs.__doc__
    abs(number) -> number

    Return the absolute value of the argument.
    >>> print xrange.__doc__
    
    xrange([start,] stop[, step]) -> xrange object

    Like range(), but instead of returning a list, returns an object that
    generates the numbers in the range on demand.  For looping, this is 
    slightly faster than range() and more memory efficient.

-----


True, or from your OS's shell:

    > pydoc unittest
    Help on module unittest:

    NAME
        unittest

    FILE
        /System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/unittest.py

    MODULE DOCS
        http://docs.python.org/library/unittest

    DESCRIPTION
        Python unit testing framework, based on Erich Gamma's JUnit and Kent Beck's
        Smalltalk testing framework.
    
        This module contains the core framework classes that form the basis of
        specific test cases and suites (TestCase, TestSuite etc.), and also a
        text-based utility class for running the tests and reporting the results
         (TextTestRunner).
 
    [snip]

-----


Or from ipython, even better:

    In [1]: abs?
    Type:		builtin_function_or_method
    Base Class:	<type 'builtin_function_or_method'>
    String Form:	<built-in function abs>
    Namespace:	Python builtin
    Docstring:
       abs(number) -> number
    
    Return the absolute value of the argument.

-----


And:

    In [1]: import json
    
    In [2]: json.dumps??
    Type:       function
    Base Class: <type 'function'>
    String Form:<function dumps at 0x101f0bc08>
    Namespace:  Interactive
    File:       /usr/local/Cellar/python/2.7.2/lib/python2.7/json/__init__.py
    Definition: json.dumps(obj, skipkeys=False, ensure_ascii=True, check_circular=True, allow_nan=True, cls=None, indent=None, separators=None, encoding='utf-8', default=None, **kw)
    Source:
    def dumps(obj, skipkeys=False, ensure_ascii=True, check_circular=True,
            allow_nan=True, cls=None, indent=None, separators=None,
            encoding='utf-8', default=None, **kw):
        """ [snip (excellent) docstring] """
        # cached encoder
        if (not skipkeys and ensure_ascii and
            check_circular and allow_nan and
            cls is None and indent is None and separators is None and
            encoding == 'utf-8' and default is None and not kw):
            return _default_encoder.encode(obj)
    #snip rest of func

-----


I usually use the help function, instead of reading __docs__ directly.

-----


> user comments

Ha-ha-ha. You're kidding, right?

Check strlen: http://www.php.net/manual/en/function.strlen.php

Comments:

1. Comment about how PHP converts types. "Conclusion: The values are converted to string before check the lenght."

2. Comment from a novice user who posted a solution to the problem of subtracting the number of spaces in string from its length.

3. Comment about someone who thought that there was a bug in strlen, but it actually was a documented difference in behavior between two minor versions of PHP.

4. Comment about counting characters in UTF-8 encoded string by decoding it to some other one-byte encoding.

5. Comment about counting characters in UTF-8. Actually, the whole new function.

6. Reminder that \r\n are actually two bytes! "If I had thought of this starting out, I would have saved myself several hours of trouble trying to get php to cut a message to the same length that my auxiliary javascript validation imposed on it."

7. Benchmarks for different UTF-8 strlen implementations.

8. Complaint about another comment, which suggested the function to count characters in UTF-8 strings that didn't work. And the "proper" solution using regular expressions.

...

-----


When I wrote some php years ago, the comments were actually useful. They had the most up-to-date information about the latest bugs in the php standard libs.

-----


It may just be a side effect of PHP's problems, but even the wrong comments tend to be extremely useful when you run into something weird when coding. Of course it's always more fun to bash people & programming languages, so maybe I'll just join in: that bloody Ruby API reference lacks any comments from users who might have noticed something that's causing a strange bug in my script.

-----


As much as I love Ruby, I have to say that the Ruby docs website is shit. No search bar (unlike the PHP docs website).

-----


Agreed. I use http://rdoc.info/stdlib/core/1.9.2/frames which has search and a nice UI.

-----


Thanks, I haven't laughed this much in a long while.

-----


Um, Python's documentation is separated by release versions - so you can read a doc page that specifically targets the version you are using. That is the right way to do it; with PHP you would have to read the doc page, then also go read any deprecation warnings or caveats for the possible version you are using. What a nightmare to maintain too. Plus, I have yet to come across a Python doc page that doesn't provide usage examples!

I can't speak for Ruby or Java because I haven't even looked at their documentation sites.

User comments? PHP user comments are crap, IMHO - so many people writing so much horrible code in those comments.

I understand where a lot of PHP supporters are coming from because I was once there - I spent four years with the language and thought it was the most beautiful thing that existed. Until Python, Scheme, Erlang, and Haskell invaded my life.

PHP will always be an amateur programming language - which is it's strength, kind of like BASIC, a great stepping stone but nothing more.

-----


So right! PHP is the Basic of web programming languages.

