Changes In Store For PHP V6

An anonymous reader sends in an IBM DeveloperWorks article detailing the changes coming in PHP V6 — from namespaces, to Web 2.0 built-ins, to a few features that are being removed.

Magic Quotes Removed

[iamhigh]

Citing portability, performance, and inconvenience, the PHP documentation discourages the use of magic_quotes. It's so discouraged that it's being removed from PHP V6 altogether, ... ... If you're using magic_quotes to escape strings for database calls, use your database implementation's parameterized queries, if they're supported. If not, use your database implementation's escape function, such as mysql_escape_string for MySQL or pg_escape_string for PostgreSQL.

This was discussed just a few days ago in the some what wrongly titled 500 Thousand MS Web Servers Hacked [slashdot.org]

Re:

[robo_mojo]

So does this mean that if you are using magic quotes and you upgrade to PHP6, suddenly you will become vulnerable to SQL injection attack? Wow, I'd consider that to be a major regression, then.

Re:

[The MAZZTer]

I hope they have some sort of protection against that; specifically, if you have magic_quotes turned on in php.ini (or whatever the linux equivilant is) PHP should refuse to start, perhaps logging an error message which explicitly tells the webmaster magic_quotes is no longer supported, and that it must be turned off, and the possible consequences of using old scripts designed to work with magic_quotes on. This forces the webmaster to actually go into the config file and turn magic_quotes off, and if they

Re:

[615]

Actually, undoing magic_quotes is quite a bit more involved. Some things to consider:

• - magic_quotes affects more than just GET, POST and cookie data
• - GPC data may contain arrays
• - magic_quotes doesn't process the keys of top-level arrays

Here's an excerpt from my personal library that addresses these issues and more. It works in PHP 4+ (I forget which minor version). Just give me some credit if you use it!

// magic_quotes_runtime is _like_ magic_quotes_gpc/sybase, except that it
// applies to return d

Re:Magic Quotes Removed

[Just Some Guy]

So does this mean that if you are using magic quotes and you upgrade to PHP6, suddenly you will become vulnerable to SQL injection attack?

Of course not! Since no one has been stupid enough to directly insert submitted strings into SQL before sending it to the server for at least 5 years now, this won't affect any modern code in the slightest.

Re:Magic Quotes Removed

[Quietust]

So does this mean that if you are using magic quotes and you upgrade to PHP6, suddenly you will become vulnerable to SQL injection attack?

It would probably be more accurate to say that you will become more vulnerable to SQL injection attacks, since magic_quotes was never 100% foolproof to begin with.

Re:

[WWWWolf]

So does this mean that if you are using magic quotes and you upgrade to PHP6, suddenly you will become vulnerable to SQL injection attack?

"The Management would like to announce that we're switching to slot-loading CD-ROM drives next week. We will be reserving more burn ointments in the first aid room for the next week or so and the janitor has been instructed to stock extra tissues in the bathrooms, but people who have been using CD-ROM drives as coffee cup holders should seriously stop using them as coffee cup holders ASAP."

Magic quotes did the wrong fix that incidentally happened to work for some people. The problem was that people had

Re:

[jacksonj04]

And even more irritatingly, mysql_escape_string() has been deprecated as well. You should use mysql_real_escape_string().

Re:Magic Quotes Removed

[TheLink]

But shouldn't you be using mysql_genuine_advantage_escape_string() instead ;).

It's stupid stuff like that and "Magic Quotes" that make PHP a sad joke.

Magic Quotes = mixing input layer filtering with output layer filtering = bad. You tend to get data corruption amongst other things.

Then there's addslashes and friends.

PHP: "Making The Wrong Ways Easy, and The Right Ways Hard".

Oh well, I guess php6 is where they are finally trying to do things right now.

All the pain is because php coders were doing things terribly wrong in the first place. Don't forget the PHP devs were encouraging them to do things wrong for years.

Quick summary

[Anonymous Coward]

... for those too lazy to RTFA:
Additions:
Better Unicode support
Namespaces! (this is being backported to PHP 5.3)
SOAP and the XML Writer/Reader modules compiled in and enabled by default (also in PHP 5.3)
Removals:
magic_quotes, register_globals, register_long_arrays, safe_mode
ASP-style short tags ()
Freetype1/GD1 support
ereg (use of preg encouraged instead).

Re:

[kestasjk]

Too bad the backwards-compatibility is going to make migration very slow.. PHP5 is very backwards compatible with PHP4, and the move to PHP5 is still going on, PHP6 will take a long time.

safe mode hurray!

[remmelt]

Each time I read that they're ditching safe_mode, I do a little happy dance and shed a tear of delight.

All the other stuff is great as well, but safemode has made the quality of my life significantly worse in the past.

Backwards compatibility is very important

[unity100]

i am servicing around 350+ clients in a small fish web host. even at that small web host, there are a phletora of different scripts, programs that clients are using to conduct their everyday business, their estores, their livelihood. some of them are dependent and locked-in to the software they are using like a small business company that extensively uses ms products is locked into microsoft.

regardless, backwards compatibility is important for those people. for starters, these are the people who have chosen php as the platform to conduct their business on, making php a de facto dominant language for the web instead of being a small time web language that was used on web savvy, webmasters. the financial impact of this is going to be huge for them, to adopt to that many changes php dev group started to introduce in the span of 1 to 2 years. this is too much.

you gotta slow down. or you are going to alienate the small business community from using php with what you are doing. if you break a small estore owner's store script every 1.5 years for 'upgrading', the second time you do it they will jump the language ship.

do not start to become an elitist group out of touch with the people, increasingly caring for nifty programming issues rather than what would the users think.

