PHP 4 End of Life Announcement

perbert writes "The PHP development team has announced that support for PHP 4 will continue until the end of this year only. After 2007-12-31 there will be no more releases of PHP 4.4. Critical security fixes will be made available on a case-by-case basis until 2008-08-08. For documentation on migration for PHP 4 to PHP 5, there is a migration guide. There is additional information available in the PHP 5.0 to PHP 5.1 and PHP 5.1 to PHP 5.2 migration guides as well."

Thank God

[Daengbo (523424)]

I hope that everyone has moved beyond PHP 4.X by this point. 5.X is more secure and capable.

Re:Thank God

[Arancaytar (966377)]

You'd be surprised how many shared web-hosts are still out there running ancient and unpatched PHP versions. Partly out of laziness and partly out of an unwillingness to make their customers work on their equally ancient applications. register_globals being enabled can be one of the least security concerns there.

See also http://gophp5.org/ [gophp5.org]

Re:

[flight_master (867426)]

I am the owner of a shared hosting provider, and partially I need to rebuke your statement.
Sure, most of our systems do run on the latest LAMP stack (Apache 2, MySQL 5, PHP 5), however we still have some systems runnning PHP4, as clients insist on using old software like phpBB (for example) that doesn't run at all on version 5. Not to mention, those of us who use cPanel need to wait for them to get the entire system stable before we can upgrade.

This combines well for us though - we announced that PHP4 s

Re:Thank God

[NeoThermic (732100)]

For those using phpBB2, as long as you're not using an obscure PHP5 config, it will work fine. We just don't officially support it as phpBB2 was written for PHP3 and PHP4 only (since those were the only versions out when it was released). Or, get them to move over to phpBB3, which not only supports PHP4 and PHP5, but will actually run on PHP6-dev versions. (Although if you're running -dev on a live server...)

NeoThermic

Re:

[ctr2sprt (574731)]

Yep, I work for a hosting company, and I wish to emphasize your point that a lot of customers are running old apps held together by spit and baling wire that won't work on PHP5. And if we tell those customers to get with the program and fix their shit, they will just go find someone who will give them PHP4.

Another problem is that RHEL3 and RHEL4 - which are still, by a wide margin, the most common versions out there - don't support PHP5. They support it in the sense that RPMs exist and you can install t

Re:

[KermodeBear (738243)]

You would think.

I work for a company that hosts several major, big name websites; millions of hits a day. There has been a massive resistance to move from PHP4 to PHP5 for several reasons, one of them being that nobody in management wants to spend the time necessary to test ALL of the code under PHP5 and those in charge of the servers don't want to spend the time upgrading the machines. It would not surprise me if we were still on PHP4 a year from now. After all, "If it ain't broke, don't fix it."

Hopefully,

Re:

[rhizome (115711)]

I hope that everyone has moved beyond PHP 4.X by this point.

Someone forgot to tell Redhat. They only make PHP5 available for Release 5, which is very much in the minority of their installation base.

Needed But Will Be Troublesome

[detain (687995)]

While I can completely understand the need for this to occur, I can see this causing alot of problems for many small businesses, personal webpages, and hosting companies. PHP5 is definitly worthwhile switching to from PHP4, but there are so many poorly coded sites out there that wont run properly under PHP5, and this at some point is going to cause a nightmare for various hosting companies.

Your typical small business or personal webpage will frequently use PHP, and have little knowledge of how to fix their code to get it working, or how to upgrade their 3rd party software to a PHP5 Compatible version. At the same time hosting companies who will reach a point where they need to upgrade to PHP5 in order to keep their systems as secure as possible (because PHP4 security fixs might not be coming out) will be faced with many angry customers who are unwilling to spend time or money to change a site that they see as working previously.

I can completely understand why a company might need to stop supporting an old version of their product at some point when newer ones are freely available, I just am not looking forward to all the headaches its going to cause. I can hear the phones of angry customers threatening to kill me because i "broke their site" now.

Oh well, hopefully all PHP5 code will wind up working just fine in PHP6 when it comes out.

Re:

[timmarhy (659436)]

"there are so many poorly coded sites out there that wont run properly under PHP5, and this at some point is going to cause a nightmare for various hosting companies."

cry me a river? upgrading pains are a part of the IT industry, people need to either accept this or get out.

