Is PHP going to die?


87 Replies - 9715 Views - Last Post: 22 March 2017 - 11:17 PM

#31 jon.kiparsky

Re: Is PHP going to die?

Posted 24 March 2016 - 08:22 PM

CTphpnwb, on 24 March 2016 - 09:43 PM, said:

If you have to think about that, then you're a terrible developer who's using deprecated (actually removed in PHP 7) MySQL code instead of prepared statements in PDO or MySQLi, both of which have been around for more than a decade.


jon said:

I don't know, maybe this particular issue has been addressed since I last had to suffer through PHP a few years ago, but this goes on throughout the language.


#32 e_i_pi

Posted 24 March 2016 - 11:53 PM

Quote

Quote

What are these security issues with PHP? I'd be interested to know.


The biggest one is that you have to pay far too much attention to security. If you have to think about security when you're developing functionality, you're already screwed. Simple example: input validation. I had an interview a few years ago, for a PHP job. One of the Big Questions was a "what's wrong with this code" - there was a snippet that got some input from the user and consulted the database and did a little dance and printed some output. The answer was "it doesn't sanitize the input before it hits the DB, so you could get a SQL injection attack".

I've seen this in every language I've coded for. SQLi is not new, and it's not restricted to just PHP. If you are not validating transferred data (e.g. user input):
  • Client side, in order to improve UX and cut down on failed commit traffic between client and server
  • Server side at a front controller / first point of contact level, to ensure user input abides by contractual commitments and business rules
  • Server side between class method calls to ensure that non-typable/interfacable business rules are adhered to by the coder, and
  • Data layer pre-commit, to ensure that typing is mapped properly between your model and your data layer

...then you are asking for trouble. If you're relying on the language to do this for you, then you're making a dangerous assumption, and this isn't just PHP. I have seen security holes in other applications all over the place. Some examples in the time I have been in IT:
  • At a major emergency service provider, they stood up SSRS and exposed it to the 10k people out there in userland, allowing them to utilise ReportBuilder, including writing their own SQL. The service account had dbowner privileges. When I saw what they had done, I warned them that anyone could go in, create their own "custom get statement" defined as DROP DATABASE {...}
  • At a boutique IT company I worked for that had several clients in the ASX200, the main application was written in C#.NET, and the client decided to create a node in the org hierarchy to move employees to when they had put in an insurance claim against the company. This node was not secured as it sat in a section of the hierarchy marked "public".
  • At a major financial institution, the main application was written in C#.NET, which allowed anyone to log in to the site with a self-service account, and then fill out forms that got executed on the database as concatenated SQL strings. The validation was handled by Javascript and nothing else, with a function named validate(). I demonstrated that you could navigate to the site, go into developer tools, type function validate() { return true; } and completely bypass security, after which you could commit SQLi.


This is idiocy of the highest degree, and comes about due to the fact that the coder is stupid, not that the language "allows it". Theoretically, I could stab someone in the street in the next five minutes. The solution is not to enforce universal spoon usage.

Quote

Use a real framework, <snip>

Valid discussion there, but I have to go entertain guests, so I just thought I'd point this out, because it is missed very often. PHP is a language, not a framework. Languages allow you to code at the most base level within that language, frameworks abstract that away, expose only what they want you to see, and often contain a lot of "fixes" to the underlying language (q.v. jQuery and browser compliance). Coding in raw PHP, without a framework, is a bad idea. Use a respected framework, or if you're like me and have the time and patience, create your own.

This post has been edited by e_i_pi: 24 March 2016 - 11:55 PM


#33 jon.kiparsky

Posted 25 March 2016 - 07:54 AM

Quote

I've seen this in every language I've coded for. SQLi is not new, and it's not restricted to just PHP. If you are not validating transferred data (e.g. user input):
  • Client side, in order to improve UX and cut down on failed commit traffic between client and server
  • Server side at a front controller / first point of contact level, to ensure user input abides by contractual commitments and business rules
  • Server side between class method calls to ensure that non-typable/interfacable business rules are adhered to by the coder, and
  • Data layer pre-commit, to ensure that typing is mapped properly between your model and your data layer
...then you are asking for trouble.


All of this is boilerplate that the programmer should never have to think about. If your language or framework asks you to think about this each time you get some input then you're not just asking for trouble, you've already got a big plate of it. Security should never be optional, and it should never depend on hoping that the programmer got it right every time. Again, this approach guarantees that you will have failures, and the only way to remediate those failures is to devote your code review time to making sure that the boilerplate is all absolutely correct. This means that the programmer writing the code and the reviewer checking it are spending a significant portion of their time not thinking about the things that the user wants, they're wasting their time and the enterprise's money reimplementing security features that should be handled automatically.
As if this disaster weren't bad enough - and it should be bad enough for anyone - when you're done with this you have a steaming mound of WET code with a bunch of security-critical code staring at you, ready to be broken by the next commit. So now every commit, forever after, requires a security-level review.
This is no way to live.

Now, it's possible that there are PHP frameworks that handle this stuff correctly. If so, fantastic. Then you're just left with the fractal of failure that is the PHP language, but the security issues would have been mitigated for users of that framework. This is a point of agreement, so I want to lean on it a little bit: I agree with you 100% that if you have a PHP framework that takes security seriously and handles things like input validation, then the above points do not apply to you. I'm just talking about people who use the language for its intended purpose here. Those people, we agree, are totally screwed.

Quote

Coding in raw PHP, without a framework, is a bad idea.


Another point of agreement. PHP, when used as directed, is a bad idea. I'm glad we're finally getting somewhere.

#34 CTphpnwb

Posted 25 March 2016 - 08:25 AM

PDO is part of raw PHP and has been since (I believe) 2004. Here in 2016, if you're using PDO properly you have no worries about SQL injection. Frameworks are a separate discussion.

Oh, and I think security is always optional, which is what makes it so difficult. You might think you're secure because you're using PDO's prepared statements, but SQL injections aren't the only threats. In another language, you might have avoided buffer overruns, but missed a few memory leaks.

No matter the language, you can never assume you're 100% secure, because you're not.

#35 jon.kiparsky

Posted 25 March 2016 - 08:43 AM

Quote

Here in 2016, if you're using PDO properly you have no worries about SQL injection.


Security should never be optional.

Quote

No matter the language, you can never assume you're 100% secure, because you're not.


True enough. But if a language leaves basic security features up to the programmer "using X properly", then it means the programmer is spending their time thinking about details and getting them right. That means less time for thinking about real security issues - the ones that the platform can't help you with.

The more you guys talk, the more convinced I get. PHP delenda est.

#36 CTphpnwb

Posted 25 March 2016 - 09:43 AM

So then you think any language that uses pointers is dead too, right?

And by using PDO properly, I mean not deliberately building queries using data.

This is NOT an accident:
$query = "SELECT * FROM users WHERE id='$id'";

It's begging for trouble.
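The concatenated query from this post, beside the form the earlier posts describe (validate at the first point of contact, then let PDO bind a typed parameter). This is an added example, not code from any poster; it assumes an in-memory SQLite database and constructs its own table, rows and inputs so it runs offline.

```php
<?php
// Added example, not code from the thread. Builds an in-memory SQLite table
// through PDO so it runs offline; table, rows and inputs are constructed here.
// With MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not PHP, binds the values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// The pattern quoted in the post above: user data spliced into the SQL text,
// so the data can change the shape of the query.
function lookupUnsafe(PDO $db, string $id): array
{
    $query = "SELECT * FROM users WHERE id='$id'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate at the point of contact (an id must be a positive
// integer), then bind it as a typed parameter. The query text is fixed at
// prepare() time, so the value is never parsed as SQL.
function lookupSafe(PDO $db, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an honest id, and a value that rewrites the WHERE clause
// when concatenated but is rejected by validation before any SQL runs.
foreach (['1', "' OR '1'='1"] as $input) {
    printf("unsafe(%s) -> %d row(s)\n", $input, count(lookupUnsafe($db, $input)));
    try {
        printf("safe(%s)   -> %d row(s)\n", $input, count(lookupSafe($db, $input)));
    } catch (InvalidArgumentException $e) {
        printf("safe(%s)   -> rejected: %s\n", $input, $e->getMessage());
    }
}
```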

#37 jon.kiparsky

Posted 25 March 2016 - 10:21 AM

CTphpnwb, on 25 March 2016 - 11:43 AM, said:

So then you think any language that uses pointers is dead too, right?


I certainly wouldn't use C or C++ to build user-facing functionality. C is great for constructing libraries that are built to be safe to use, but those libraries should be maintained as separate projects and called from a high-level language.

Quote

And by using PDO properly, I mean not deliberately building queries using data.

This is NOT an accident:
$query = "SELECT * FROM users WHERE id='$id'";

It's begging for trouble.


I agree. That's why a language which expects users to construct SQL queries instead of using an ORM is - let's say it again - broken by design. PHP, when used as directed, is broken. I love that you're providing my examples for me. Keep it up!

#38 CTphpnwb

Posted 25 March 2016 - 11:05 AM

No one directs you to use code that was deprecated long ago. You're using PHP's legacy support as a straw man.

#39 jon.kiparsky

Posted 25 March 2016 - 11:20 AM

If you're telling me that it's no longer standard practice to compose ad-hoc SQL on the fly in PHP, I suppose that's a good thing. Congratulations. PHP is a little less awful.

However, as I said several times, security fail is just a sort of extra added bonus fail on top of the big steaming mound of fail that is the PHP language itself. Pointing to the fact that security is less of a nightmare now than it was a few years ago when I was using the language is sort of a small victory when you're talking about a language that is built of 100% pure pain. PHP is basically an esoteric, but its users haven't quite twigged to the joke.

#40 dday9

Posted 25 March 2016 - 12:43 PM

I've only read the first couple of posts in this thread but my answer is that I sure hope that it is going to die and soon. I am no fan of the syntax nor am I a fan of the documentation either. You can always make a programming language work for you but I like programming languages that work with me rather than for me.

Just like classic Visual Basic, I know that there is a very strong and passionate community for PHP, but I could just never fully embrace the language (same with classic VB too).

#41 astonecipher

Posted 25 March 2016 - 01:25 PM

I don't understand why it matters. If you don't like a language, don't use it.

Yes, PHP has its issues, but the majority of them are from ancient tutorials floating around. While working with ASP, I was amazed at how fast I could develop, because I didn't have to worry about the things mentioned, BUT you had to be happy with how .NET handles them. When you know what you are doing with PHP, you can have classes, just like .NET and likely Python and Ruby, that handle them the way you want to. I don't see that as a negative, I see it being more of an intermediate language because of that.

My biggest gripe with PHP is it being a loosely typed language, but there are several others in that same class.

@dday9, if you are used to VB, no wonder you don't like the syntax. PHP still uses the C family syntax, which is more used than any other.

#42 jon.kiparsky

Posted 25 March 2016 - 01:52 PM

Quote

I don't understand why it matters. If you don't like a language, don't use it.


Well, the guy asked if he should focus on PHP. The obvious answer is no. I would have thought that would be the end of it.

#43 xclite

Posted 25 March 2016 - 01:58 PM

Initial question:

Quote

Hi everyone,
this is my first post. And as a new developer just starting out and learning all the basic skills I was wondering: is PHP a language that will soon die?
I have a decent knowledge of both PHP and Javascript, and I see that the wall between client and server side scripting is getting demolished by js implementing server side scripting elements and ajax tricks too.
So I would like your opinion about this; is it still worth learning and using PHP or would it be better to focus on the latest js frameworks?


Will it soon be obsolete or hard to find? No. Will it ever be the case that programs stop running or being written in PHP? Not in the next 5 or more years, if ever. Is it worth investing in? I'd advise against it since there are just better options out there today.

#44 CTphpnwb

Posted 26 March 2016 - 06:26 AM

jon.kiparsky, on 25 March 2016 - 01:20 PM, said:

If you're telling me that it's no longer standard practice to compose ad-hoc SQL on the fly in PHP, I suppose that's a good thing. Congratulations. PHP is a little less awful.

Well, "standard practice" varies from shop to shop, so I wouldn't blame a language on the poor practices of shops unwilling to spend the time/money to improve their practices.

PHP has a C-like syntax that I like. I see no real difference between:

template <class S, class T>
T foo(T x, S y) {
	return x + y;
}


and
function foo($x, $y) {
	return $x + $y;
}


other than PHP can easily return the correct type. My point here isn't that PHP is better than C++. It's that languages all have their strengths and weaknesses. You're just focusing on PHP's weaknesses, which tend to be the people (mostly beginners) using it. Just remember that if they stop using it, many of them will start using your favorite language and you'll start seeing more crappy code there.

#45 jon.kiparsky

Posted 26 March 2016 - 09:28 AM

Quote

You're just focusing on PHP's weaknesses, which tend to be the people (mostly beginners) using it


Yes, I'm focusing on PHP's weaknesses, but those are not the people using it. Take another look at the article I linked to earlier. Why would anyone tolerate a language that has even a quarter of those failures? Each item listed there would send a responsible language designer back to the drawing board. PHP doesn't care about them.

Yes, other languages have idiosyncratic design choices. Python's "self" construct is kind of strange, and learning your way around method resolution order is not trivial, Java's insistence on reserving == for strict identity comparisons is a questionable design choice, I get it - other languages have problems as well. But PHP is different. It doesn't have a few quirks, it has a multitude of massively bad decisions. I can't think of any other language, outside of R and the esoterics, which is as thoroughly riddled with fail as PHP is. This is not about the users of the language, it's about the language.

To repeat myself: I'm not interested in convincing someone to give up a language that they've already invested in. That's your choice, you can do what you like. But if someone's asking whether they should put in that investment in PHP, the answer is always "no".