Re:

[Anonymous Coward]

And forward innovation is not important? Besides, you wouldn't upgrade all 350+ clients at once and in place? Perhaps having two host accounts, one for php5 apps and one for php6? Just a thought.

Re:Backwards compatibility is very important

[MROD]

Many commercial PHP-based systems are only now just changing over to PHP5 from PHP4. (Yes, I know...)

That's the way life is, I'm afraid. Most people who are depending upon these sites and software have no control over the vendors and definitely don't have the ability of fixing the code themselves.

Changing the API so greatly and so often in a non-backwardly compatible fashion does cause genuine problems.. and hosting sites can't afford to support multiple versions. Well, not unless they charge their customers too higher price for hosting their pages.

Re:

[truthsearch]

Just like PHP 4 was supported for a very long time with security updates, so will PHP 5. Your clients won't be obligated to upgrade for many years.

One major issue with PHP is old cruft, such as magic quotes, that were terrible feature additions in the first place. These are so bad it's really in everyone's best interest to remove them. I think features like POSIX regex, however, should remain because they don't do any harm.

Re:

[njcoder]

Sounds like you're using mod_php. That's a very insecure way to run php in a shared hosting environment and also doesn't give you the ability to run more than one version of php.

May not seem like a big deal until some idiot doesn't update his scripts and some script kiddie comes along and you get 350 calls from your clients asking you why there's some terrorist propaganda on their website.

Re:

[unity100]

your ears are weak.

also you should note that, the same customers would make much more stampede when they are asked to pay for development work for their running estores, because php team had decided to deprecate some features, for the second time in 1.5 years.

Re:

[njcoder]

sucks to be them

actually not

[unity100]

php's success compared to other languages like asp, which tried to compete with it and came out about the same time into prominence is due to php becoming more than a small nifty toolset for doing knickknacks on hobby sites and forums. php started to be used for business, and this created a demand for php programmers, and this in turn fueled more entry into language. same did not happen for asp. go check elance. youll see zillions of php projects that are put up, and equally many php developers. search for

Re:

[CastrTroy]

Try doing a search on Dice.com, where they post jobs. ASP.Net Developer [dice.com] returns 3626, while PHP developer [dice.com] only returns 1514 jobs. That's less than half. So while PHP may be used by tons of hobbyist coders (I use it myself), ASP.Net is used much more in the business world.

Re:

[njcoder]

By the way, you do realize that you don't have to upgrade your server right? You can leave the current version of PHP and everyone will be happy. There are tons of hosts still only offernig php4.

The part where I said there are ways to run different versions of php for different users didn't seem to register for you either.

Re:

[fimbulvetr]

Yes, actually very soon you will need to update your server. PHP4 is no longer being updated - this means security and all types of other bugs, including data loss/critical bugs. From now on, security updates will NOT be official and subject to people's whim. It's absolutely retarded that you suggest one can stick with PHP4 and be happy. The happiness will only last until there's no fix for their dataloss bug or their system has been hacked.

Re:

[unity100]

You sound so very bitter

u.s. people tend to use this a lot, and i really dont see that it fits any situation, leave aside this one.

and your only argument seems to be "you'll break hosting providers".

you missed the core of what i posted then. you should read again.

Any hosting provider that can't handle this change does not deserve to remain in business. Honestly, this is a very small change that should not be difficult to incorporate into an existing hosting service.

its not about providers, pal. its about users. if you go up to php 5, 6 and clients have their estores broken, only to learn that they have to spend considerable bucks on having their stores upgraded, recoded, or anything during the course of the same 1.5-2 years, AND therefore decide that they should change their software and jump to

Re:

[MindStalker]

Realistically its not a huge change, just removal of some insecure features. If you must keep these features stay with PHP4, no big deal really.

Re:

[unity100]

the catch is that, quite a many of the prominent scripts that are popular had been using some of those insecure features since some time ago, and there are a lot of people still using those old versions.

Re:

[unity100]

this is not about blames. this is not about 'idiocy' either. this is about reality.

world is not a programmers' haven. there are a lot of people apart from us programmers. regardless of what we may see as 'idiotic', people may need to use them at a given point in time, and they may use them, and they may have to stick with them. you cant go jacobin on issues like this.

Re:

[fyoder]

Where I work we have a couple of shared hosting servers which run two apaches, one for php4 and one for php5. It's a bit of a pita, but it works, and for us is easier than forcing clients at gunpoint to upgrade their php4 applications.

Unless there is a really compelling reason to add a third apache/php, I don't think we'll be quick to adopt this version. The better OO support in php5 made it something we wanted just for the stuff we write, but there doesn't seem to be much in php6 that is that exciting.

Re:

[unity100]

add it to that the fact that clients do not know, or give a damn about oop, and we get the complete picture.

Re:

[CastrTroy]

I'm with dreamhost, and I still have the option to switch my domain over to 4.4.x, although I'm currently running on 5.2.x. I don't see why a webhost with a large number of customers, couldn't support multiple versions of PHP, especially if there was a large number of customers (at least 10-15%) using that particular version.

Re:

[unity100]

read my post again.

Re:

[unity100]

For real? If the code is even half decent, the bulk of the changes should require a handful of global find/replaces. You really think the people who don't fall into that category, who couldn't be arsed to write good PHP, are going to spend the orders of magnitude more time learning another language and finding a host that will accommodate their poor practices, than troubleshooting existing code? And so what if they do? Good riddance, and I think the folks behind PHP would agree. After all, the language has such a negative reputation not for becoming a modern language with features real developers expect it to have, but from having major issues related to past encouragement of bad habits (such as the magic_quotes and register_globals nonsense). If PHP is going to continue to grow into a viable, scalable, respectable language that can be trusted for serious web applications, I don't think we need to worry about coddling the folks who can't be bothered to write decent code in the first place.

thats the attitude im campaigning against. this is pure elitism, even if it is for the good.

masses of small businesses do not give a damn about 'good php', 'poor practices', heck, even the nifty words we use to hype software like 'scalability' or anything. they dont care about any opinions like 'the nonsense that are magic_quotes and register_globals' either. these doesnt mean anything for a 55 year old estore owner from Pennsylvania.

we cant write down such people. regardless of what kind of software

get_magic_quotes_gpc

[Dachannien]

Removing the get_magic_quotes_gpc function altogether seems like the dumb way to handle backwards compatibility, breaking scripts for no good reason. Why not keep the function and just always have it return false?

Re:

[Dragonslicer]

Removing the get_magic_quotes_gpc function altogether seems like the dumb way to handle backwards compatibility, breaking scripts for no good reason. Why not keep the function and just always have it return false?

I thought that's what they were doing. I know there was some discussion about it on the internals mailing list, but I thought sanity prevailed in that one.

Re:

[Dachannien]

Besides, PHP programming should be as independent as possible to PHP settings.

Fine, that's great. Going forward, people writing for PHP 6 can forget that magic quotes ever existed.

But there is still a lot of code out there written in contemplation that a PHP 4/5 system wasn't installed by the person writing or installing the scripts (such as shared server environments), meaning that the magic quotes setting is immutable for practical purposes. That means that the script author has to check whether the system is using magic quotes and handle the affected input strings accordingly.

I

Magic Quotes was never a security function.

[gandhi_2]

It was to protect you from the O'Malleys and O'Connors. The PHP framers were obviously fans of Mel Brooks' film, Blazing Saddles: "We'll take the niggers and the chinks but we don't want the Irish". Or I'm missing something.

Real change

[Anonymous Coward]

Make it like a modern language.

Change . (string concat) to +

Change -> (pointer-to-member operator) to .

Done. Huge productivity increases.

Thank you.

Re:

[SanityInAnarchy]

...Wow.

I can think of a dozen things off the top of my head that would make PHP a better language, or at least make it suck less.

And this is what you came up with?

Even of all the syntax tweaks -- and there's so much more that's wrong with PHP than syntax -- I can think of so many more useful things to do than that. In fact, having concatenation be different than addition is a feature, not a bug -- if you add 2 and 2, you always get 4. If you concatenate 2 and 2, you always get 22. With + meaning both, you h

Re:

[jyurkiw]

Ever wondered why they picked the '.' for a concatenation operator over the trusty '+'?

PHP is a loosely-typed language.

The '+' is also the arithmetic operator.

Is a line of code reading
$c = $a + $b
adding $a and $b? or is it concatenating them?

What if $a = 513 and $b = 4201?
Are we talking about a phone number? Or am I trying to come up with $c = 4714?

There was a very good reason for having '.' as the concatenation operator.

Why PHP sucks

[rootpassbird]

They've fixed a lot of things that were being complained about under the terms "why php sucks" http://www.google.com/search?q=why+php+sucks [google.com] .
Related news is that PHP runs much better now on Windows Server 2008, as per the official Zend statement. But I doubt we will see too many people switch to WISP. This is flambait, agreed.
Also if you now have a PHP-fed brain with no place for anything else, with the new namespaces-on-steroids (http://www.php.net/manual/en/language.namespaces.using.php) change, you'll li

what's with the 'phpsucks' tag?

[sneakyimp]

I've noticed that every single article here mentioning PHP is immediately tagged 'phpsucks'. I find PHP incredibly expressive and am always surprised by the incredible variety of libraries/modules/plugins to manipulate graphics, flash, pdfs, to support protocols like SOAP, JSON, etc.

Perhaps we need an article on 'why php sucks' ?

Re:what's with the 'phpsucks' tag?

[FooAtWFU]

You mean like this? [www.tnx.nl]

It's not the lack of modules that people complain about. PHP is excessively convenient, if nothing else. :)

Re:

[diskofish]

PHP just makes it really easy to write sloppy code. I switched to doing primarily .NET few years back, and I prefer the more structured environment and compiled code. The only time I touch PHP now is to maintain existing code.

Re:

[CastrTroy]

As a fellow .Net developer, I really have to agree. I use PHP for my hobby projects, because it's easy to find a cheap webhost that has it, but I really don't like the unstructured mess that is PHP. Despite the fact that I like to use open source software wherever possible, I have to say that .Net really is quite a bit better than PHP.

Why PHP does NOT suck

[mcrbids]

I've worked with PHP professionally, building a healthy, heavily profitable, and rapidly growing company providing information management services to schools.

From the simple standpoint of "concept to implementation" - PHP ROCKS. It's very, very fast, requiring little in the way of "planning" and "structuring" while letting the features come out... FAST. It is, bar none, the best RAD environment I've yet worked with. Not that it's the best in every area, but that it clearly has the best balance between features and "gotchas". It has its weaknesses, such as lousy error reporting, but even that can be largely mitigated with a little intelligence in advance. But it really does have a number of key strengths that I leverage to the hilt:

1) Stability. It just doesn't die. Ever. I've never, ever, ever had a problem with PHP "not working". I don't troubleshoot it. It's there, it works, and I don't sweat it.

2) Scalability. It's "share nothing" approach makes clusting and random-host selection boil all the way down to a simple session manager. Having 1 or 10 application servers running side-by-side is almost trivial!

3) Code density = excellent! It's a fairly dense language, meaning that lots can get done in a few lines. Just for giggles, I've written a self-forking, multi-process daemon with a process manager and hundreds of managed children forks performing a deep-level network scan in like 50 lines!

4) Security. Yes, you heard me correctly. Although you can certainly use PHP "wrong", you can also use it "right". Once you do, you discover that PHP has a number of features that make things like SQL injection and shell parameter expansion a thing of the past. Really. Learn your tools!

5) Flexibility. You can run it as a module inside Apache. You can run it as a standalone executable. With tools like Ion Cube and PHP-GTK, you can create a cross-platform GUI application without revealing source.

6) Availability. Any $5/month web hosting company supports PHP, and there are many free ones, as well. You can download a CD, install Linux, and have PHP/Apache up and running in under 10 minutes. There are batrillzions of apps available A LA SourceForge for free. PHP is the most commonly available web development language. And, by no means is it a web-only development language!

Sorry you can't handle a few quirks in the function names. (so write out a file of wrapper functions - DUH!) Sorry that it's attempts to simplify variable management weren't perfect. Geez. Just code in c and be done with it, why don't you?

In short, PHP is everything that VB and .NET wished to be, only cross-platform. It's an excellent tool for developing information-processing applications, very, very rapidly. Yes, it has its weaknesses, and nobody's forcing you to use it, and the devs are working on the weaknesses, too. Go use Ruby if it makes you feel good. But PHP works well on Windows, Mac, Linux, BSD, and many others. Seriously: you really can't go too wrong betting on PHP unless you need 3D graphics!

Re:

[bigtrike]

I've used PHP for about 7 years now and I've had the entirely opposite experience.

1. Stability isn't that great. I've run into many glitches over the years and had my share of segmentation faults fixed. Ever run make test on a build? I've never once had PHP pass all of its own unit tests.

2. PHP is so inefficient with memory that anything but the most simple application can take tens to hundreds of megabytes. This isn't a huge deal though, because gigs of ram are pretty cheap these days.

3. PHP seems sim

New PHP features are great and all but....

[FilthCatcher]

My biggest issue with new PHP changes is fact that the sheer size of the PHP libraries mean that these new features don't bubble through to the whole core.

For exmaple take the newish try / catch exception features. On first glance you think "finally I can write decent exception handling into my own code" - which is great for your own exceptions but too many of the core functions used by your code or by a framework you're using don't throw exceptions - they indicate an error codition in the function's result.

So now we're seeing loads of code out there by people trying to do things "The right way (tm)" but it's full of bugs as there's exception conditions being raised by core functions that don't get caught by the catch blocks.

The line from TFA that concerns me is "Much improved for PHP V6 is support for Unicode strings in many of the core functions"

Many? That will means developers will start using unicode only to find scattered lines of code throughout the app doesn't work as the core function it uses doesn't support unicode. The overhead of keeping track of which functions do and don't support unicode will be a nightmare.

Exception support only half works in PHP5

[bigtrike]

Hopefully they can fix exception support in PHP 6. Currently it breaks in a lot of weird ways which can be nearly impossible to debug. For example, the following code:
function a() { new DateTime("2007-02-32"); } register_shutdown_function("a");
Generates:
Fatal error: Exception thrown without a stack frame in Unknown on line 0
Tracking down such an error in PHP 5 can be quite time consuming since current debugging solutions only work in very limited situations.

Re:

[CastrTroy]

That's the big problem with PHP. They get all these great new features, but since they weren't there in the first place, you can't really take full advantage of them. Take namespaces for example. It's great that they have namespaces now, but it doesn't help when the entire PHP API is completely devoid of namespaces. You mentioned exception handling, where it's nice that they finally have it, but it sucks, because the current API doesn't employ it. Even things like object oriented programming are only

IBM: Low quality as usual

[porneL]

Apparently writing about PHP automatically allows using dumb code in examples:

function is_authorized() {
if ($expression_that_returns_boolean) {
return true;
} else {
return false;
}
}

and

echo "Welcome, $_GET['cross_site_scripting_attack']!";

I guess PHP needs magic_entities ;)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Tetsujin]

This attitude - that new versions of the language should always support everything the old versions supported - only makes sense if you assume that the initial design was perfectly sound to begin with.

Had PHP4 been perfectly designed, and perfectly well-suited to what people are now using PHP for, there wouldn't be any need to change it at all. But PHP isn't perfect. They've found ways to make it better. They could fork off a new project containing those changes - but PHP6 is more like PHP5 than not - an

Re:

[i.of.the.storm]

I would think swapping mysql for XML would make things run slower on the whole, especially large databases, but I'm not an expert in that field. XML and mysql really serve different purposes, and I don't think replacing mysql with XML would be a good idea for the vast majority of use cases.

Oh, and what happened to the spiffy discussion2 stuff? Now comments open in new pages again and I can't reply inline. What's up with that?

Re:

[Foofoobar]

This actually is a very good observation believe it or not. Most MVC frameworks use XML to load the structure for the site and PHP's XML parser is extraordinariraly subpar so I created an MVC framework whose structure was loaded and cached from MySQL; as a result, it scales better, has a faster page load and blows Zend and others out of the water for speed as a result.

Its not the best approach for all intents and purposes (only 95% SEO compliant) but it has also enable a siwplistic approach for adding a

Re:

[i.of.the.storm]

Hmm, everything should be enabled properly. Seems like discussion2 is randomly changing?

Re:

[cheater512]

No.
XML is a format designed to transmit data between machines, not for data storage.

Imagine a 50 gigabyte database. I have one.
Now imagine the same database in XML.
The size would explode and you suddenly have to seek the entire db for a simple select.

Re:

[truthsearch]

XML is also designed for small amounts of hierarchical data, e.g. OpenOffice documents.

Re:

[SanityInAnarchy]

XML is not a database. MySQL is not a format.

Suggesting that XML can replace MySQL is like suggesting that power steering can replace fossil fuels. Power steering may be good, and fossil fuels may be bad, but they're also completely orthogonal.

Now, if you were talking about an XML database, or a document-oriented database, your comment might make a bit more sense. But for a single machine, MySQL probably beats both of those -- it's only really going to be a benefit if you start scaling to large clusters.

Re:Is this really news?

[truthsearch]

Especially since most of the "new" features are either already available or will be included in v5.3. There's literally nothing new here except better Unicode support.

Re:Is this really news?

[bcat24]

There's literally nothing new here except better Unicode support.

True, but better Unicode support is a very major feature in and of itself. Let's face it, writing a Unicode-enabled Web application with PHP 5 is like hunting wildebeests with a BB gun. It's possible, but it sure ain't easy.

Re:Is this really news?

[dgatwood]

What makes PHP nice is that, language-wise, it is basically C plus a subset of C++ wrapped up in a scripting language. Almost any code written in C (or C++ without templates/exceptions/other icky stuff) can be trivially ported to PHP by replacing the type names with "var" and adding dollar signs in the right places. (I'm exaggerating slightly, but not much.)

PHP doesn't have any weird syntax like Perl regular expressions---you can do Perl regex, but it is neatly encapsultated into proper strings the way it should be. There's no having to manually re-indent dozens of lines of code because you needed to add another nesting level and whitespace is part of the language, etc. It's just a really clean, lightweight OO language that's exceptionally easy to learn and happens to integrate very well with HTML.

Don't get me wrong, PHP has plenty of weak points when it comes to performance (particularly when dealing with massive complex data structures), availability of modules to do various obscure things, etc., but as a language, it is pretty nice, IMHO---mainly because it isn't a kitchen sink like Perl.... :-)

Re:Is this really news?

[moderatorrater]

and happens to integrate very well with HTML

Yes, like regular expressions happen to be good at finding string patterns. PHP is good because it is first, foremost, and almost exclusively a web scripting language, which means you get really like features like super globals, HTML embedding, loose typing, great escaping functions, etc. Most other languages try to be all things to all people, but PHP has a focus and it does it pretty well.

Re:

[kylehase]

While I agree with your point let's not forget that it can be all things to all people. M0n0wall (and forks like PFsense and FreeNAS) uses PHP for shell scripting [m0n0.ch] like startup and configuration scripts which I thought was pretty cool.

Re:Is this really news?

[moderatorrater]

Can you be more specific about how PHP "has a focus" on Web scripting

PHP was made originally to program web pages and, while it's been expanded to other uses, its main focus is still web pages. $_GET, $_POST, $_SESSION, $_COOKIE, and $_REQUEST are (as far as I know) unique to PHP in being built into the core of the language. As frustrating as it sometimes is, PHP files are considered standard output unless they have tags enclosing them, whereas in perl everything is considered code unless stated otherwise.

Loose typing and non-strict syntax in general is particularly well suited to the internet because each request generates a completely new environment. Something that was wrong with the previous request, unless specifically stored, doesn't affect the next request. Strictness in programming stems from the need to keep far flung parts from affecting each other; the web is modular by nature and thus resistant to wide spread bugs. Thus, loose typing and other, less strict forms of programming that make life easier at the expense of fragility is counterbalanced by the modular nature.

Many won't agree with that analysis, and that's fine. Sloppy coding has gotten more than one web project in trouble, and more than one feature of PHP's that was intended to make life easier ended up going to far and introducing security holes. But that doesn't change the simple fact that PHP was made for the web and has conveniences built into the core that other languages either don't have or require an add on for.

Re:Is this really news?

[chromatic]

PHP doesn't have any weird syntax... It's just a really clean, lightweight OO language.... as a language, it ... isn't a kitchen sink like Perl.

Did you have to shower after writing this? Did you at least burn the keyboard?

Re:

[chromatic]

It's the only way to be sure.

Re:

[mini me]

What makes PHP nice is that, language-wise, it is basically C plus a subset of C++ wrapped up in a scripting language.

That's the problem with PHP. It requires all the hard work of writing C-like code, without any of the benefits that one might chose C for.

Re:

[encoderer]

First, the PHP code doesn't really make sense. Why are you passing in the $args parameter?

All this code is doing is accepting a method name, validating it as valid (yes, an Enum dt would help here), and returning it if it is.

In which case, this is much better:

if (is_callable($method)) {
return method;
}

Or, more on point, you'd never even call the __call() method, you'd just call is_callable().

I think the point is to show a plausible example of PHP being "hard work like C."

I'm not a PHP apologis

Re:Is this really news?

[Dogtanian]

it's not like writing your own string library is any monumental task.

Your string library still looks somewhat clumsy, particularly for small projects. And I note that your functions only concatenate two strings; what if you want to stick a few together at once? (Yes, you could use var-args, but what's the checking like on that)

What if you want to append a number to a string? Given that standard C doesn't support overloading, would you have to write a new *differently-named* method? It'd be a nuisance to have to keep track of all the different methods when (e.g.) PHP can simply do the whole lot using the '+' operator.

it's a scripting language, it makes no sense to resemble C in any respect.

Wrong; it makes perfect sense to use C-style syntax. That's almost certainly the most common syntax by far, used as it is in C++, Java, JavaScript, C# and many other languages.

Visual Basic's syntax is different, and I had to learn this all over again when I used it for the first time, because I'm used to C-influenced languages. The mental context switch required and my tendency to keep inadvertantly using C-style syntax (leading to syntax errors) is a PITA.

I wouldn't mind if the VB syntax was nice to begin with, but it's not. It's inelegant and clunky; probably not bad considering it was derived from BASIC, but still inelegant and clunky. It probably got that way because it mutated from BASICs MS-DOS/PC programmers were familiar with, carrying them along with it. However, if (like me) you're not already used to that flavour of BASIC and haven't even used BASIC for years, it's not easy to use at all. It's not even that much like the old BASICs I used to use. Though this is getting away from the main point...

There may be valid reasons for using a different syntax, but those should reflect underlying differences in the structure/approach of the language (even Perl syntax is somewhat C-flavoured in various respects). However, using a fundamentally different syntax just for the sake of it is a Bad Idea. PHP is easier to use because it has a C-derived syntax.

Re:

[natrius]

There's no having to manually re-indent dozens of lines of code because you needed to add another nesting level and whitespace is part of the language, etc.

First of all, if you don't re-indent your after adding another nesting level, you are making your code hard to read, and if I have to work on it after you, I will hate you for it. This is one of the reasons that Python is so pleasant. It forces people to write decent code.

Secondly, if you're manually indenting each line of code, you should start using

Re:

[RazzleDazzle]

Something like *Tidy is all you need if you don't feel like using some fancy text editor or are too lazy to configure your editor.

http://perltidy.sourceforge.net/ [sourceforge.net]
http://rubyforge.org/projects/tidy [rubyforge.org]
http://tidy.sourceforge.net/ [sourceforge.net]
etc

Re:

[SanityInAnarchy]

And yes, I'm manually indenting. I vi, therefore I am....

Vim can auto-indent. It shouldn't be too hard to find a command, or a script, to indent/unindent large chunks of text.

I use Kate. Click & drag to select a large chunk of text, then tab/shift+tab to indent/unindent it. Trivial.

Re:Is this really news?

[SanityInAnarchy]

More pointedly: If poorly-indented code is so troublesome that you'd "hate" the offending developer, you should start using a modern IDE.

I prefer a modern editor to a modern IDE.

I do want a certain amount of control over the structure of my code, even if a lot of it will be by convention. Having any automated tool try to "fix" someone else's code is likely to screw up things like comments which are cleverly indented and aligned with some code, or similarly interesting code.

And an IDE is overkill in many other ways, yet they still often find ways to miss some functionality I want. That, and I tend to be much more easily able to switch text editors than switch IDEs.

Disclaimer: I'm not GP, and I use Ruby.

Re:

[encoderer]

Honestly, any IDE worth it's salt has by now solved the auto-formatter problem.

It's a by-demand feature so it's not like Word AutoCorrect. And you should be able to use a nice WYSIWYG editor to build the rules.

This is what you get, for example, in Eclipse and Visual Studio.

Personally, I like things like integrated FTP, integrated subversion, integrated unit testing, and, most of all, an integrated server-side debugger w/ all expected function: breakpoint/play/step control, stack and heap manipulation, etc.

A

Re:

[SanityInAnarchy]

Personally, I like things like integrated FTP, integrated subversion, integrated unit testing, and, most of all, an integrated server-side debugger w/ all expected function: breakpoint/play/step control, stack and heap manipulation, etc.

The debugger is the only thing I miss from a "real" IDE.

Subversion is garbage, of the "at least it's not CVS" variety. There are at least some ten or twenty distributed version control systems out there, at least one of which has got to work well for you.

FTP is garbage. Use anything else. Yes, anything else.

These are actually related. I don't really like most of the stuff you mentioned "integrated", as that usually means things like "I have a keyboard shortcut to run unit tests!" Great, but I'm comfortable

Re:Is this really news?

[SanityInAnarchy]

PHP doesn't have any weird syntax like Perl regular expressions---you can do Perl regex, but it is neatly encapsultated into proper strings the way it should be.

Regex is never really going to be readable without a separate course learning that. By the time you know regex syntax, a little extra syntax in your language isn't that bad.

There's no having to manually re-indent dozens of lines of code because you needed to add another nesting level and whitespace is part of the language, etc.

And there's no need to do so in any modern programming environment, either. Most text editors these days have ways to re-indent code, uncomment/comment keyboard shortcuts, etc.

It's just a really clean, lightweight OO language that's exceptionally easy to learn

Easy to learn if you already know HTML, I suppose. But where's my actual, interactive PHP shell that I can play with while I'm learning the language?

OO? Only recently.

Clean? Not even close, not when you've used a real OO language.

and happens to integrate very well with HTML.

So does everything else, now. I'd argue Ruby is actually better [hamptoncatlin.com] at this than PHP.

Don't get me wrong, PHP has plenty of weak points when it comes to performance

My language of choice right now is Ruby, so I don't really care about that.

availability of modules to do various obscure things

Considering the amount of crap built-in to the language, I doubt that's a huge stumbling block, either. I like CPAN, but it does help when the language itself is clean enough that I'll happily write a library of my own. But most that I'd need to do with a C library has bindings everywhere I really want to do it.

mainly because it isn't a kitchen sink like Perl

I think Perl has too many built-in functions, available everywhere, completely un-namespaced, compared to Ruby.

But you know what? Perl has a little over two hundred functions in the main namespace. PHP has a little over three thousand, according to this page. [www.tnx.nl]

So, it may not have the kitchen sink in the syntax, but it has the kitchen sink, the bathtub, the plumbing, and the neighbor's shower in the core library.

Finally, I call BS on this:

Almost any code written in C (or C++ without templates/exceptions/other icky stuff) can be trivially ported to PHP by replacing the type names with "var" and adding dollar signs in the right places. (I'm exaggerating slightly, but not much.)

Is there a language, other than Python, that this isn't true of, for very simple, "Hello World" or "My first HMAC implementation" examples? Sure, the rules would be different, but dropping all the type declarations (swapping for "var") and adding dollar signs is significant.

Oh, and does PHP support structs? What about function pointers? I doubt it's "almost any code". It's easy when you understand both C and PHP, but again, I assert that's true for many languages, particularly popular web scripting languages.

Re:

[Hognoxious]

I really despise this kind of post, where each sentence is torn apart and commented on separately;

That would be a lot easier if you actually wrote proper sentences.

usually with a sarcastic and snotty tone to it.

See what I mean?

In my opinion,

Which we all totally care about.

it's just high brow trolling

I find it quite amusing.

and makes the poster look like a right dick.

I know you are but what am I?

Re:

[NamShubCMX]

Unicode support is reported to become available for 5.3+ later as a module.

What I've heard the developers say, basically, is that there is no real roadmap for 6.0, since 5.3 has most of the planned features and unicode (the big new thing) will be available sometimes, although not built-in.

Re:

[MightyMartian]

I simply can't wait for an even bigger php.ini file to support disabling and re-enabling of deprecated functionality. I've spent several evenings over the last few weeks on a contract to clean up some really bad PHP code, and a good fraction of that time has been spent actually getting a test bed up and running, trying to match the Win32 PHP 5 install I'm forced to work with the Linux PHP4 install on the production server. More than ever before I'm convinced that PHP is the worst major language ever inven

Re:

[Enleth]

Well... Don't take contacts when you're not familiar enough with the technology it requires so that you don't need to struggle with it at all?

Re:

[pembo13]

That's pretty unfair circumstances under which to judge any language.

Almost..

[encoderer]

...He took the "contract." Nobody was forced.

But his post is inane.

Isn't it about as basic as it gets that code (outside of Java) should be developed on the same platform that it will ultimately be deployed upon?

If he had done that, all he'd have needed to do was get a copy of the binary as compiled for use on the production server, and their php.ini. Install, copy in the php.ini, and he's up and running in an environment identical to the Prod server.

Barring that, if he'd had gotten their php.ini anyone w/

Re:

[cayenne8]

"Isn't it about as basic as it gets that code (outside of Java) should be developed on the same platform that it will ultimately be deployed upon? "

You're still in school or new to the real world, arent' you?

:-)

Of course it should be that way...but, often out there, you run into just this situation. The mgmt. wants a change or something done, but, they don't wanna buy new hardware, etc....

It sucks, but, I've run into systems where the dev. and prod. are on different platforms...and this isnt' just beca

Re:

[njcoder]

"Isn't it about as basic as it gets that code (outside of Java) should be developed on the same platform that it will ultimately be deployed upon? "

You're still in school or new to the real world, arent' you?