Translation

[a16 (783096)]

cry me a river? upgrading pains are a part of the IT industry, people need to either accept this or get out.

Maybe so, but let me translate what you just said slightly:

cry me a river? upgrading pains are a part of the IT industry, my customers need to either accept this or go to a host that hasn't upgraded yet, and stop paying me money.

I'm guessing you aren't running a business...

I work for a reasonably large hosting company that held off until a few months ago to announce that we're going to PHP5 in a few weeks. Before this point, we'd had a steady trickle of 1-2 customers a month asking when we are going to PHP5. Since the announcement, we've had up to 4-5 customers a week complaining that they will leave if we dare upgrade, they can't stand companies that change things for

Re:

[LighterShadeOfBlack (1011407)]

I'm sure some people won't like it. Most businesses don't like spending money, even if they know it's for their own benefit in the long-term. If they've got code that they have no means of supporting that's bad management, I mean how can a business rely on something that they have no means of updating or fixing if it goes wrong?

If a small business owner got an employee who knew a bit about electrical wiring to come in and wire their physical place of business, and then a few years later a safety regulator c

Re:

[petermgreen (876956)]

If they've got code that they have no means of supporting that's bad management, I mean how can a business rely on something that they have no means of updating or fixing if it goes wrong?
afaict the typical scenario is that a small buisness cannot afford to have a proper software engineer on staff even if they can find one so things are either written by an employee who happens to have some skill in the area or by a contractor. Either way those commisioning the site will not have the skill to judge if the r

Re:

[fyoder (857358)]

I can hear the phones of angry customers threatening to kill me because i "broke their site" now.

Run two versions of apache, one for most sites with php5 (many php apps that worked on php4 will work on php5), and one for the minority of 'legacy' sites using php4. I believe the trick is to have them listen on different ip addresses.

Re:

[1110110001 (569602)]

You could just use FastCGI to use as many different PHP versions as you want, with the same webserver on the same port and IP.

Re:

[BVis (267028)]

So sandbox all your customers who won't do the work to upgrade to php5 off on discrete servers (or use virtualization to accomplish the same thing). Make sure your customers understand (or at the very least are given information regarding) the fact that their security is affected by php4 no longer being maintained, and let them make the decision. Do your due diligence as far as security is concerned (code audits if you're able) but, ultimately, you can lead a horse to water, but you can't keep him from ge

What about CentOS?

[mcrbids (148650)]

I have a large (ahem... LARGE) codebase written in PHP4 that's running CentOS 4. Supposedly, CentOS will be updated until 2010. But how could they keep this promise if the underlying packages are no longer supported?

Guess I'll have to see what PHP5 will do to my software, thinking I could put this off for another couple years.

(sigh)

Re:

[timmarhy (659436)]

it's possible centos will put their own security patches into their php4 packages. they've done similar stuff before.

Still installing CentOs 4

[slashkitty (21637)]

I know lots of places still installing CentOS 4.

yum updates for Centos 4 will not upgrade your php.

Is php that full of holes that they can't continue to support it?

Re:

[Christianfreak (100697)]

Same issue here. Really I think this is a problem with PHP more than with CentOS. The Cent folks try very hard to make sure that updates don't break your stuff and they are very good at that. One of the main reason I use it.

The PHP folks dug themselves a hole by making a language that's so fundamentally broken as to require breaking everything with an upgrade.

Seems strange to me

[ls671 (1122017)]

Sorry, all I have done in PHP was modify or patch other programs so I do not know much about it.

But in Java/J2EE, I still run applications that were developed (and even compiled sometimes) in java 1.0 on the java 5 platform without any changes or security issues. I see some "backward incompatible changes" in the PHP migration info.

With the java/J2EE/jsp programs I have running here and there, I sure do enjoy the care the maintainers of a language take to insure backward compatibility even if it is some

Re:Seems strange to me

[panaceaa (205396)]

PHP began as a hacky side project of a lone developer (Rasmus Lerdorf). I'm not wholly aware of the details, but my understanding is that Rasmus was a Perl coder and wanted to generate minorly dynamic web pages by putting Perl-like code inside of his HTML. As the capabilities of his technology grew, he released it as an open source project, and due to its extreme ease of use it quickly turned into a popular web development language.

