Why is PHP Hated by so many Developers?


15 Replies - 9248 Views - Last Post: 04 March 2015 - 08:01 PM

#1 Dogstopper

Posted 30 July 2013 - 05:45 AM

Hey all,

I saw the following response to a question on Quora the other day and was curious about what you all also think are the merits and pitfalls of PHP:
http://www.quora.com.../Anders-Kaseorg

If anybody can contest the arguments made, I'd love to hear it. I have used a lot of PHP in my days, but I certainly try to use a framework such as ROR or Django.

Thoughts?

#2 Dormilich

Posted 30 July 2013 - 05:51 AM

I'll just reference our discussion thread to that topic: http://www.dreaminco...-bad-about-php/

#3 Dogstopper

Posted 30 July 2013 - 05:52 AM

Cool. Totally didn't notice we had a thread on that already.

#4 Dormilich

Posted 30 July 2013 - 05:55 AM

I think we have one more: http://www.dreaminco...bad-reputation/


But honestly, as if PHP were the only language you can screw up.

#5 JackOfAllTrades

Posted 30 July 2013 - 05:56 AM

Quote

PHP encourages an insecure programming style by design.


Any programming language with a database API (that I've ever seen) can be abused in this way.

Quote

The language is a minefield of hidden security problems.


Again, improperly using any language results in the same behavior.

Quote

The documentation is full of harmful advice.


True in some cases.

Quote

PHP references are brain-damagingly wrong


No more wrong than passing by pointer in C or by reference in C++.

Just more bullshit from an anti-PHP wanker.

#6 murume

Posted 30 July 2013 - 06:23 AM

Maybe I'm not yet qualified to comment about these things but I think PHP is a great language. The great number of developers using it to build amazing things serves to prove that. Someone somewhere said it has too many functions. I don't see that as a CON because that's one of the first things that impressed me about PHP.
I must say though that the dollar sign is a pain for me.

#7 Atli

Posted 30 July 2013 - 10:01 AM

Looks like just another PHP troll post. People sure love hating on PHP.

I'll play, though.

Troll said:

1. [...] Its very syntax encourages you to splice unescaped values directly into database queries and HTML output without thinking twice, leading to SQL injection and cross-site scripting vulnerabilities.

Right. Providing easy ways to build strings is clearly meant to encourage SQL Injection and XSS. PHP - of course - is the only language "guilty" of that...

(Try heading over to the .NET or Java forums, and look for any post dealing with SQL. More often than not you'll find that newbies in those languages use the same exact SQL Injection ridden string concat syntax that we tend to deal with from PHP newbies.)

Troll said:

2. The language is a minefield of hidden security problems.

Granted, changing the behaviour of the function when dealing with arrays wasn't the greatest move, but the main failing here is on the developer, not PHP. You don't just pass raw user input into a function that is specifically built to deal with strings, and expect the underlying code to deal with the consequences when it's not. It's sloppy, and you only have yourself to blame if it starts giving you unexpected results.

Troll said:

3. The documentation is full of harmful advice.

Sometimes true, but hardly as often as he seems to want his readers to think it is. The example he mentioned, while probably true at the time, has since been fixed. - Tends to happen when people point out flaws in open-source code/docs.

Troll said:

4. [...] I know from personal experience that PHP references will damage your brain

...

Troll said:

(* The PHP documentation, starting two months ago, finally discourages new use of the original mysql extension in favor of the newer mysqli and PDO_MySQL extensions, which provide slightly better solutions to the SQL injection problem, if you're lucky enough to have a PHP installation that has them enabled and a code base that uses them.)

First, prepared statements don't provide "slightly better" solutions to SQL injection, they completely remove them as a threat.

And second, you'd have to be very very unlucky not to have either mysqli or PDO enabled on your host. I don't think I've ever seen a PHP 5 host without MySQLi support, and PDO has been enabled by default since 5.1. No professional host would dare to have either of them disabled.

#8 Dormilich

Posted 30 July 2013 - 10:13 AM

Atli, on 30 July 2013 - 07:01 PM, said:

No professional host would dare to have either of them disabled.

I know one.

#9 AdaHacker

Posted 30 July 2013 - 12:35 PM

Atli, on 30 July 2013 - 01:01 PM, said:

Granted, changing the behaviour of the function when dealing with arrays wasn't the greatest move, but the main failing here is on the developer, not PHP.

Sorry, but I have to disagree with you there. To me, this is all on the PHP core team - they made a careless decision on API design and documentation and it broke someone else's code.

Granted, the original code is a little weird (I certainly wouldn't write an equality check like that), but that doesn't let them off the hook - it worked in previous versions and was "to spec" according to the official manual. (The docs say that strcmp() will always return an integer - they make no mention of NULL at all.) I don't think it's fair or reasonable to blame the original author for trusting the documentation to be correct and complete.

Quote

You don't just pass raw user input into a function that is specifically built to deal with strings, and expect the underlying code to deal with the consequences when it's not. It's sloppy, and you only have yourself to blame if it starts giving you unexpected results.

I think that's a little disingenuous. This is PHP, not C, so as a matter of fact you do expect the underlying code to deal with type differences. The interpreter has historically gone out of its way to "do the right thing" no matter what garbage you pass to a function. You certainly don't expect "all bets are off" style undefined behavior just because you didn't pass the exact data type that's in the docs. If strcmp() bombed out when you gave it an integer, then maybe you could make that case. But in fact, it casts scalar types to string and then evaluates them according to the documented rules. Absent documentation to the contrary, I'd expect the same to be true of arrays and objects, but it's not - they cause a NULL return. So not only is it undocumented, but counter-intuitive as well.

#10 Atli

Posted 30 July 2013 - 03:33 PM

Dormilich, on 30 July 2013 - 05:13 PM, said:

Atli, on 30 July 2013 - 07:01 PM, said:

No professional host would dare to have either of them disabled.

I know one.

OK. Perhaps "professional" was the wrong word there. It doesn't really imply quality. That's more the word I was aiming for.

AdaHacker, on 30 July 2013 - 07:35 PM, said:

Sorry, but I have to disagree with you there. To me, this is all on the PHP core team - they made a careless decision on API design and documentation and it broke someone else's code.

I see what you mean, and perhaps I am being a little too harsh on the type strictness there. Array to String conversions have never really been supported though. PHP never triggers actual errors when doing so implicitly, but all you will get out of such a conversion is the word "Array". The array value will never be converted this way.

That said, the decision on the design change wasn't really careless. It was a planned change, and despite that author's claim that it wasn't mentioned in the PHP 5.3 migration notes, it actually was. (Albeit not specific to that function.) It really should have been mentioned in the strcmp docs as well though, there I'll agree with you.

From the Backward Incompatible Changes:

Quote

The newer internal parameter parsing API has been applied across all the extensions bundled with PHP 5.3.x. This parameter parsing API causes functions to return NULL when passed incompatible parameters. There are some exceptions to this rule, such as the get_class() function, which will continue to return FALSE on error.

For most functions this works out great, but unfortunately for strcmp there is no way to give a false return value that doesn't implicitly convert to 0. Giving a negative or positive value - as was its prior behaviour - is incorrect behaviour, as an array will of course have no equality value compared to a string. It was just comparing the "Array" string the array would convert to. The new behaviour - I'd argue - is correct, it's only incompatible with the previous behaviour as far as values that can't be converted directly to strings goes.

The only problem here, as far as I see, is that the strcmp function documentation isn't accurately describing the possibility of a NULL being returned.
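
The strcmp() behaviour debated in posts #9 and #10, as an added example that is not part of any post in the thread: a loose `== 0` check next to a type-checked one. The function names, `$secret` and the sample inputs are constructed for illustration; on PHP 8 and later strcmp() throws a TypeError for an array instead of returning NULL.

```php
<?php
// Added example, not code from the thread. Function names, $secret and the
// sample inputs are constructed for illustration. Requires PHP 7.0 or later.

// Legacy pattern: loose comparison of strcmp()'s result with 0.
// PHP 5.3 to 7.x: a non-string argument makes strcmp() warn and return NULL,
// and NULL == 0 is true, so the check passes without knowing the secret.
// PHP 8+: strcmp() throws TypeError instead of returning NULL.
function check_loose($input, $secret)
{
    return @strcmp($input, $secret) == 0;
}

// Hardened form: reject anything that is not a string before comparing, then
// use hash_equals(), which returns a strict bool and is timing-safe.
// (A real application would store a password hash and call password_verify().)
function check_strict($input, string $secret): bool
{
    if (!is_string($input)) {
        return false;
    }
    return hash_equals($secret, $input);
}

$secret = 'correct horse';          // constructed sample value

$cases = [                          // constructed sample inputs
    'matching string' => 'correct horse',
    'wrong string'    => 'guess',
    'integer'         => 0,         // scalar: cast to "0", then compared
    'array'           => [],        // non-scalar: the case the thread debates
];

foreach ($cases as $label => $input) {
    try {
        $loose = check_loose($input, $secret) ? 'accept' : 'reject';
    } catch (TypeError $e) {
        $loose = 'TypeError';       // PHP 8+ refuses the incompatible argument
    }
    $strict = check_strict($input, $secret) ? 'accept' : 'reject';
    printf("%-16s loose=%-10s strict=%s\n", $label, $loose, $strict);
}
```

Replacing `== 0` with `=== 0` alone also closes the gap on PHP 5.3 to 7.x, because NULL is not identical to the integer 0.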

#11 Dogstopper

Posted 30 July 2013 - 04:18 PM

It did sound a bit harsh to me. I mean, like you said, other languages have the same flaws. What I think he was trying to make a point about was PHP vs. something like Ruby On Rails or Django. I remember finding the docs to be some of my least favorite of the languages I've used, but I've also found it to be extremely powerful, so I guess there are a lot of tradeoffs there.

#12 VolcomMky

Posted 31 July 2013 - 09:19 AM

Quote

The documentation is full of harmful advice.


Honestly, how often does documentation prove 100% accurate and/or helpful?

From my experience with APIs from multiple languages, the documentation is kind of like a car manual for a 2000 Ford when you find it in the glove box of a 2005.

Some stuff works, some stuff is available, others will have you pulling out the door panels for something that doesn't exist - but not everything is word for word or even close to being 100% accurate.

GoDaddy, Millennium Harms, Google, Facebook, and more..
Yea, they have majority correct, but sometimes not.
Some say you can submit XML requests with multiple IDs but only accept 1 ID but only in the multiple ID format

Trolls, puh

#13 AdaHacker

Posted 31 July 2013 - 12:28 PM

Atli, on 30 July 2013 - 06:33 PM, said:

That said, the decision on the design change wasn't really careless. It was a planned change, and despite that author's claim that it wasn't mentioned in the PHP 5.3 migration notes, it actually was. (Albeit not specific to that function.)

Oh, I know it was planned, but I still think it was careless. That point in the migration guide doesn't mention any of the affected functions and doesn't actually define what an "incompatible parameter" is. They should have at least listed the affected functions and updated their documentation accordingly. All they did there was say, "Oh, we've made a blanket change that affects potentially everything in a half-specified way." To me, that's just irresponsible.

Atli, on 30 July 2013 - 06:33 PM, said:

The new behaviour - I'd argue - is correct, it's only incompatible with the previous behaviour as far as values that can't be converted directly to strings goes.

To me, the new vs. old behavior is irrelevant - it's the fact that the behavior changed at all that's a problem. The only thing worse than a badly designed API is an unstable API. And this is not beta-quality stuff - strcmp() has been around for a decade. A responsible maintainer doesn't lightly make breaking changes to something that old, particularly when you have a userbase as large as PHP does.

Of course, I'm not saying that it's never valid to make such changes. If they'd made that change in a major release (e.g. PHP 6) and had announced and documented it appropriately, that would be fine. My complaint is that they just snuck it into a minor version increment and only bothered with a three-sentence blurb in the release notes. And it's not like strcmp() just fell through the cracks. The same change affected number_format() as well as call_user_func_array(), to give a couple examples, and wasn't documented in either case. To me, that makes it seem like they either didn't consider the consequences of the change or they just don't care.

#14 graverivas

Posted 16 August 2013 - 02:18 AM

You shouldn't hate PHP in that sense, you should hate the developers who code in PHP. Because they are the ones who make the code insecure. PHP only allows these functions but it is still the developer's decision on it or not even though it is somewhat you call a flaw in coding.

#15 Christopher.Burkhouse

Posted 04 March 2015 - 08:00 PM

My personal belief on this...

Quote

PHP encourages an insecure programming style by design.
...
encourages you to splice unescaped
...
leading to SQL injection and cross-site scripting vulnerabilities.


Wrong, wrong and wrong. PHP allows MANY ways to secure data. With the introduction of PHP5, even more safe methods were added using MySQLi. If you don't sanitize your data prior to entering into your database, you deserve to be hit with XSS vulnerabilities and SQL injection. You're asking for it! PHP enables more flexibility at the cost of security. However, all the ways to secure code are there, some programmers just don't know about it even though it's right in front of their face. This user seems like he's complaining it's encouraged not to read and learn how to properly program in PHP by the devs. Nope. Even the dev notes warn users about this.

Quote

The language is a minefield of hidden security problems. Even something as simple as...

The example here was again a case of not understanding how to properly secure a password protected website. Or maybe I don't see the entirety of the code and am missing why they would do this. However, ALL languages have their bugs, security holes, etc, and that's why you're encouraged to report these! I'm still not understanding why the user password protected their admin files this way. Am I wrong to feel this way? strcmp seems redundant in this case.

Quote

The documentation is full of harmful advice.
...
(htmlspecialchars does not escape single quotes!)

Except that PHP htmlspecialchars DOES escape single quotes. Another form of not understanding something. That's quite sad on this author's behalf. Maybe it wasn't at some point, but I'm pretty sure it always did (as I don't remember a single moment I used it that it did not escape both single AND double quotes). It even says right on the documentation what it escapes, so that was a fail on the author's behalf :P


Quote

PHP references are brain-damagingly wrong.

I'd like a single REAL example. The examples were horrendous long stretches, HOWEVER, I know some rather bad examples that have me scratching my head, or some the simply lack full references. Any documentation is like this, though. I wish PHP's documentation was a bit better at times, but that's what we're here for! :D AND what trial and error is for. No language is perfect, and I do believe the PHP team did a fairly good job at their VAST documentation, but can agree it can be improved greatly (that means they'll never be bored at least?).

---

Anyways this is an example of a user being hyper-critical about something he refuses to understand. I see it all too often. It's different therefore he wants to trash it. You see the same when it comes to religious beliefs, country alignment, even class warfare. If I don't understand it, I hate it, GRR!!! Noooo, take the time to learn it! PHP is a quite chaotic yet beautiful language.

OH and to the comment about FB straying away from PHP, the author read the first line and didn't read the rest (how sad!). In short, PHP is choosing a language that best suits their methods, rather than switching because PHP sucks as the article implies. I do believe, however, Facebook is a prime example of how PHP can perform quite well at such a high capacity. But hey, as the saying goes, they hate us 'cause they ain't us. Okay maybe that doesn't fit in here, but I love that show.

Don't agree with something I said? Let me know. I love to be wrong, only because I love to learn! Programming, science, religion, I LOVE to debate, and LOVE to be corrected. If you tell me I'm wrong and WHY I'm wrong, I can be right! So please tell me if any of the above can be disputed, I'd appreciate it. I also hope this helped answer some of your questions Dogstopper (:

-Chris