-----


I'll bite, speaking for Python, because that's the one I'm more familiar with.

1. Python doc has full up to date documentation for everything shipped with the standard library (which dwarfs PHPs grab bag of globally scoped functions)

2. The comments in PHP documentation are frequently out of date, misleading, or flat out wrong. Among the people I work with (who are working on PHP web apps, full time) everybody routinely advises the PHP noobs to ignore the comments.

3. The standard library functions shipped with most languages don't require a full page with multiple examples to explain how they work.

Don't get me wrong, the documentation for PHP is excellent, but it's a small win for a language that has so many real --language level-- issues.

-----


Python's got excellent documentation, both official and third party.

-----


Python itself does, but the third party modules (which do most of the heavy lifting) generally don't. See: Twisted.

-----


Perl is a good example where most third-party modules have good documentation. Or at least a SYNOPSIS you can poke, some DESCRIPTION of what the module does, and a few hundred lines of code in the t/ directory that test all the features of the modules.

The one thing I miss in Python is the inability to click "view source" in my web browser to see how a core Python library is implemented. PHP also has this problem. (Code is the best documentation. Learn to read it.)

-----


If you're talking about the search.cpan.org links to source, I'm right there with you.

The only thing I wish they had was a way to pipe it through a highlighter like perltidy with html out. That'd probably just lead to holy wars on formatting/colours though.

-----


MetaCPAN (http://metacpan.org) has a pretty source view.

For eg. https://metacpan.org/source/DRAEGTUN/Builder-0.05/lib/Builde...

-----


Awesome. search aliases duly updated.

-----


Twisted has semi-decent documentation, see

http://twistedmatrix.com/documents/current/api/twisted.html

http://twistedmatrix.com/documents/current/core/howto/index....

http://twistedmatrix.com/trac/wiki/Documentation

It's not as comprehensive and shiny as the core Python docs, but along with the tutorials and examples, it's actually pretty decent.

-----


There's high variation in quality amongst third-party modules, but the "modern" python community takes documentation quite seriously, there's even a complete site dedicated to nothing but hosting compiled documentation[0]. Projects like Django, Flask, SQLAlchemy or Flask have rather good documentation sets.

[0] http://rtfd.org

-----


Third party documentation doesn't count in this discussion.

-----


It does when one of the big criticisms of PHP is that it rolls everything into core that'd normally be third-party.

-----


Considering how PHP doesn't have anything like Twisted (and this is just one example out of many) ; no, it doesn't count.

Also, I never used a popular Python library for which I haven't found good resources.

My favorite Python library, called NLTK, which has no equivalent in PHP or Ruby or any other platform for that matter, comes with a freaking book that's available for free.

-----


Oh! Well, I must've missed that train (haven't done py for a few years). A couple of years ago, you had to get your info from a mix of a tutorial and a library reference, and most functions were documented with 3-4 sentences max and no examples.

Hmm, that said, that's still exactly what I find on the official Python site (e.g. http://docs.python.org/library/stdtypes.html#string-methods - PHP beats this by lightyears with a single page with examples and comments per function). Which 3rd party thing should I be looking for? (genuinely interested btw - the docs is one thing i dislike about python, and maybe unrightfully so, apparently)

-----


> e.g. http://docs.python.org/library/stdtypes.html#string-methods - PHP beats this by lightyears with a single page with examples and comments per function

1. Please explain why you need more explanation of these very basic functions

2. PHP's doc comments are unadulterated garbage

3. When things are worth documenting, they are: http://docs.python.org/py3k/library/collections.html

4. if you truly think string methods are insufficiently documented, it is very easy to contribute to the documentation.

-----


Frankly, no. Just no.

The REASON PHP needs a page per function is the sheer number of poorly handled edge cases, version incompatibilities, and gotchas.

-----


Maybe you're looking more for a tutorial, and not a reference? I've always found the online Python docs excellent, and provided me with exactly the information I need.

-----


Everyone is mentioning Python, but also check C# and .NET Fx and ASP.NET MVC.

For example: http://msdn.microsoft.com/en-us/library/w4hkze5k.aspx

or

http://msdn.microsoft.com/en-us/library/system.object.member...

You get the syntax (including VB, C++, and F# where availalbe), remarks, examples, version information, platforms, comments, and related content.

-----


MSDN is crap. It is just complete for completeness sake. You get the syntax, remarks, examples, version information, platforms, comments, and related content, but you still can't find what you are looking for.

-----


What used to drive me especially nuts about MSDN documentation (when I used to write C#) is that they seem to change the URL scheme every year or so, just so that every reference to anything breaks every single time you try to look at it.

I mean, just look at that first URL!

-----


User comments in PHP doc pages IMO is a whole lot of noise. Not that I am saying there isn't a place for something like that but the official doc is just not the place.

-----


User comments don't belong in documentation.

-----


As far as I know, PHP is the only major programming language that considers itself a "web programming language."

-----




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: