PHP 5.2.2 and 4.4.7 Released

daeg writes "PHP 5.2.2 and 4.4.7 have been released with a plethora of security updates. Many of the security notifications come from the Month of PHP Bugs effort, and range from double freed memory to bugs in functions that allow attackers to enable register_globals, to memory corruption with unserialize(), to input validation flaws that allow e-mail header injections, with an unhealthy sprinkling of other bugs and flaws fixed. All administrators that run any version of PHP are encouraged to update immediately."

I want to see someone claim again

[suv4x4]

I want to see someone claim that the "month of bugs" projects harms the products involved. From what we saw with Apple and PHP, they finally closed holes gaping for many previous versions.

Now if only could PHP also fix their performance and inconsistencies..

Re:

[KidSock]

I want to see someone claim that the "month of bugs" projects harms the products involved. From what we saw with Apple and PHP, they finally closed holes gaping for many previous versions.

Now if only could PHP also fix their performance and inconsistencies..

There's nothing "gaping". All the "month of bugs" were non-critical stuff pumped up by Esser for whatever reason I don't know. For example, there were a number of bugs that required the attacker to be able to supply their own code. If the attacker can su

Re:

[suv4x4]

At first I thought you were trolling but from your "fix their performance" statement I realize you just don't know what the hell you're talking about.

Right. PHP's the fastest language out there, as proven in this test [debian.org].

Re:

[nxtw]

That's pretty damning... If C# and Mono are faster, I can only imagine that MS's CLR would be even faster. Java's results vs. PHP are very similar.

Perl is usually better [debian.org] as well, as is Python, Tcl, etc.

In PHP's defense, how does performance compare once some sort of accelerator is involved? Are those fancy output caching engines or do they actually precompile/cache the code or something like that?

Re:I want to see someone claim again

[suv4x4]

In PHP's defense, how does performance compare once some sort of accelerator is involved? Are those fancy output caching engines or do they actually precompile/cache the code or something like that?

When you run a PHP file, there are two stages of execution:
[build a parse tree from the source and output bytecodes] [interpret the bytecodes]

The accelerators cache the bytecodes, so next time they are loaded (usually from RAM) and interpreted directly.

However compare with what you get with the CLR by default:
[a compiler builds the parse tree and outputs bytecodes] [opcodes are compiled to machine code] [natively run machine code linked to a runtime library]

You basically never ever repeat the first step more than once there, and in some cases the second. And running as native code is hella faster. A big problem with PHP is it abuses string hashes and fails to do early binding where appropriate (indexed serial arrays, class objects and methods etc.).

So everything you reference in PHP requires a bunch of hash lookups. It's terrible.

Re:

[cheater512]

Mono/C# are semi-compiled whilst PHP isnt (without a accelerator).

If you tried using Mono/C# in a real world situation you'd find that it would be horrible because it would run as a CGI. The initialization for it would kill the server.

I notice that none of the tests were remotely related to a web page as well.
How the hell is Mandelbrot relevant?

Re:

[cortana]

Surely in a real-world situation you would run the C# app in a separate process and proxy requests from your frontend web server to the separate process via HTTP, FastCGI or SCGI.

Or perhaps even build an interpreter into the web server itself (mod_mono).

Spped problems eliminated.

Re:

[nxtw]

Or perhaps even build an interpreter into the web server itself (mod_mono).

mod_mono actually just sends the request to a mod_mono_server, which is a special version of the Mono ASP.NET web server that has a special interface.

mod_mono's advantage is the ability to manage the mod_mono_server processes for you, while using standard HTTP proxying would require the user to start the process on their own.

It is pretty similar to server-side Java.

FastCGI support [mono-project.com] for Mono would be nice so that non-Apache servers cou

Re:

[nxtw]

If you tried using Mono/C# in a real world situation you'd find that it would be horrible because it would run as a CGI. The initialization for it would kill the server.

I don't think there's many high-perormance websites out there that work using forking (standard CGI). In fact, IIRC Mono doesn't even support working as CGI, and I'm pretty sure Java doesn't as well. They only support running via an external process server (much like Java), e.g. via FastCGI, local proxying, or a special webserver/process s

Re:

[cheater512]

In fact, IIRC Mono doesn't even support working as CGI,

Uhh...Anything can run as CGI as long as it can be executed.

Heck you can make a bash script output your website for you. Or even QBASIC.

Re:

[nxtw]

Mono's ASP.NET implementation does not support working as CGI (for good reason). When someone refers to Mono or .NET in this context they are usually referring to ASP.NET.