The reason PHP5 could not continue backward compatability is because of its roots: It was designed to be EASY. In the first few releases, there wasn't serious thought put into making a proper software development language. But as web pages became more complex, soft typing, lack of proper scope, and lack of OOP patterns made developing complex PHP applications a world of horror. In addition, concepts like putting all query parameters into the scope of the program, which made developing simple applications easy, created a difficult situation for those trying to make complex applications secure. So to remove these security problems, and to remain relevant by providing richer programming constructs like classes, PHP had to break backwards compatibility.

And while Java is mostly backwards compatible, the technologies for developing Java on the web have changed dramatically. Originally, JSP developers would put Java code right in their HTML! Today this is highly frowned upon (though backward compatible). So developers switched to JSP tags, such as the JSP Standard Tag Library, which coincidentally enough aren't backward compatible between versions. If you're running a Java app server, you'll definitely run into problems when upgrading WebSphere, WebLogic or Tomcat, due to updated tag libraries and other JARs being incompatible with their previous versions. These problems aren't as bad as porting your average PHP app from PHP4 to PHP5, but upgrading versions not a straight-forward process with either programming language.

Stepping back, PHP is in a pretty similar spot to Visual Basic. VB.NET is wholely incompatible with VB6. Microsoft has announced a dropping of support for VB6. However, half of VB developers still program in VB6. Many VB programmers don't understand VB.NET's features, and hence are quite reluctant to move to VB.NET (and they're probably angry, too). And most existing VB6 code would nearly require a complete rewrite to get running in VB.NET. What might just happen is that Microsoft and PHP will have to continue supporting their legacy versions or simply lose beginning programmers as customers. Microsoft will probably continue to end-of-life VB6, but I believe they will release a language highly similar to VB6 that's easier to move over to. It will be interesting to see whether PHP follows a similar path or just leaves its developers to either learn PHP5 or move to another webby language, like Python.

Re:Seems strange to me

[1110110001 (569602)]

PHP5 could not continue backward compatability, PHP had to break backwards compatibility, ...

I keep reading this and am wondering if you ever ported code from PHP4 to PHP5. I did it with a bigger project and the only problem I had was, that someone had uses StdClass without creating an empty instance first. Took about a day to fix that. It's nothing like VB6 vs. VB.NET.

Re:

[mrdaveb (239909)]

PHP3 to PHP4 was also a big jump. But if you actually look at the backwards incompatibility list [php.net] between PHP4 and PHP5, it is a very short list of very minor tweaks. I can say with a very good level of confidence that they aren't going affect me at all! OK, I can say this because I already switched, but you see my point.

There have been big steps forward 'under the hood' and with the new object orientation and better scoping... but this is basically all new stuff. Nothing widely used has been removed. I th

Re:

[massysett (910130)]

or move to another webby language, like Python.

How good is Python as a web language? Python is very easy to use and structured, while PHP is yucky. Does PHP have some strong points that make it particularly suitable for Web development vs. Python?

I ask because it seems to me that anyone who has an informed opinion about PHP says it has serious shortcomings. I wonder if PHP is like Windows: acknowledged to be technically inferior, but widely used because it has a huge adoption rate.

Re:

[sgtrock (191182)]

If you're interested in Python Web development, you'll find a host of network and Web specific frameworks. I suggest checking out Twisted [twistedmatrix.com], Zope [zope.org], Plone [plone.org], and Django [djangoproject.com] for examples. You may also find some other goodies when you explore the Python Cheese Shop [python.org].

Of course, no mention of Python can pass by without someone bringing up Ruby on Rails, so I'll just do that right now. :) However, I have no experience with it whatsoever, so I'll withhold any opinion.

Re:

[M. Baranczak (726671)]

Does PHP have some strong points that make it particularly suitable for Web development vs. Python?

PHP is an absolutely horrible language. (I won't reiterate all the ways in which it's a horrible language, because I'm pressed for time, and you've probably heard it all anyway.) But its one killer feature is convenience - and that's why it's become so popular. The basic features of PHP can be quickly learned by anybody with half a brain, and deploying PHP apps is usually just a matter of putting the files into Apache's web doc directory. I've never worked with Python, so I don't know what it's like... but

Re:

[RAMMS+EIN (578166)]

``java 1.0 on the java 5 platform without any changes or security issues.''

Unfortunately, PHP and security issues can only be put in the same sentence when "many" is also present.

Re:

[Tony Hoyle (11698)]

Java does have upgrade issues just the same - I worked on one project that was written on java 1.3 and simply couldn't be ported because there were too many changes (different parameters to many functions, plus the killer was some stuff didn't appear to work at all in the 1.4 variant when the client was behind MS Proxy server.. never fathomed that one). Luckily you can run your own private JRE without affecting everything else on the machine (we tended to say one machine == 1 application though as is commo

finally!

[Spliffster (755587)]

This is a great move I think. php 5 has been out for years, superior and pretty backward compatible to php 4. Many problems in the past with 4.3/4.4 and 5.0/5.1 releases have happend due to the backward compatibility of php 5. I hope this will ease development and result in a robuster solution.

Becasue php5 is already in the wild for years and there is still more than a year of security updates available, I think there should be time enough for migration to php5. I is also not too hard to migrate, I have done this in the last 1-2 years on many sites. There are some really annoying changes in php 5 but the php guys have documented it well [1].

Using the "Migrating from PHP 4 to PHP 5"[2] Documentation was very helpfull and it turned out to be pretty easy (except for scripts/applications which were already ported from php 3 and still were using php 4 backward compatibility "features").

1) http://www.php.net/manual/en/migration5.incompatib le.php [php.net]
2) http://www.php.net/manual/en/migration5.php#migrat ion5.changes [php.net]

Coordinated switch-to-5 campaign

[yelvington (8169)]

Coinciding with this announcement is the launch of a campaign to switch major PHP-based Web applications to PHP5-only support. The GoPHP5.org [gophp5.org] website has details.

Projects supporting this move have pledged that by Feb. 5, 2008, they will no longer accept PHP4-specific changes in their codebase and that all future upgrades will assume PHP5 availability.

This doesn't mean they are rewriting all their code to OOP-style, or that they will end legacy version support for security patches, et cetera. What it means is that the developers are liberated from having to code around PHP4's limitations and can take advantage of PHP5 features for all future enhancements.

Often something that might require hundreds of lines of code in PHP4 can be done with just a few in PHP5. The SimpleXML parser is probably the best example.

Application teams already on board for this switch include Drupal, phpMyAdmin, Typo3, Symphony, Gallery, DeskPRO, and many others. Several major projects not yet committed are known to be preparing to do so.

This is most important to hosting companies as a signal that robust PHP5 support is a requirement going forward.

Re:

[jkrise (535370)]

If only the subject had left out the "4." "PHP End of Life." I'd cheer for that. I'd say good riddance to a braindead language.

Are you saying Microsoft is a braindead company for tying up with Zend to enhance PHP on Windows servers? Microsoft and Zend Technologies Announce Technical Collaboration to Improve Interoperability of PHP on the Windows Server Platform [microsoft.com]

Re:

[misleb (129952)]

Are you saying Microsoft is a braindead company for tying up with Zend to enhance PHP on Windows servers?

Sure, why not? They're just doing whatever makes business sense. It has nothing to do with the quality or capabilities of the language.

-matthew

Re:

[rubycodez (864176)]

Microsoft sure panders to braindead customers.

Re:

[suv4x4 (956391)]

Are you saying Microsoft is a braindead company for tying up with Zend to enhance PHP on Windows servers?

You don't know Microsoft very well, do ya. They don't partner with PHP since they like the language. Everyone knows PHP is garbage, and PHP developers worth their salt doubly so (*shameless plug* well I'm a PHP developer and I think I'm worth my salt */shameless plug*).

PHP's value is that it's everywhere. EVERYWHERE. Sometihng like 99% of the shared hosts out there run on PHP. So when you develop for PHP

Re:

[kestasjk (933987)]

If language was everything then Python and Ruby would be good, but unfortunately support and libraries are also important, so PHP and Perl are the better choice if you want something as useful as possible.

Re:

[kailoran (887304)]

I'd say it's not even support or libraries, it's being actuallyinstalled at cheap webhosts. PHP is everywhere, python and ruby - not so much.

