php good choice?

59 Replies - 22645 Views - Last Post: 20 June 2012 - 06:30 AM

#46 Curtis Rutland
Posted 18 June 2012 - 04:05 PM

mysql_escape_string vs mysql_real_escape_string

The confusion is having an API that has a thing, then another thing called real_thing.

And until 5.4, E_ALL didn't include E_STRICT, when you would believe something labeled as ALL would include everything.

It's good to have documentation like PHP provides, but it would be better to have it as well as consistency so you could reasonably infer about the API.

He actually explains much more further down. He goes into deep detail on why == is dangerous, and why the boilerplate he's complaining about is necessary. It's easy to leave the article after the first few paragraphs, because he's clearly argumentative. But when you get into the meat of it, he's compiled an incredible list of gotchas and odd behaviors that few people will know all of.

#47 nick2price
Posted 18 June 2012 - 05:12 PM

I'm not being funny, but why don't they just fix them? I mean, PHP are talking about monthly updates, so why not spend their time sorting out all these issues?

#48 Curtis Rutland
Posted 18 June 2012 - 05:46 PM

A lot of the issues are backwards compatibility issues. There's lots and lots of web apps out there running on PHP.

#49 CTphpnwb
Posted 18 June 2012 - 06:44 PM

Curtis Rutland, on 18 June 2012 - 07:05 PM, said:

mysql_escape_string vs mysql_real_escape_string

The confusion is having an API that has a thing, then another thing called real_thing.

If we're going to pick nits I'd say this is more a MySQL issue than PHP, and it's fixed with prepared statements. I've never been a big fan of backwards compatibility since I think it slows down progress, but I can see leaving the old functions in place. For now.

#50 jon.kiparsky
Posted 18 June 2012 - 07:05 PM

It's a PHP issue in that it's an issue with PHP. It's not a MySQL issue in that if you're using MySQL you'll never come across it unless and until you start deploying PHP.
At least, that's what I'm getting from reading the documentation.

As for backwards compatibility, that's a really interesting issue. Since there's so much PHP in the world, you'd have to leave PHP as it exists today in place, so what do you do? Do you try to write something that can decide which PHP you're using and handle both? Do you have two PHP engines, and require some sort of version declaration up front? Or do you freeze-dry PHP where it is and make a new language with all the best parts of PHP, applying the lessons learned?

I don't pretend to know the answer - I'm not a PHP developer - but from my exposure to the language working on my company's site I can see that the question is worth asking, and I'm pretty sure someone is going to answer it at some point.

#51 Curtis Rutland
Posted 18 June 2012 - 08:46 PM

Jon, I think that question has already been answered by some...considering how many fairly new web frameworks there are. The problem is that none of them are going to explode like PHP did. Way back in the day, if you wanted server-driven dynamic web content, you used CGI or PHP. PHP was way easier to learn. I believe that's why, despite its flaws, it has become the most prevalent server page language.

#52 BenignDesign
Posted 19 June 2012 - 06:24 AM

I have said before that PHP has its flaws... there are many things that could stand a patch or a complete rework. And yes, after getting into the "meat" of the blog post, he has some valid complaints... but many of the issues he brings up are things that I have never encountered - in all my years of coding, I've never used many of the commands he mentions. It seems to me he's nitpicking about a collection of obscurities that are rarely used. Maybe I don't code anything involved enough... I don't know. But "==" has never been a problem for me.

And his complaint that explode doesn't work with a missing delimiter.... W.T.F. If you don't give it a delimiter, it doesn't know where to split the data. Has he ever imported a CSV file to a database? If there's an extra comma or a missed comma, it throws the whole fucking import out of whack. That's the whole point in delimited data - a hard and fast delimiting character so the program (regardless of what language it was written in) knows where to split said data. Why would you use explode on something without a delimiting character? EXPLAIN THIS TO ME!

#53 Atli
Posted 19 June 2012 - 02:57 PM

BenignDesign, on 19 June 2012 - 01:24 PM, said:

Why would you use explode on something without a delimiting character? EXPLAIN THIS TO ME!

Probably because the dude that wrote that article "loooove[s] Python", and Python's string.split function just assumes you mean "white spaces" if you forget to pass it a delimiter to work with. (Were you expecting a logical reason?)

dude that wrote that article said:

explode refuses to split with an empty/missing delimiter. Every other string split implementation anywhere does some useful default in this case

"Useful default" is a subjective term. One developer's "useful default" is another developer's "WTF? Why is it doing that?!".

Also, the author of that blog may want to investigate Java's String.split method. Or C's strtok function. Or Perl's split function. (And those are just off the top of my head...)


I don't get what on earth motivates a person like that to discover, and write huge articles about, all his perceived disadvantages of a language he clearly has no interest in using? He even, on a few occasions, mentions that the only people who are likely to agree with him, or even bother to read the whole thing through, are people who already agree with him. What the hell is the point then? Can it really just be a very verbose "PHP developers suck!" message? Surely he's not doing this to make himself look like a PHP expert, seeing as he clearly doesn't want to work in PHP...

#54 Curtis Rutland
Posted 19 June 2012 - 03:54 PM

I imagine that a lot of that research was done when he was forced to work in PHP. Sometimes we have to do jobs we don't like to keep a roof over our heads.

#55 Atli
Posted 19 June 2012 - 04:52 PM

That's true enough I guess. I've never had that trouble though, seeing as PHP has pretty much been in constant demand for ages, and that is my language of choice. (That and JavaScript.)

I can't see myself writing an article like that, though, if I were forced to work in, say, VB6 all day. I'd go home and do some fun PHP and JavaScript project, not detail everything I dislike about VB6 in my blog.

#56 CTphpnwb
Posted 19 June 2012 - 05:39 PM

jon.kiparsky, on 18 June 2012 - 10:05 PM, said:

It's a PHP issue in that it's an issue with PHP. It's not a MySQL issue in that if you're using MySQL you'll never come across it unless and until you start deploying PHP.

SELECT * FROM mytable WHERE some_field='somestring'

I could be wrong, but I don't see how it would be different from PHP if you're using another language and you pass a query like the above to the MySQL server. If 'somestring' is user supplied data that hasn't been scrubbed, there's nothing to keep the MySQL server from executing a properly prepared SQL injection attack. Those attacks don't attack PHP, they attack the MySQL server. Prepared statements are a way of protecting that server.

And I agree with Atli. In fact, I think it's kind of lame to tear down a language. None are perfect, and odds are that in 50 years none of today's languages will be in wide use. Better to learn what you can from what you're using and be prepared to move on to the next, better (but still not perfect) technology.

#57 Curtis Rutland
Posted 19 June 2012 - 05:51 PM

The problem isn't the vulnerability itself. The problem is having X and REAL_X. It's not a MySQL issue, the issue is the PHP API including confusing function names.

And I disagree vehemently that it's lame to tear down a language. Every language needs criticism, or nothing would ever get better. The fact is, that guy put together a list of dozens of gotchas and bugs including many things that the average developer would never even think about. Yes, his tone is dripping with contempt. But that doesn't make his actual criticisms any less valid in and of themselves. If you try not to read it as a personal attack, it's actually informative.

#58 Atli
Posted 19 June 2012 - 06:46 PM

Curtis Rutland said:

The problem isn't the vulnerability itself. The problem is having X and REAL_X. It's not a MySQL issue, the issue is the PHP API including confusing function names.

Actually, the old PHP MySQL extension pretty much just mimics the MySQL C API, which includes both the mysql_escape_string and mysql_real_escape_string functions. They each have their purpose, although I agree with you that the naming is a tad confusing. The only fault there on PHP's side is that the extension mimics the C API too closely, without insulating the PHP developers from these types of minor details.

This has since been corrected with both the MySQLi extension and PDO. The PHP manual does, in fact, discourage the use of the old MySQL extension in favor of those. (And we aren't exactly shy about mentioning that to newbies around here :))
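The distinction posts #56 and #58 draw between building the query string from user data and using prepared statements, as an added example that is not code from any poster in the thread. It assumes PDO with an in-memory SQLite database standing in for the MySQL server; the table and column names come from the query in post #56, while the `secret` column, the sample rows and the function names `find_concatenated` and `find_prepared` are hypothetical.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL server so the
// script runs offline; rows and function names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE mytable (id INTEGER PRIMARY KEY, some_field TEXT, secret TEXT)");
$db->exec("INSERT INTO mytable (some_field, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// Before: user data is pasted into the SQL text, so the server cannot tell
// the programmer's query apart from the user's string.
function find_concatenated(PDO $db, string $input): array
{
    $sql = "SELECT * FROM mytable WHERE some_field='" . $input . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the query text is fixed and the value travels separately as a
// bound parameter, so it is only ever compared as data.
function find_prepared(PDO $db, string $input): array
{
    $stmt = $db->prepare("SELECT * FROM mytable WHERE some_field = :value");
    $stmt->execute([':value' => $input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary value and the textbook always-true string.
$inputs = ['alice', "nobody' OR '1'='1"];
foreach ($inputs as $input) {
    printf(
        "%-20s concatenated: %d row(s), prepared: %d row(s)\n",
        $input,
        count(find_concatenated($db, $input)),
        count(find_prepared($db, $input))
    );
}
```

With the MySQL driver, PDO emulates prepared statements on the client by default; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server do the binding.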

#59 macosxnerd101
Posted 19 June 2012 - 06:48 PM

Quote

This has since been corrected with both the MySQLi extension and PDO. The PHP manual does, in fact, discourage the use of the old MySQL extension in favor of those. (And we aren't exactly shy about mentioning that to newbies around here :))

And it sounds like this problem will be tackled more aggressively in the next version of PHP by deprecating the old mysql_*() family of functions.

#60 BenignDesign
Posted 20 June 2012 - 06:30 AM

Atli, on 19 June 2012 - 07:52 PM, said:

I can't see myself writing an article like that, though, if I were forced to work in, say, VB6 all day. I'd go home and do some fun PHP and JavaScript project, not detail everything I dislike about VB6 in my blog.


This. A million times this.

When I first started my current job, I was forced kicking and screaming to work with the existing ASP code/Dreamweaver layout garbage that makes me want to gouge my eyes out with painfully blunt objects. The last thing I wanted to do at the end of the day was go home, do research, and blog about the headache I'd dealt with for the preceding 8 hours.

In fact, I didn't even want to write PHP when I got home. I wanted to pour a stiff drink, kick back in a comfy chair, and drool on myself the rest of the night.

I hope I never find myself in a position where I have to work with ASP and/or Dreamweaver again... but you never know. So I bought a couple books on the subject and I always have DIC if I need a hand. But if ASP is your thing, so be it. I hope you understand my gibberish enough to help me out when I run into a problem. And if you ever need PHP assistance, I hope I can offer the same to you.

You're not a lesser being for using ASP. In fact, I see you more as a god who has mastered what I cannot. Well, I probably could, I just don't want to. I tip my hat to all those who use languages other than my own. And I tip my hat to those who have mastered the languages I use. May your knowledge take you far and help many... just don't be a dick about it.