Re:

[cheater512]

What do you mean by 'supported'?
It wont work or you wont get support if you bork your system doing it?

Re:

[nxtw]

Mono's ASP.NET implementation does not support working as CGI (for good reason). It sounds pretty unambigous to me. That is, it won't take the page arguments from environment variables and then output HTML over stdout. It operates using its own HTTP server or special MonoApache protocol, similar to Java servlets.

CGI is unsuitable for any high-performance website, anyway.

Re:I want to see someone claim again

[digidave]

The raw speed of PHP isn't very relevant. It's a language for low to mid-range web apps that is flexible enough to do high-end web apps as well. If your PHP app is slow it's probably due to poor programming or poor database indexing or design. PHP usually takes request data, gathers a database result, shuffles around some data, then displays an HTML page. It's easily fast enough for its purpose.

There are plenty of good criticisms for PHP (and every other language), but performance is only a factor in PHP web apps when the programmers do really stupid things.

Re:

[suv4x4]

The raw speed of PHP isn't very relevant. It's a language for low to mid-range web apps that is flexible enough to do high-end web apps as well. If your PHP app is slow it's probably due to poor programming or poor database indexing or design. PHP usually takes request data, gathers a database result, shuffles around some data, then displays an HTML page. It's easily fast enough for its purpose.

What you're saying: PHP is only good for gluing your DB to your HTML, straight procedural code. But that was true

Re:

[Bill, Shooter of Bul]

Their framework has terrible speed on their own language.

care to site benchmarks? I saw one that had zend framework doing horribly as well. They were using version 0.4 beta. They're up to .92 beta now. From what I've heard on the news groups its doing better. Take a look at the language shoot out for comparison. Its still much faster than ruby.

Re:

[crayz]

Yup. And as an ex-PHP coder, I spend about 1% of my time lamenting the performance hit from switching to Ruby. The other 99% of the time is spent glad I'm not using that nightmare of a language any more

Re:

[Bill, Shooter of Bul]

O've never really understood the problem with the "nightmarish language" that is php. sure, I've programed in c, python, perl, pascal, delphi,Java, and yes php. They're all sort of messed up in their own ways. From having taught english, I can tell you its very messed up. part of being a programmer is thinking in new, creative, and yes nightmarish ways. Like putting Linux on a toaster, or making translating the Bible into Klingon. I would argue that PHP is the eqiuvalient of Linux on a toaster. The fact tha

Re:

[jsebrech]

The raw speed of PHP isn't very relevant. It's a language for low to mid-range web apps that is flexible enough to do high-end web apps as well. If your PHP app is slow it's probably due to poor programming or poor database indexing or design. PHP usually takes request data, gathers a database result, shuffles around some data, then displays an HTML page. It's easily fast enough for its purpose.

What's also important is that PHP is meant to be parallelized, which lets it scale better to higher traffic. The l

Re:I want to see someone claim again

[RzUpAnmsCwrds]

At first I thought you were trolling but from your "fix their performance" statement I realize you just don't know what the hell you're talking about.

Right. PHP's the fastest language out there, as proven in this test.

You're comparing two completely differnet language types. You might as well compare Java and C++.

Compared to other interpreted (e.g. parse tree is built on the fly rather than by a compiler) languages like Python or Ruby, PHP is about average.

Compare PHP to the CLR (or Mono) or to the JRE, and PHP is going to be way slower.

But calling PHP slow because of some benchmark is just bull. Yes, Java or .NET is faster, and if you're writing an application that does a lot of crunching, by all means you should use a platform that is good at it. There are plenty of good reasons to choose J2EE or ASP.NET over PHP, but performance just isn't one of them in a lot of applications.

The Wikimedia Foundation runs Wikipedia (the 10th most popular website in the world) with PHP and 123 commodity PC servers. What does that prove? It proves that application design and system architecture is FAR more important than what platform you choose. You can run benchmarks all day long, but that doesn't change the fact that Wikipedia does far more with far less than most websites out there - and they do it with PHP.

I serve over 10 million pageviews a month on WS Network [wikinote.com] using PHP, MySQL, and a virtual server with 50MB of memory, a fraction of a 2.4GHz P4, and 100MB of swap. My informal load testing indicates that I could handle as many as 30 pageviews per second (80 million per month) with my current hardware and DB setup.

Maybe I could do more with J2EE or ASP.NET (or, perhaps I could do far less - ASP.NET and J2EE aren't as easy on memory as PHP for small apps). But the fact is that I am doing a hell of a lot already considering the very limited hardware I'm running on.

