PHP has a few downsides, everything from poor naming conventions to security vulnerabilities. People around these parts are always looking for the cleanest solutions to their problems and the latest methods available. PHP's relative age and problems make it neither.
That said, I coded my first startup in PHP. It's dead simple to make a dynamic web page with PHP, but it's also dead simple to create a huge mess. In that sense, PHP reminds me of C. It's pretty simple to write an app in C, but there are 1,000 pitfalls.
Just like with C, there are definitely talented coders out there who can make PHP behave correctly. Sadly, they are a minority. Many of them move on to other languages and frameworks.
I've since moved on to Ruby (on Rails) as well as Python. Both languages offer simplicity and power. Rails, in spite of being the Dane Cook of frameworks, makes it extremely easy to create a web application.
I agree with more or less with what you said but a downside of PHP is not security vulnerabilities, that's really just a myth. I can't remember the last vulnerability which could be directly attributed to PHP as a language.
Sure, there are plenty of apps containing holes but those are not caused by PHP but by not coding correctly, eg not checking input making SQL injections possible etc.
Which might confirm what you said, it's easy to create a huge mess with PHP.
But then, it's easy to create a huge mess in any other language, too. It's probably even easier with Ruby due to its highly dynamic nature.
Languages are like tools, you have to know how to use it but you can't blame the tool if somebody misuses it.
Languages are like tools: buying a the best set you can afford is the best possible start to a project. PHP doesn't cause SQL injection flaws, but it doesn't make it any easier. How many escape functions are there ? Shall we count them ?
----------
mysql_escape_string() - Escapes a string for use in a mysql_query
mysql_real_escape_string() - Escapes special characters in a string for use in a SQL statement
mysqli_real_escape_string() - Escapes special characters in a string for use in a SQL statement, taking into account the current charset of the connection
addslashes() - Quote string with slashes
stripslashes() - Un-quotes a quoted string
The magic_quotes_gpc directive
The magic_quotes_runtime directive
stripcslashes() - Un-quote string quoted with addcslashes
stripslashes() - Un-quotes a quoted string
addcslashes() - Quote string with slashes in a C style
htmlspecialchars() - Convert special characters to HTML entities
quotemeta() - Quote meta characters
get_magic_quotes_gpc() - Gets the current configuration setting of magic quotes gpc
----------------
I especially love the contrast between "mysql_escape_string" and "mysql_real_escape_string," since the first one is fake in a magical, side-effect-laden way.
It basically argues that in PHP there's often an easy, insecure way to do something and a verbose, secure way to do it. With regards to SQL injection, Java is the same way; prepared statements are much more verbose and annoying than string concatenation.
They do exist, but I would never use any of them. I'd use a prepared statement. PHP has come a long way since stripslashes. It just isn't flavor of the month.
"One of these things, is not like the others, one of these things is not the same..."
No, there's nothing "mythical" about bad PHP security. At the point where there is a two order-of-magnitude difference between PHP and Python/Perl/Ruby, I stop even really caring about the "why". PHP may be popular, but it's not that much more popular. (And even if you want to say that PHP is two orders of magnitude more popular, well, not all Python/Perl/Ruby vulns are web-related, either.)
Well, all those bugs seem to be related to apps written in PHP but not related to PHP itself - other than at some places making it confusing for beginners to know what to use.
And if there are many bugs in apps this is also correlated to the fact that there are a LOT of apps but not enough good developers... ;)
I like this quote about PHP: "HP is just this piece of shit that you just put together—put all the parts together—and you throw it against the wall and it fucking sticks." (Terry Chay)
Ok.. nice way to leave logic at the door, but it's not just that PHP is more popular. It's that it's been around longer than Python and Ruby. That list goes back a decade for PHP.
Anybody using PHP seriously in a production environment is also using Suhosin and PHP is secure enough at that point to just be a consideration and not a problem.
No, as documented by others, it is that PHP has a long history of virtually begging you to put security vulnerabilities into your app, then jerking you around with crappy fixes, which interact poorly with other crappy fixes. As far as I am concerned, I can't afford to use PHP, because the community has a long, long, long history of claiming X is secure when in fact it is very, very not. ("No, really, we got it this time!") I have no reason to trust your assurances that no, no, really, really, it's all right this time, if you add this thing that I presume is not a core app and tweak it right and... no, thanks. The PHP community has no credibility left on that front, hasn't had it for years, and I've not seen some burst of skill lately that convinces me any differently.
PHP's four years younger than Python and a year or two younger than Ruby. Age is no excuse for its security problems -- nor is the No True Scotsman fallacy sufficient to wave away its flaws.
The security issues mostly come from the community; PHP is branded as a language that's easy to learn, and in that same spirit, a lot of the examples offered by the manual and by people trying to teach others are horribly insecure.
I think nearly every SQL example, for instance, totally ignores the concept of SQL injection.
Dane Cook is a comedian who hit it BIG, in part, due to MySpace. He's been in a couple of movies, including "Employee of the Month."
He's got millions of fans, but also a sizeable group of haters, inlcuding many of his fellow comedians. He's just another in a series of people or items that hit it big, leaving many of us wondering why.
Well, I didn't want to get into the details here, but yes, that's part of it. :-) He's also been criticized for not actually telling jokes when it is his material, being/attracting the worst sort of humanity, etc.
That's why I am unsure about Zed Shaw at EuroDjangoCon. I love to have smart and capable people around, but Zed still has to prove he can play well with others.
I think PHP compares well to the saying "Guns don't kill people, people kill people." Most of the time security issues are in the hands of the programers. Although, PHP sure makes it easy sometimes to create those issues.
Just like with C, there are definitely talented coders out there who can make PHP behave correctly. Sadly, they are a minority. Many of them move on to other languages and frameworks.
What does that mean? I'll take the compliment, but I'm not sure what the difficulty is in making PHP 'behave correctly.'
That said, I coded my first startup in PHP. It's dead simple to make a dynamic web page with PHP, but it's also dead simple to create a huge mess. In that sense, PHP reminds me of C. It's pretty simple to write an app in C, but there are 1,000 pitfalls.
Just like with C, there are definitely talented coders out there who can make PHP behave correctly. Sadly, they are a minority. Many of them move on to other languages and frameworks.
I've since moved on to Ruby (on Rails) as well as Python. Both languages offer simplicity and power. Rails, in spite of being the Dane Cook of frameworks, makes it extremely easy to create a web application.