I do most of my Java web development on either win2k or winXP. (For other reasons I need certain windows apps).

I use netbeans to develop and I generally deploy to RedHat, CentOS or Solaris using different servlet engines. Mainly Tomcat and Resin. I don't remember the last time I had problems deploying a WAR file from Windows to Linux or Solaris, other than what's in Context.xml, which is what that file is for. Sometimes people put things in web.xml that are related to the context and run into issues.

Us

Re:

[truthsearch]

The articles may not always be winners, but the tag lines and comments make up for that.

Exactly [seenonslash.com]. (Warning: blatant plug.)

Re:

[eebra82]

I don't see why this is a major update (5 => 6).

If I had a software development business, I would do this if I wanted to push a release a little extra. People don't care as much about decimals as much as they care about entirely new release numbers.

Re:

[SanityInAnarchy]

Depends.

Linux 2.4 -> 2.6.

Better example: Anything after OS X. We're up to 10.5 now, but everyone's drooling over it. Why? No numbers at all -- it's just "Leopard."

If they called it "PHP 5.5 -- the version that doesn't suck" or "PHP 5.5 (Quail)" or... put any kind of marketing spin on it at all... it might have as much or more impact than simply calling it 6.0.

Re:

[Dragonslicer]

I don't see why this is a major update (5 => 6).

I believe it's because the Unicode support involved a significant amount of work in the engine. I vaguely remember that this means extensions will need to be modified to work correctly, but I'm not certain about that.

Re:

[SanityInAnarchy]

I don't know, I think Ruby is even worse -- given that it was invented by a Japanese guy, so you'd think it'd be the first to have Unicode out of the box.

Re:

[Haeleth]

There was actually a lot of resistance to Unicode in Japan: there were some unfortunate misunderstandings early on that led a lot of Japanese people to believe that Unicode was trying to force them to use Chinese conventions for character shapes. It also doesn't help that all the various UTFs appear to be less efficient at encoding Japanese than their various legacy encoding systems. (Of course, neither of these things is really an issue in practice, but we're talking about popular perception here!)

I don'

Re:Major version?

[Splab]

"and a bunch of stuff removed"

The stuff addressed are some of the widest security holes. On top of that the old way of programming PHP and most guides out there encouraged the usage of these bad functions, getting them totally removed is a huge step forward.

Re:

[WK2]

They are removing some things. According to Splab, above, removing these things is a huge step forward. More importantly, removing things should always be a major release. They are breaking backwards compatibility with everything that uses the things that they are removing.

Re:

[truthsearch]

On /. Netcraft can only be used to confirm that things are dead, not alive.

Re:Too Little Too Late

[thetoadwarrior]

Um, no it's not. It's only downfall is that it's too easy to do powerful things so idiots make dangerous code.

That is not the language's fault. Not everyone wants or needs a JBoss server or something equally silly for their website. PHP is still very good. Safe programming in PHP just needs to be preached more to the new users of PHP and some of the self taught people who perhaps learned off the net from someone else with little experience rather than a book since all books I've seen cover the basics on safety.

The only thing that annoys me is the fact it's function naming methods aren't consistent. It shows that it's had input from various places without any thought into standardizing things.

Re:Too Little Too Late

[FooAtWFU]

That's not its only downfall. Its other downfalls include some miserable organization and bloated core, though much of this may be attributed to lack of namespace support - which is being remedied, but it's a bit late. There's still a lot of package_name_prefix_with_function_name functions, and I don't see them going away soon.

Beyond that, and the pervasive "make it easy to do the WRONG thing" un-philosophy, I still haven't heard about it getting lexical scope, closures, and anonymous functions. Of course, this only matters if you're a good programmer (as opposed to merely a Decently Adequate one).

Re:

[njcoder]

Um, no it's not. It's only downfall is that it's too easy to do powerful things so idiots make dangerous code.

Most people don't write their own php scripts, they use what other's have written. And if one big vulnerability gets discovered in a script and you start seeing a bunch of websites getting defaced or worse. Most people are using some sort of shared hosting, so your site may get affected even if you don't have any php.

Since it takes less resources and performs better, most hosting companies run all php scripts as the same user. Yeah there are ways to jail it to a certain directory per user but that's not

Re:

[Falesh]

Don't be daft, PHP 5 is a solid language and it doesn't take much to learn how to write secure code. If you view it from a rookies point of view it could be dangerous, but that doesn't magically make the language crap in the hands of more experienced developers.

Re:Too Little Too Late

[KnightMB]

Unfortunately, everyone has already realized that PHP is an insecure, featureless piece of crap. Real web developers have moved onto other platforms, or stuck with Perl.

I think I hear this every time someone has been hurt by a buddy who was able to code circles around them in PHP while they struggled in Perl. Real web developers use every tool at their disposal, not just Perl or PHP only. Your statement alone shows the conceit you have about your own skills as compared to everyone else that makes a living doing web development, apparently much more successfully than you.

Re:

[njcoder]

Absolutely. It's not like anyone still uses PHP [php.net].

Yeah. What happened in 2005 to make it plateau like that?

Won't change a thing

[cortana]

PHP scripts will still manually implement it, and each one will do it in a slightly different but still broken way, generating hundreds more security vulnerabilities...