PHP code execution performance is not, and has never been, a major issue in my experience. It's the same way with Python, Perl, Ruby, and any other "scripting" language. The fact is, you're not going to write an H.264 codec or a PS3 game in Python. But many, many applications are not constrained by CPU performance. 8-core servers are now cheap. 16-core servers will be soon. Changing your language might give you 10x better performance. But architecture and algorithm improvements will probably get you much, much more.

"Performance isn't a problem until it's a problem."

Re:

[twomi]

The fact is, you're not going to write an H.264 codec or a PS3 game in Python.

No, but they made Civ4 with it ;)

Re:

[TheSeer2]

That's a big stretch. A really, really big stretch. Infact, it's just plain bull. (I do realise Civ4 makes use of Python mind you).

Re:

[amerinese]

Are you going to try to monetize wikinote? What are your goals?

I'm not against monetization, but if I don't understand what the provider is getting out of it, it makes me uneasy about using the service even if I like the service.

Re:I want to see someone claim again

[shish]

The Wikimedia Foundation runs Wikipedia (the 10th most popular website in the world) with PHP and 123 commodity PC servers. What does that prove?

Throwing more hardware at a problem will solve anything \o/

I'm running a service which was originally PHP on a throwout box in the corner of my bedroom -- after a few months, the service was so popular the box was in a state of slashdottedness 24/7. I then moved to a shared host, where it ran happily for about a year, until it got so big it started breaking their uber-servers too. I have now rewritten it in python, and moved back to hosting it myself :P

Comparing mono with C# is unfair

[anss123]

Mono is a byte compiled language, not interpreted. Even so, PHP is still beaten quite badly by Perl. (In those benchmarks)

Re:I want to see someone claim again

[arodland]

For example, there were a number of bugs that required the attacker to be able to supply their own code. If the attacker can supply their own code, they can just call popen() or system() and dispense with all the hoopla required to compermise the worker and inject shellcode.

Well actually... no.

PHP enjoys overwhelming popularity in shared-hosting environments, where you put a lot of users on one server, and the users supply the code, but you don't really trust the users. You don't want them to compromise other users' reliability, or break your server, or do anything very interesting... but you still have to let them run their code because that's what the service is. So PHP comes with all sorts of features to facilitate this... "safe mode" and the like. But if there are security issues all through PHP that poke holes in this security model, then you find yourself in a microsoft-esque situation where the security isn't real at all, and you're screwed. Not so pleasant.

Re:I want to see someone claim again

[CopaceticOpus]

This is where we need to draw a line when talking about how good PHP's security is. For the case of a PHP developer running his own trusted code on a server, PHP can be very secure if the code is well written. That's the developer perspective. The other case is the PHP hosting company or system admin, running other people's untrusted code. In that case, the situation is much trickier. It may be possible to host that code securely, but it will take a lot of work and paying attention to security notices.

So how worried you should be about PHP security comes down to whether you'll be running your own code you trust, or hosting someone else's code you don't trust.

Re:

[cortana]

If you rely on safe mode to protect your system from your users, and your users from each other, then you have already failed.

The only way to get this kind of security is to rely on the operating system to provide it for you; this is done by running PHP interpreters belonging to different security contexts as seperate users.

With such a setup, the worst the user can do is screw up their own files (boo hoo!). :)

Re:

[nahdude812]

The PHP developers acknowledge that safe mode is a failure and PHP6 will not offer this feature. It was never meant to really be a complete sandbox environment, just a way to give a higher-than-usual level of isolation. People took this and expected more out of it than it was really designed to deliver, then criticized it for not being what they hoped it would be. It is already recommended that you use Xen or some other virtualization layer if you wish to sandbox your users.

Re:

[Bert64]

Thats why you use something like mpm-peruser...
That way, all the PHP code is executing as the individual web hosting user, and not as the global apache user. Thus:
A bug in one user's site compromises their own account, but cannot mess with any of the other accounts.
You cant stop users running buggy code, and its their own fault if they do. But you certainly should keep that code in a sandbox.

Re:

[Bert64]

No?
I'm using it, it works just fine...
Even supports eaccelerator too.

Re:

[HvitRavn]

If the attacker can supply their own code, they can just call popen() or system() and dispense with all the hoopla required to compermise the worker and inject shellcode.

It's not that simple. In the case of web hosts with the open_basedir restriction in effect, you can't *open() or system() anything outside the basedir. It's a pretty effective jail. Here's an excerpt from the open_basedir documentation [php.net]:

Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. Th

Re:

[laffer1]

Its nice to find someone else who sees inconsistency problems with PHP. For those of you PHP users who don't see it, if I have to change code to make things work with PHP then a new release is not compatible with an old release. There are also some oddities in the API. PHP often gets a free pass because its open source and one of the earlier ASP like alternatives.

I think the month of bugs helps consumers in the long term, but its certainly a bitch for the vendor to get flooded with tons of holes at once.

Re:

[cheater512]

The oddities are there to maintain backwards compatibility.

I've never had a script break with version jumps (including 4 to 5) because I write good proper code.
Some older crap wont work on PHP 5 but why would you want to run crap?

Re:

[laffer1]

Sometimes you don't have a choice but to run crap. Either you get stuck on a product before you know its crap and its difficult to migrate or your boss mandates that you install crap.

Besides, if Zend added the code to begin with how does one seperate what is going to go away from what is useful? Are they supposed to read minds? Seems very much like random windows apis that disappear or change.

Re:

[omeomi]

Now if only could PHP also fix their performance and inconsistencies..

Care to provide examples of either?

Re:

[Dragonslicer]

I can't speak specifically about performance problems, since I know pretty much nothing about the engine itself, but anyone that doesn't think PHP has consistency issues doesn't use the language enough. There's some pretty serious inconsistency in function naming, though that's pretty much limited to functions that have been in the language for several major versions (array and string functions especially). PHP5 is a huge improvement over older versions, but it would still be nice to be able to completely g

Re:

[omeomi]

Oh, you just mean naming conventions are inconsistent? I thought you were saying that, for instance, code written in one version of PHP doesn't work in a later version. That's a problem I haven't had. Upgrades have generally been pretty painless for me. And I've found PHP performance to be pretty good. My primary comparisons are with Perl and ColdFusion though, so maybe ASP is a lot quicker, and I just don't know it...

Re:

[Dragonslicer]

Yeah, the PHP devs have always put a lot of emphasis on maintaining backwards compatibility. Unfortunately, that has the down side of not being able to fix a lot of mistakes that were made in the past.

Examples of PHP inconsistency and performance

[Snover]

Sure, I'll give you some.

Inconsistent function naming (underscores):

substr_compare() vs.
strcmp()

More inconsistent function naming (verb location):

file_get_contents() vs.
get_html_translation_table()

Even within the same extension:

imagesetstyle() vs.
imagecolorset()

Flipped haystack and needle:

strpos(haystack, needle) vs.
in_array(needle, haystack)

Speed:

Scutigena Computer Language Performance Comparison [sourceforge.net] (see graphs)
There used to be another site that you could compare one language's speed relative to another that also showed PHP as one of the slowest. I can't seem to find it now, though. Also PHP5 might compare a bit more favourably, but this is all I could find after a quick Google search. Perhaps more importantly, PHP drags the speed of other things down (like Apache), since even though the core is supposedly thread-safe, nobody seems to know which extensions are and aren't, so eg. Apache needs to be run in prefork mpm instead of using a threaded mpm.

I think PHP is overall a fairly decent language; I've used it for many years with great success. But it does have major problems, and it would be nice for them to get fixed instead of pushed aside. (I read some minutes from a PHP 6 meeting a while ago where they touched on the issue of consistency, and the PHP Group decided that it wasn't important enough to fix. It's really annoying to me to need a PHP-aware IDE or a manual always handy to program in a language because the arguments and function names are so non-uniform.)

Re:

[Renegade88]

There used to be another site that you could compare one language's speed relative to another that also showed PHP as one of the slowest.

Yep, there still is. I think you are thinking about this one:
Computer Language Benchmarks Game [debian.org]>

That site features 19 programs implemented in 33 languages. Each program stresses something. You can see relative execution times and memory use, and it lets you pit one specific language and another and see how they compare.

Yes, PHP loses in pretty much every perfo

Re:Examples of PHP inconsistency and performance

[jsebrech]

Perhaps more importantly, PHP drags the speed of other things down (like Apache), since even though the core is supposedly thread-safe, nobody seems to know which extensions are and aren't, so eg. Apache needs to be run in prefork mpm instead of using a threaded mpm.

This is my main beef with PHP. They have their head in the sand with regards to server configuration.

Case in point: the company I work for sells PHP-based service center and reservations systems to large companies. These companies generally have windows-based server infrastructures, so we have to deploy on windows/IIS. If you look at the suggested configuration for PHP on IIS in the PHP manual, you'll find this page [php.net], which explains regular CGI and ISAPI (multi-threaded) configurations. What the manual doesn't tell you is that neither of these configurations actually work in production environments. Regular CGI configurations are too slow (on windows), and ISAPI is too unreliable (customers that deployed with ISAPI configurations suffered daily server hangs).

The only viable configuration for production IIS servers, as it turns out, is FastCGI, which is not documented in PHP's manual section on IIS configuration. Their documentation actively misinforms people on how to configure PHP. That's bad.

Re:

[Neutrino Linguino]

Have you considered or evaluated a Windows-based Apache/PHP solution? Recently, I've even been able to compile mod_fastcgi under win32 for Apache 2.2...

As far as the thread-safe issue goes, [IMO] it has always been better to run Apache under a process-based MPM, as it's:
1) more secure, isolating
2) more stable

The common misconception of the performance penalty arises more from the lack of any further MPM configuration to the specific task and system.

Re:

[Just Some Guy]

Oh, you forgot:

5,343 built-in functions [php.net], assuming all the standard modules are installed. By comparison Python has 71 [python.org]. In other words, you have to keep track of about 75 times the number of name collisions when dealing with PHP versus Python.

This could be almost instantly fixed if they'd add namespaces to PHP, but that keeps getting shot down.

Re:

[jZnat]

Shot down? I was under the impression that namespaces were going to be in PHP 6, but the discussions over the syntax were pretty scary (should we use ":::" or "\"? they're the only two symbols left).

Re:

[Just Some Guy]

Shot down?

Yep. They were removed from 5.0.0 beta 2 [php.net] for various reasons [sitepoint.com].

Re:

[creativeHavoc]

you obviously don't understand the PHP versioning.. this is like Microsoft updating XP and Vista... it doesn't mean upgrade to latest version of XP, then to latest version of vista... it means update your version.

Bad release practices

[daeg]

I no longer use PHP, but these two releases highlight one of the things I hated the most about PHP. Every release, even minor "bugfix" releases (5.2.1 to 5.2.2) always do more than fix security and blocker bugs. That means that even if you're only updating to fix the mail() function, you have to run your entire site/system through testing to ensure the update didn't mysteriously break something else.

See, for example, the 4.6.6 release notes [php.net]:

The PHP development team would like to announce the immediate availability of PHP 4.4.6. This release addresses a crash problem with the session extension when register_globals is turned on that was introduced in PHP 4.4.5. This release comes also with the new version 7.0 of PCRE and it addresses a number of minor bugs.

That means that 4.4.5 introduced a major crash problem in a module every PHP website uses. How does that get missed? Also, why does that release also simultaneously bundle a new library version AND fix other "minor bugs"? Release the crash fix and that's it! Keep new features/minor bug fixes to point releases (4.5), not minor point versions.

Thank god Python doesn't do that. At least they keep all the big changes to individual versions!

Re:

[gnud]

[snip]This release addresses a crash problem with the session extension when register_globals is turned on that was introduced in PHP 4.4.5.[snip](emphasis mine)

If you use register_globals, you deserve all bugs that hit you. Period.

Re:

[maxume]

s/register_globals/php/;

Or maybe not?

Re:

[cortana]

No, you're right. ;)

Re:

[jZnat]

Don't you mean:

$msg = preg_replace('/register_globals/', 'php', $msg);

Re:

[maxume]

In the land of quibble, it would be:

msg=msg.replace('register_globals, 'php')

Re:

[Dragonslicer]

I usually hate to comment on moderation, but I don't quite see how this is flamebait. Nobody in their right mind has used register_globals for several years now (well, anybody that knew what they were doing never used them at all, but some of us were still newbies back then). It really is a giant bug just waiting to happen.

Re:

[cortana]

Yeah and one effect of that is that lot of old crappy PHP 'applications' reimplement it themselves... *bashes head against wall*

Re:

[atrus]

I've personally always hated this too. They can't keep anything straight, and the core of PHP is a giant ball of inconsistency. I used to write PHP code. I mainly do Java with some Python or Perl on the side. All of them are far better in tools and workability than PHP. PHP just seems to outright encourage sloppy "just make it work" programming, which leads to all sorts of really really bad PHP "programs" (though some are good, when they're not weighed down by the language).

Re:Bad release practices

[Ambush Commander]

What you're missing is that fact that PHP uses the three digit version numbering system to mean something slightly different than what you're used to. Increments in the 0.x.0 number indicate, besides major changes in the language, that extension compatibility was broken and thus they need to be recompiled (to see a great example of this, check PHP 4.4). 0.0.x releases do contain feature releases, but you don't have to worry about extensions breaking.

Firefox does the same thing too, except they end up stepping on extension authors feet when they increment the third version number! That's why they introduced a fourth number 0.0.0.x for memory leak / security fixes. But Firefox has the luxury of an auto-update system: something PHP doesn't have. It is in both sysadmin's and PHP's developer's best interests to not be releasing new versions every other week.

Re:

[elronxenu]

Hmm, wouldn't they be better off with X.Y.Z, where:

• X means "functionality improvements" (relative to X-1)
• Y means "bugs fixed" (relative to X.Y-1)
• Z means "security fixes" (relative to X.Y.Z-1)

?

Re:

[jZnat]

Of course sysadmins have an autoupdate system! We have APT (Debian and co.), yum (Red Hat and co.), emerge (Gentoo), and various other autoupdate package managers. I believe there are even tools like XAMPP for Windows that include autoupdate features.

Re:

[Ambush Commander]

Yes, but any sysadmin worth their salt doesn't blindly install new versions of mission critical software until they make sure that it does indeed work properly.

Re:Bad release practices

[Dragonslicer]

Yeah, I hate to admit it, but release management hasn't been the PHP developers' strength lately. I think 5.1.0 might have been the biggest screwup, where, after I think 7 release candidates, somebody committed new code a few days before the final release that created a builtin class named 'Date'. The thousands of people that used the PEAR class named 'Date' weren't too happy. In an amusing twist of irony, the developer that committed the code was a staunch opponent of adding namespaces to PHP.

Re:

[jZnat]

I don't remember if this was before or after the situation you describe, but there was a huge discussion on the PHP developer mailing lists on what to name the class. I believe it ended up being called DateTime.

Re:

[Dragonslicer]

Yup, it is called DateTime. It was after the 5.1.0 fiasco, because they picked the name specifically to not conflict with PEAR. It's a fortunate side effect that it's also a bit more descriptive (the class handles dates and times, not just dates).

Re:

[TooMuchToDo]

Any online resources or books you could suggest to help someone looking to write web apps in Python?

Re:

[daeg]

As a good start, i recommend Django [djangoproject.com]. It's a nice framework that takes care of a lot for you, but still lets you write Python. They have a few tutorials as well as a good community and an ongoing project, The Django Book [djangobook.com]. I transitioned directly from PHP to Python without any books. Most coding forms transition directly over to Python. As you learn more Python, you'll find shortcuts, e.g., the list constructs and lambda functions.

I also recommend reading over PEP 0008 [python.org], the "standard" coding structure for the

Re:

[VGPowerlord]

Ugh... the old spaces vs. tabs debate.

I used to fall on the spaces side until I realized how iritating it is to respace things when you move down an indentation level and you're not using an IDE.

I've been a staunch tab supporter ever since.

It's not just that, either. If one uses tabs, then anyone else who has to edit it can set the tab size to whatever they wish. If Paul has a super widescreen monitor and wants his tab size set to 16 characters, more power to him! If George has a super small monitor and

Re:

[cortana]

Basically the problem is that there are a lot of people out there that don't know how to use their editors; and a lot of broken editors that default to inserting 8 spaces when the user presses the tab key.

The Tab key is not a shortcut for pressing space 8 times, damnit!

Re:

[daeg]

The reason Python recommends spaces is because of line continuations, not because it makes things readable. If you follow the well-thought out coding guide, columns never go more tan 79 characters, so generally you'll find things like this:


some_call(arg1, arg2,
arg3, arg4)


but moved over, obviously. If you used tabs in there instead of spaces, and someone changes their tab size, your code instantly becomes completely unreadable.

Re:

[VGPowerlord]

That kind of thing is the only time that I can think of right offhand that I mix tabs and spaces... of course Python doesn't like that.

(I haven't learned Python yet, so I'm just guessing)

Re:

[cortana]

But why would you use tabs there in the first place?

Tabs should be used for the initial indentation. Once you reach the indentation level that you want, use spaces to line things up (the clue is in the name... you can't "line things up" by using a spacing character that has a variable length... so don't!)

Re:

[daeg]

Obviously my attempt to line it up in the element above didn't turn out as planned.

To answer your question, though, Python doesn't "like" mixing tabs and spaces. It's also nice that almost all Python code follows "PEP 8". When interviewing for Python-heavy positions, for instance, I can ask if they know what PEP 8 syntax is. If they've never even heard of it, they aren't really interested in the language as far as I'm concerned. I wasn't a fan of spaces, either, until I switched into Python as my language o

Hate to whine, but...

