I recently migrated my diary to a new server, and was amused by some of the problems I faced doing so. Deploying PHP applications should be a simple affair – set up the database, upload the code – but moving to a newer version of the language brought many problems. PHP now bothers to check for errors in a lot of circumstances where it previously didn’t, causing warnings and notifications to pop up all over the place (and filling my logs with nonsense). PHP has always fought hard to try and be the least secure computing platform in existence, but even I was amazed to see how many SQL injection vulnerabilities I’d managed to include in the code when I originally wrote it a few years ago. While it’s pleasing that I’ve learnt so much in a short space of time (I now know what an “SQL injection vulnerability” is, for example), I can’t help feeling a little bit frustrated about the situation. Just a couple of examples:
- While other languages provide proper abstractions to access databases (e.g. the fantastic SQLAlchemy library for Python), PHP positively encourages you to just mysql_connect() and start firing queries into the database (at least that page now carries a warning).
- Some languages give you a framework to access data passed in by the user. At least PHP doesn’t just spread them around anymore, but it does make them easily available – so easily that it’s natural to grab hold and start using them, even if that’s the security equivalent of leaving the front door wide open.
Apologies for what’s turned into a rather snarky rant, but I’m in good company. It turns out there’s a whole community of PHP-haters: you can find out more via http://phpsadness.com/, http://www.phpwtf.org/, http://two-pi-r.livejournal.com/622760.html, and PHP Turtles for examples. I’ve recently really enjoyed reading this post:
I can’t even say what’s wrong with PHP, because— okay. Imagine you have uh, a toolbox. A set of tools. Looks okay, standard stuff in there.
You pull out a screwdriver, and you see it’s one of those weird tri-headed things. Okay, well, that’s not very useful to you, but you guess it comes in handy sometimes.
You pull out the hammer, but to your dismay, it has the claw part on both sides. Still serviceable though, I mean, you can hit nails with the middle of the head holding it sideways.
You pull out the pliers, but they don’t have those serrated surfaces; it’s flat and smooth. That’s less useful, but it still turns bolts well enough, so whatever.
And on you go. Everything in the box is kind of weird and quirky, but maybe not enough to make it completely worthless. And there’s no clear problem with the set as a whole; it still has all the tools.
Now imagine you meet millions of carpenters using this toolbox who tell you “well hey what’s the problem with these tools? They’re all I’ve ever used and they work fine!” And the carpenters show you the houses they’ve built, where every room is a pentagon and the roof is upside-down. And you knock on the front door and it just collapses inwards and they all yell at you for breaking their door.
That’s what’s wrong with PHP.
Web development, especially secure web development, isn’t easy. Even helpful articles are full of errors: this page recommends SHA1 for password hashing (and assumes that the only problem with the algorithm is hash collisions), even though that technique went out with the ark. What’s irritating is that PHP makes it incredibly easy: easy enough to shoot yourself in the foot again and again.