Re:

[daeg (828071)]

There's a plus side to that: Everyone and their mother can run a CPanel-based "host" that runs PHP. Not everyone can run a good Python or Ruby host, so most Python or Ruby hosts you find are not only knowledgeable, but passionate about Py/Rb support.

Re:

[misleb (129952)]

I dunno, I hear Dreamhost, the big Ruby on Rails host, really blows. If you want good support, at least for Ruby/Rails, you're much better off getting a Private Virtual Server. That way everything is just the way you want it (OS and all) and you get root access.

Re:

[misleb (129952)]

But you don't have any control over the web server software, AFAIK. That can be very important to getting a Rails app running just the way you need/want.

I think one of the reasons PHP is so universal is that it is dead simple to setup. Just install mod_php and you're pretty much done. Other languages and frameworks are a lot more complicated.

-matthew

Re:

[rho (6063)]

PHP has an easy learning curve. You can go from nothing but HTML with a simple dynamic counter, to an entire DB-backed dynamic site. The documentation for PHP is excellent. And if you're competent in any other language you can add PHP to your repertoire easily. This makes for a compelling arrangement for a large, multi-person project. Everybody from experts to duffers can contribute.

Re:

[petermgreen (876956)]

When I look around for software to run a site on, most of the top few choices are written in PHP. Why?
If someone already has a hosting account that offers php and nothing else and they want to add another service to thier site are they going to migrate all thier services to a new host (risky)? are they going to have two seperate hosting accounts (expensive)? or are they just going to choose a php app to provide the service?

I see php on the web as similar to VB on the desktop. It provides an easy way for tho

Re:

[the_womble (580291)]

If someone already has a hosting account that offers php and nothing else

Not common enough. Every hosting service I have looked at offers at least Perl as well, most several other languages.

are they going to have two seperate hosting accounts (expensive)?

Most of the cheap hosts charge per site, expensive ones really should not be offering just PHP.

possibility for users who can barely program to hack in thier own changes,

Now, that is the killer, IMHO. It is very easy to learn PHP and alter or extend apps.

Re:

[PhrostyMcByte (589271)]

The reason is simple: PHP makes it exceedingly easy to get away with things. Things that programming and web development newbies love because it lets them hack together a quick app. Things that experienced programmers will cringe at because they know full well that it will likely cause a headache later.

They've done some good work in stomping out these bad practices in recent times, but they still have a while to go.

Re:

[misleb (129952)]

OK there is plenty of good software in other languages, but ugly, boring PHP seems to be doing very well.

Be that as it may, it is still a boring, ugly language that I wouldn't be sad to see it go "End of Life." That's all.

Re:

[Christianfreak (100697)]

For the same reason that Windows is the most popular OS. It was easy to use and available and now we're stuck with it.

Large hosting companies like it because its an easy way to give a scripting language to their customers. Everyone now uses it so the hosting companies arent' going to switch.

The big CMS folks that you mentioned were smart to use PHP since that's what all the hosting companies have. Not to mention that those projects started out as open source projects probably by people who didn't have a lot

Re:

[misleb (129952)]

I'm not going to bother with a language flamewar, but suffice to say that I think PHP is a boring, ugly language.

Re:

[raju1kabir (251972)]

What exactly is so bad about PHP?

It's too street to have any snob value.

The linguistically nouveau riche, who have recently tried to score a little upward social mobility by learning some Python or Ruby, resent nothing more than the teeming masses of hungry PHP developers underbidding them.

Re:

[Antique Geekmeister (740220)]

I've seen good reports of fully virtualized servers for this, up to 10 entirely distinct operating systems on the same hardware server, to support exactly this sort of need. VMware and Xen seem to work well for this.

Re:

[Spy der Mann (805235)]

I only wish PHP4 had reserved some FORWARD-compatibility, like allowing words like "public", "private" and "protected" even if they wouldn't mean anything at the time. Same goes with constructors and destructors.

Re:

[Mr. Picklesworth (931427)]

Django is not like PHP. Django is more like God. It creates perfection with single lines of code. Try it, and your false idols (those PHP-based "content management systems") will no longer thieve your attention.