[Jasin Natael]

I failed to include support for curl when 5.2.1 came out and just spent close to an hour waiting for PHP 5.2.1 to compile, yesterday. Guess it's time to run ./configure again.

Re:You must be mistaken.

[MrMunkey]

I'm not sure if you had some /sarcasm there or not. I'll assume not and say that you're partly right.

I'm a PHP developer. I love PHP because I haven't come across anything that I can not do with it yet. Does that mean it's the best programming language ZOMG 3V3R! No. PHP is a pretty good general purpose web scripting language. Like all the other languages out there, it has bugs or features that haven't been implemented or thought of yet, and that's why there are version numbers.

PHP does suffer some of the same issues that C++ has suffered in the past, and they are due to the fundamental ideas of the project. PHP doesn't have a framework for you to do everything. I guess that mostly comes up with ASP and probably Ruby, but I'm a little under read on Ruby. Much like the C++ vs. Java debate, C++ makes you do things yourself (or at least you need to know about the community projects that make life easier... like smart pointers and the like). That's pretty much the same with PHP. You have the base functions, and there are extensions you can get to help, but MVC and other parts of frameworks are left for you to decide what you want or need for your project.

So, with that in mind, security is also left up to the developer. PHP 5.2.x has made a lot of great strides in helping out by introducing the Filter extension and others. If people do not filter/escape the input/output from their pages, they're just opening up a can of worms. I'm a firm believer in saying it's easier to filter yourself than undo a filter that the system did for you automatically.

PHP has its issues, but I don't think it would be as popular as it is if PHP didn't serve a purpose and do it somewhat well.

Re:

[wwmedia]

Yea really? what about multi-threading and proper unicode support?

Re:

[Jasin Natael]

For multi-threading, install a shared-memory cache, like apc, eAccelerator, or mmcache -- or use an in-memory table in your RDBMS. Now, you can spawn background tasks and monitor their progress or receive return values through the cache. You can even start a task as a server and keep it running indefinitely with set_time_limit(). I do plenty of unicode apps as UTF-8, and haven't had problems yet. If you're talking about UCS-2, then you have a good case. It's in development [php.net], but it's for PHP 6. Honestl

Re:

[MrMunkey]

You made good points about multi-threading, but it's possible the GP was also talking about multi-threaded support. It's a rumor that PHP itself isn't multi-threaded. Some of the older extensions are not multi-threaded, and that is why the suggestion to not go with multi-threaded apache exists.

Re:

[wwmedia]

ah i know well how to start a new process from command line (and do so in a php based sockets server) but if you ever did Comp Architecture 101 you would realise that there a difference between a process and a thread, threads are lightweight processes with less switching overhead and smaller footprint, im talking about a Java / C# style threading model and an example were this would be usefull beside the sockets server i mentined would be an efficient proxy script, current php proxy scripts are over bloat

Re:

[Dragonslicer]

PHP never has any security problems, its just people writing bad software in it that gives it a bad reputation.

Are you implying that those two items are mutually exclusive? I would be very impressed with any software project beyond "Hello World" that has never had a security problem. Having said that, a lot of the negative reputation is because people who haven't written more than 10 lines of PHP code think that phpBB and phpNuke demonstrate the only possible way to write PHP. Any language that lets you ru

Re:

[Generic Player]

What are you talking about? Read the summary, PHP has just fixed yet another batch of security holes. Trying to distract from the fact that PHP itself is poorly written and constantly full of exploitable holes is bull. Yes, lots of people write shitty PHP code. No, that does not mean PHP itself is secure, as their never-ending stream of security holes demonstrates.

Most of these bugs are completely preventable

[chatgris]

There is really no excuse for those memory bugs. There are free, simple tools that check C code and memory management (and php itself is written in C).

"double freed memory to bugs in functions that allow attackers to enable register_globals, to memory corruption with unserialize()"

The authors of php should use valgrind, and with a few test cases, could virtually eliminate memory errors.

Memory errors have been around for so long that there are numerous tools for dealing with them, many of them free. I know

yeah yeah yeah

[Nappy Headed Ho]

yeah, PHP is sloppy, insecure by nature, and full of bugs - but there's a lot to be said for good programming practices as well, which when used can remedy many of these flaws. it's unfortunate that PHP is so easy to learn, as it has attracted hordes of people who couldn't or wouldn't learn another programming language, and of course, failed to learn (or have no desire to learn, hey it works just fine) anything about security, program efficiency, or how someone could take advantage of their sloppy coding. c

Re:

[CopaceticOpus]

PHP is getting better. They are cleaning up security issues, and providing more and more of a solid core of capabilities. I just wish that the users were more excited about these developments. I can't understand why so many continue to develop in PHP4. Every change and step forward gets a mixed response.

Personally, I'm all for breaking conventions if it will result in making PHP a better language. I wish that they would bite the bullet and rename all the functions to follow a consistent style in PHP6. T

Re:

[Octopus]

I would LOVE to switch to PHP 5. But the truth is, I work for a variety of small companies that all want the cheapest hosting option I can find, and I can't always rely on PHP 5 being available, so most everything I build is in PHP 4. I'd much rather use some real OOP, but PHP 4's class framework works just fine for most of the projects I'm on.

It has been discussed before that many of the larger hosts (GoDaddy, et al) run simple RedHat installations with specific packages of Apache, PHP and MySQL that the

Re:

[CopaceticOpus]

I've used PHP 5 on both 1&1 and on Dreamhost. I don't know how you can get much cheaper than that.

I can understand that it's not practical to upgrade existing code just for the sake of upgrading. But for new projects, I think maybe you're holding yourself back.

Missing file from 5.2.2 for Win32: php_xmlrpc.dll

[jgbustos]

I tested it last night on a Win2003 Server box, and there is a missing file from the Win32 ZIP distribution: php_xmlrpc.dll.

http://bugs.php.net/bug.php?id=41292 [php.net]

The file can be obtained from the latest snapshot, though: http://snaps.php.net/ [php.net]

Updating

[MrMunkey]

Here's another issue I have with updating to the latest version of PHP. I'd venture to say that quite a few companies out there use RedHat, SuSE, or some other OS/distribution because they get support. If we upgrade to the newest version of PHP, we lose vendor support for it. That's not to say that I can't compile it, it's just that the company isn't willing to risk losing support.

better

[CiderJack]

Despite all the criticism I'm reading here, it still beats .aspx for database implementation, HANDS DOWN.

Re:

[Craig Maloney]

Here's a link to Secunia's Tomcat 5 advisories, one of which is a remote code buffer overflow exploit.
http://secunia.com/product/3571/?task=advisories [secunia.com]

So yes, while PHP's advisories are about 10 orders of magnatude more numerous than Tomcat's, it still "bug that would let a remote user execute code or change configuration settings or read files or doing a double-free or any of that kind of thing".

And trust me, it's just as easy to create fragile code in Java that can open your server like goatse as it is in

Re:

[Anonymous Coward]

The buffer overflow you have referenced is in the mod_jk Apache module, written in C, which provides an AJP connector for communicating with Tomcat. It was not in the Tomcat application server.

Re:

[VGPowerlord]

PHP is just some hyped, misdesigned, inconsistent, unproductive kinda tool.

Unfortunately, mod_php is still more programmer and administrator friendly than mod_perl, which probably explains why it has a higher usage rate.

Try Fastcgi

[TheLink]

If you don't need total control over how Apache behaves, use mod_fastcgi not mod_perl. For fastcgi typically the webserver forks off the webapp as a separate _persistent_ process and then they talk to each other via a socket (you could actually have the webapp on a separate machine, but I haven't had much need to do that yet). Fastcgi apps can be coded similar to CGI/mod_perl apps there's just a loop around the "Fastcgi accept" call.

With fastcgi you can use perl, python, ruby, C++ or whatever - just like yo

Re:

[VGPowerlord]

I've tried using Perl with FastCGI before. It bugged me that you have to manually loop the accept call. It means that you have to wrap any code written for plain CGI... something that mod_perl's Apache::Request does for you.

Re:

[TheLink]

Didn't bug me that much, coz I usually wanted to do some useful stuff before the loop, like make persistent database connections, initialize caches, set up logging to syslog, set up other stuff.

The mod_perl stuff tries to do the persistent DB stuff but in a kludgy untidy way that has a lot more gotchas. Same for PHP's mysql_pconnect. Go see people say "turn off persistent DB connections" in one answer and then "turn on persistent DB connections" in another answer ;).

I've tried mod_perl, FastCGI is cleaner,

Re:

[Anonymous Coward]

you -are- a troll. I can write C programs just as insecurely as I can in PHP. If you are careful and have goood programming practices, you won't be affected by many of the 'holes'. The only problem is, the bar for entry is pretty low for PHP and there are lots of people who just learned 10 a=a+1 : 20 print a : 30 goto 10 and php is their next big adventure.

If people like you were right, we'd all have ditched perl long ago because of the phf bug.

PHP, like any software has its holes, but a properly secured sy