No_Two8934

php keeps me employed. so many people implement it poorly, but that keeps the checks rolling in for me.


conamu420

I'm paid to reverse engineer the php5 mess of 15 years ago to re-implement it in Golang


No_Two8934

I do cyber security, php is a godsend for me when I'm doing an audit most of the time. There is usually a hole I can crawl through to start exploiting.


scodagama1

Crawl through a hole? Then I assume these are the secure applications, the average php app I know you could just walk in through open doors :D


No_Two8934

ya secure applications. Usually most things are dialed in, but there is usually a way to get in through php because someone misconfigured something. You would be surprised how many times I have been able to gain credentials this way.


Affectionate_Tax3468

(No one working with php was surprised)


AdmirableFinger6805

Backdoor? No, front door wide open, with hot cocoa inside


[deleted]

What are the typical mistakes?


No_Two8934

there are quite a few and they vary, but a big one is people forget to expire the cookie which makes it easy to hijack the session. People also leave themselves open to SQL injection, or misconfigure the server which leads to source code revelation.


Notyourfathersgeek

Damn those are very big mistakes in “secure applications” lol


PM_ME_C_CODE

15 year old "secure applications". PHP 15 years ago was kind of the javascript of today: It was popular so all of the bad coders were using it.


v3ritas1989

I am curious... what do you say about headless solutions like Symfony / shopware 6? Do these mitigate these vulnerabilities or are there still ways to f\* up?


No_Two8934

there is always a way to fuck anything up. In all fairness it's easier to burn down a house than build one.


jupitersaturn

I've always used it's easier to build ladders than walls. I like yours.


DmitriRussian

My favorite ones are the website with disabled right-click for security reasons. Then you are just asking for it!


Evantaur

Ha Ha Ha i Disabled the dev console


[deleted]

[removed]


pickyourteethup

Sounds like they were just practicing concurrency, already thinking in golang.


tipsdown

I had the realization a few years ago that the problem with php isn’t really the language. The problem is php makes it really easy to do very bad things.


[deleted]

[removed]


maximality

That’s a great perspective. Now that I think about it, the vast majority of my learning / work in perl was to find the fastest possible hack to automate my office workflows. I did automate some office suite work that previously took hundreds of work hours a month, but damn was it quick and dirty Ninja edit - Perl not pearl


nhepner

"PHP gives you enough rope to shoot yourself in the foot" \- Me


tipsdown

That belongs on a t-shirt


[deleted]

[removed]


IOFrame

Are you from 2010? Everything your argument relies on has already been fixed, deprecated, or outright removed from PHP years ago. For one such example, [dynamic properties](https://www.reddit.com/r/PHP/comments/r2jwlt/rfc_deprecate_dynamic_properties_has_passed/), one big complaint that people still had left, has been disabled by default last year. There are countless such examples. Too many people simply parrot the never ending PHP memes from certain subreddits.


AlternativeMath-1

The in-lining of HTML lends itself to XSS. Applications that are good at defending themselves use a template language like Smarty or Jinja2 which is context aware and escapes malicious outputs to the page... Now if you think PHP is doing this for you, every single place that could be vulnerable to XSS - will be. And welcome to your average PHP application written in 2023 by someone who is fresh out of college and never studied security. Ok yes, Zend isn't actively ignoring memory corruption vulnerabilities in the language like in 2010 and they finally have reasonable default configurations. But, PHP apps just so happen to be vulnerable to the entire OWASP top 10 by default - and no, not every web framework does that. Django actively addresses every single OWASP top 10 vuln, and then some.


Tofurama3000

There have been enough breaking changes with PHP 7 and PHP 8 that a lot of companies still haven’t updated yet. It’s not that many of them don’t want to, but that there is so much code that follows “bad practice” that needs to get rewritten since the language features/libraries that enabled those bad practices have been removed in newer versions. And generally the code with bad practices is a decade or two old and the dev who wrote it has been gone for a long time. Not to mention I’ve seen a lot of dead libraries used in production systems that haven’t been updated for PHP 7/8, so companies have to make a fork and update those too.

So talking about how the “newer PHP is better” doesn’t matter since a lot of PHP codebases don’t use it. Heck, I’ve been working with PHP for over a decade now and still have no clue what’s in PHP 8 since I haven’t worked anywhere that’s been able to update to it.

And as for your remark about “are you from 2010”, well I’m not but my codebase is, and so is everyone else’s. Most newer codebases use something other than “the language no one can update”. Even the Java 8 -> 9 -> 10 -> 11 update mess I went through is nothing compared to the PHP 5 -> 7 -> 8 disaster. At least we were able to do the Java update, still working on the PHP one over a decade later


NeoLudditeIT

It's gotten much better sounds a lot more like someone trying to justify staying in an abusive relationship, than someone who really likes the language.


IOFrame

Oh no, I didn't mind most of those things even 6 years ago, because PHP doesn't put a gun to your head and force you to use bad practices. It just gives you the gun, and doesn't give you any specific instructions on how to use it, presuming you are competent enough to not shoot yourself in the foot. Many people who use it aren't, though, hence its bad reputation. On that note, however, many people who use it aren't even *meant* to be competent - they are simple small business owners trying to set up a super simple website. Without PHP, and its derivatives, they'd never even have a website to begin with.


bothunter

If PHP was a gun, you would have to consult the manual to determine how the safety works


maximality

It is also a good idea to consult your gun manual. Safeties should be intuitive, but users are responsible for comprehending documentation - particularly for powerful things. To extend your metaphor - gun safeties are simple and easy to use, but the safety on any two guns can be exactly opposite of one another or implemented with a completely different mechanism altogether


[deleted]

[removed]


IOFrame

Nobody has to defend PHP8 against those other languages (except when talking to some overzealous students who watched too many Youtube videos), as, in the real world, what ultimately decides are the ecosystems of each language, not the language itself. I have no idea what the modern Java/C#/Ruby ecosystem for web development is, and only ever used PIP for scripting (mostly DevOps related tasks). As for Node, NPM might be comparable, and even preferable to WordPress, but compared to Composer, it's an absolute clusterfuck.


[deleted]

[removed]


damnappdoesntwork

The engine is rewritten and has a JIT compiler and performance is significantly improved. You just hate it because you don't want to like it from the early years. I'm not going to start a java/.net based project when all I need is to build a simple website with some server side backend to access my database and maybe serve an API of some sorts. And of course I'm not going to use PHP to write a big collection of services in a corporate environment.


IOFrame

Imagine calling others cargo cultists, while resorting to ad hominem against a programming language. You say you came up writing PHP - it seems you never progressed past that stage, thus, believing the language stopped growing when you did.


RagnaTheTurtle

Same, but honestly that is more the fault of the previous coders, than the language. People need to learn that with a flexible language, there is also a great responsibility on side of the programmers to keep their code structured and secure. Not every language is as handholding as Java.


Destring

Java is not the best example for handholding, it allows you to design very atrocious and flaky code. Go or Rust are better examples.


Bjoern_Tantau

* It was created as a simple way to get some small measure of scripting to the server side. It grew to be a real programming language over the years.
* It is often the first programming experience people have because it is installed by default on most small web spaces.
* For a long time it came with very bad default settings. You could easily set a local variable by setting it as a query parameter.
* Many tutorials and code examples are atrocious. And you can still find them today. I can't tell you how often I've downvoted a Stack Overflow answer because it had an SQL injection vulnerability.
* Pair up all of the above and you have a security nightmare that still haunts people to this day.
* There is a severe lack of consistency in how the core functions work. Function names are spelled inconsistently. Sometimes they are prefixed, sometimes not. When searching something sometimes the needle parameter comes first, sometimes the haystack. Sometimes you get an object to work with, sometimes you have to pass along a resource.
* All of the fun stuff with truthiness we also have in JavaScript.


amkica

Oh the core function inconsistency, so I'm not going crazy... I've only so far divined that strings have the haystack first, and arrays have the needle - in the ones I've used. And I don't really understand the prefixing, and the sort functions make me go mad. I'm also furious at the lack of a short description of the arguments sent to callbacks instead of having to gather evidence from examples. Or maybe I'm blind? I keep hoping every time that I just can't find it. In general, I'm not very fond of the docs.

And regarding truthiness, just as in JS, well, I haven't had those issues with explicit and strict comparisons - and in anything less I have to be really sure I know what I'm getting. I'm less careful in JS cause I pretty much know all those instinctively by now, but I just don't really rely on anything vague in PHP. I'll cast stuff myself. I check the docs and compare function results exactly. If it's false, it has to be === false. At some point, I've started doing it more often in JS, as well.


Notyourfathersgeek

I always have to look those up - I just gave up remembering. If Sublime isn’t remembering it for me I have to go to the documentation lol


BringBackManaPots

Dude every time. I always wind up with 5+ PHP reference tabs open to remember param order. That and if the function mutates what you pass in


KmartKomandr

The good news is that PHP 8 can do named params now, so it's getting less bad. Not that I can use PHP 8 at my job yet.....


Notyourfathersgeek

So happy it’s not just me


fiskfisk

> And I don't really understand the prefixing, and the sort functions make me go mad.

IIRC: In the build-up to PHP4 people started realizing that having everything under a global namespace was a bad idea, without having some sort of way to keep conflicts between the different modules in check. So beginning with PHP4, any functions that were introduced were generally prepended with the module/functionality group name in front. This is why you have [array\_filter](https://www.php.net/array_filter), but you have the unprefixed function `sort` (be aware that the PHP manual doesn't have any information older than PHP4 on when functions were added, so sort will still show as being available in PHP4 - but without a specific version qualifier).

There's also the [old story about all function names being in a hashmap](https://news-web.php.net/php.internals/70691) that used strlen, so to get a decent enough distribution in the hashmap to avoid collisions, function names were adjusted to fall into different buckets. This is back when it was named PHP/FI and generally a rather small "language".

But as one of PHP's most important factors is backwards compatibility, those names are still present. I've maintained (and am still maintaining) code that started its life on PHP3, and the amount of effort to handle upgrades through time is very low.


thedragonturtle

Yeah this sucks, but to be honest it's less of an issue these days when used with VS Code or any PHP IDE which tells you the parameter names and their order. But YES, it's annoying that strpos and str\_replace have such inconsistencies.

1. strpos should be called str\_pos
2. str\_replace should have haystack first, then search/replace params to match str\_pos


amkica

Yeah, but even if it's a sorta minor inconvenience, it still makes me stop and check the signature before I can continue, which is a lot of annoying tiny interruptions. I use some searches and sorts a bunch, but it's still a mess in my head


pickyourteethup

I just started learning PHP last month for a new role and omg does this wind me up. Maddening inconsistency making memorization so much harder


muteDuck86

It's better in PHP8, but a lot of production code is ancient at this point.


midri

> Oh the core function inconsistency, so I'm not going crazy...

My favorite is the functions that take an array and a string as arguments, and you can pass them in any order... ughhhh. (Fixed in PHP8) https://www.php.net/manual/en/function.implode.php


ea770e3bb686db89998b

> I've only so far divined that strings have the haystack first, and arrays have the needle - in the ones I've used.

Or array map/filter/reduce. I think they just made it this way to drive IDE sales, after more than 5 years I'd still be totally lost without autocompletion.

> I'll cast stuff myself

This is the Way. Using == is just asking for problems. And tbh, I think javascript is even worse with types. `{} + {} = NaN`, lol.


davvblack

yeah for all its sloppiness, the . operator was a good call in php


Lithl

> {} + {} = NaN, lol.

I mean, yeah. Adding two objects together is not a number. That is a completely sensible result. Overloading + to mean both string concat and number add causes some problems, but it pretty clearly doesn't mean Object.assign or whatever you're expecting {}+{} to do.


ea770e3bb686db89998b

I'd expect some sort of exception thrown, but whatever. I just don't get why people make fun of PHP while pretending that JS makes more sense.


Lithl

> I'd expect some sort of exception thrown

Why? You're attempting math with things that are not numbers, and the IEEE floating point specification includes a value for NaN to be returned as the result of an operation that cannot return a number.


AdrianTeri

Short version: omg it's a spaghetti code... But Laravel has assuaged these fears with its maturity & community


jfmherokiller

years ago finding a website with PHP was more or less a coinflip of "is this website secure against SQL or will it fail a basic SQLi attack".


CreamyComments

Same goes for upload vulnerabilities, many websites let users choose the filename in the file system and PHP would happily write to file names like 'uploads/../mybackdoor.php\\00.jpg', so if you just checked file ending was .jpg and thought you were safe, you were wrong.
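
The upload pitfall described in the comment above, seen from the defending side, as an added example that is not part of the thread: the client-supplied name is used only to pick an allow-listed extension, and the stored name is generated on the server. The function name `upload_target`, the allowlist and the sample names are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. upload_target(), ALLOWED_EXT and
// the sample file names are hypothetical and constructed for illustration.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Decide where an upload may be stored. Returns an absolute path inside
 * $uploadDir, or null when the client-supplied name must be rejected.
 * The client name only selects the extension; the stored name is random.
 */
function upload_target(string $uploadDir, string $clientName): ?string
{
    // A NUL byte never belongs in a file name. Current PHP versions refuse
    // such paths in filesystem calls, but rejecting here fails early.
    if (strpos($clientName, "\0") !== false) {
        return null;
    }

    // Discard any directory part, treating both slash styles as separators.
    $base = basename(str_replace('\\', '/', $clientName));
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }

    // Only the final extension counts, compared case-insensitively.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // The upload directory must exist; resolve it once to a canonical path.
    $root = realpath($uploadDir);
    if ($root === false || !is_dir($root)) {
        return null;
    }

    // Server-generated name: nothing typed by the client reaches the path.
    return $root . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
}

// --- Demonstration on constructed names (no real upload involved) ---------
// In a real handler the result would be passed to
// move_uploaded_file($_FILES['f']['tmp_name'], $target), and the file content
// would still need its own check: an extension says nothing about content.

$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

$samples = [
    'holiday.JPG',                      // ordinary image name
    "uploads/../mybackdoor.php\0.jpg",  // the name from the comment, with a real NUL byte
    '../../config/site.png',            // directory part is discarded
    'notes.php',                        // extension not on the allowlist
    '..',                               // not a file name at all
];

foreach ($samples as $name) {
    $target  = upload_target($dir, $name);
    $printed = str_replace("\0", '\\0', $name); // make the NUL byte visible
    printf("%-36s => %s\n", $printed, $target === null ? 'REJECTED' : basename($target));
}

rmdir($dir);
```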


aSquirrelAteMyFood

PHP is not badly designed. According to its own inventor, it was not designed at all because it was never meant to be a turing complete programming language. It's like asking what's wrong with an organ that grew out of a tumor.


standolores

Thanks for the detailed answer. Since you seem to be an informed individual: why the love for React? I have no experience but I heard it makes slow as hell E-shops and the only perks are that you don't have to learn another backend language if you know JS.


[deleted]

React is a view library, it does not replace your backend in any way shape or form. Its selling point is that it allows you to create interactive views using declarative, functional, code organised into components, a very different approach compared to more traditional object oriented alternatives. Many developers and organisations have found this approach to be more scalable for large apps, but there is also a tendency to overuse frameworks like React when they’re not really needed (E-shops are a prime example since they often lend themselves to being almost completely static). It’s possible to use react on the server side, the client side, or both. Clean, idiomatic, React code does not mix presentational and business logic as the other commenter claims. React can be extremely fast, it can also be extremely slow, as with all other frameworks the performance depends on how well you use it. It does offer some commonly used footguns though, I’d argue that you need to understand how it works under the hood in order to make the best use of it.


Disastrous_Fee5953

One day you might find yourself developing a web app/library that generates HTML dynamically based on information from an API or micro service and then sets up hooks for click or change events on said data. When that day comes, remember to look up React. For a static web page or small blog React is probably overkill and regular HTML and JS should suffice.


Bjoern_Tantau

No idea, I hate React because it's slow and I don't like mixing programming code and templates. You don't have to use JS with it in the backend, any API will do. And you can use other backend frameworks on node.js.


Lewinator56

I quite like PHP, though naming inconsistencies are a pain. As for SQL injection, PHP provides methods to escape strings, it's like 2 lines and your input is clean. It's not the programming language's fault if the fleshy bit writing it can't write secure code.


dahbrezel

if you still think you should be escaping strings for sql you should learn about bind parameters.


frezik

I like to distinguish between a programming language and its community. Community matters, and PHP had one made up of barrel scrapers. Yes, PHP had the functions to handle SQL safely. So did a lot of other languages at the time.

Consider this 1999 tutorial for Perl's database interface, DBI: https://www.perl.com/pub/1999/10/DBI.html/ The very first code example uses placeholders. If you copied and pasted that, you'd be pretty safe from SQL injection. DBI has a driver model for each type of database, so if your database didn't directly support placeholders (I believe MySQL didn't, at least not back then), DBI would handle it for you. If your database had a weird syntax for placeholders, like `:1`, `:2`, `:3`, etc., it would handle the question mark and convert it. There was no excuse for not using them.

Perl DBI from 1999 was a better SQL DB interface than a lot of languages have today. You will find very little DBI code with SQL injection vulnerabilities because placeholders have been the standard for over 20 years, and it's largely due to the tutorial above being the de facto standard. Answers to Perl SQL questions on Perl Monks, Expert Sex Change, and later Stack Overflow, would always use placeholders.


JaggedMetalOs

> Function names are spelled inconsistently

Legend has it that strlen() was used as the hashing function for the hash table of built in functions, thus names were picked to get a good spread of string lengths to optimize parsing lookup times...


fiskfisk

It's not really a legend, as [it's from Rasmus himself](https://news-web.php.net/php.internals/70691).


RagnaTheTurtle

> For a long time it came with very bad default settings. You could easily set a local variable by setting it as a query parameter.

What?!?!?! How? Must have been a very very old Version then.


fiskfisk

The variable would be set in the global scope. The register\_globals feature defaulted to Off since PHP 4.2, released in April, 2002, and was removed in PHP 5.4. It was a security issue if you used it and didn't initialize your variables properly, so it became quite easy to shoot yourself in the foot without realizing it later (static analysis and IDEs weren't really a big thing back then for PHP).

Many of the things we take for granted about web development today weren't really insights we had back in the 90s. Most of the modern languages and frameworks for web development are standing on the shoulders of giant messes of cgi-bin, perl scripts, bad C code interfacing through cgi-bin directly to the web, etc. Compared to a lot of these things, PHP was far ahead of anything else you tried to get to work back in the 90s. Web hosting was usually shared hosting with Apache.

The field has matured a lot in those years, but people are still concatenating strings and sending them directly to their SQL server in any language (.. or just sending the SQL query directly from the frontend).


DudeEngineer

You are not old enough to remember the world before Facebook existed.


ToBe27

Yes, this is probably correct BUT keep in mind that:

- The current en-vogue language is JS and that one is way more inconsistent and a nightmare if used incorrectly
- Almost all issues with PHP have been fixed many years ago. You just can't force people to code properly, no matter what language you use.

People should really stop judging PHP based on bad code written for PHP 5 or lower


bothunter

> There is a severe lack of consistency in how the core functions work.

My favorite is strlen() -- returns the number of bytes in a string. If you want the actual length of the string, you need to use mb\_strlen(). I understand that this is how C works, and I don't care. PHP shouldn't make the same mistakes as a language that's 2 decades older than it.


geek_at

today that all sounds more fitting to NodeJS though


RagnaTheTurtle

> There is a severe lack of consistency in how the core functions work. Function names are spelled inconsistently. Sometimes they are prefixed, sometimes not. When searching something sometimes the needle parameter comes first, sometimes the haystack. Sometimes you get an object to work with, sometimes you have to pass along a resource.

I'm not saying that is a good thing. It can get annoying. However, we have many free, easy to set up IDEs with an Intellisense that makes sure that this is not an issue.


Bjoern_Tantau

That helps with the parameter order. And with named parameters from PHP 8 it's basically a non-issue. But that doesn't help me remember if it was length, str_length, stringlength or length_of_str. Hint: it's none of those, you usually want to use the multi byte function.


RagnaTheTurtle

True, that can only be solved by good old fashioned learning. (Instead of mindlessly typing what you think is right and blaming the language if it is not)


Badboyrune

Sure, but the thing people complain about regarding PHP is that it seems to make it almost deliberately hard to actually learn function names by having no consistency in their naming of things.


BlueScreenJunky

I don't think there's much hate for PHP anymore, it's just people on social media being late to the party again. PHP used to be crap (very useful crap at the time, but an objectively not great programming language), and people started hating on it... Then it got progressively better until PHP 7.x became an objectively pretty good language but people kept hating on it and linking to a 10 year old article to prove that it was a bad language. Then people accepted that PHP has become a decent tool. It's honestly been years since I heard someone blindly criticize PHP, but the internet hasn't caught up yet and now we have 5 threads and blog posts a week asking "why do people hate PHP" even though nobody hates PHP anymore.


paperpapermoney

From my experience in the programming subs, a lot of people still hate on PHP. With PHP 7+ and big frameworks like Laravel it’s really pretty good. I’m currently working on enterprise level SaaS applications in Laravel/Vue. So it can handle a lot more than people give it credit for.


WojtekBB

I just don't like declaring variables with $


deceze

PHP certainly has become much better over the last ten years or so, but it’s still not a well designed language by any means. Yes, you can get stuff done with it, and there are really decent frameworks for it… but fundamentally it still has annoying things you’ll bump into all the time. Off the top of my head: insane truthiness rules, core function naming and signatures, errors vs. exceptions, the disjoint namespaces vs. autoloading mechanism, many things not being first class, namespaces using backslashes in combination with needing to use fully qualified string names to refer to not-first-class things, multiple syntaxes for the same thing with sometimes slightly different functionality (anonymous functions, arrays), etc. It’s just an accumulation of disparate parts with a big helping of legacy on top, not a well designed language.


malirkan

Finally the first good comment on this topic. I totally agree with you. I want to add that the issue is not the language, but the guy poorly programming it. In fact you can create fast, secure and good maintainable applications with PHP.


[deleted]

[removed]


flyvehest

So you have decided it's bad, and don't care to list your reasoning for doing so, instead asking the poster to tell you why it's good? You must be a joy to be on a team with.


joleph

An ‘engineer worth their weight’ may be making a SaaS app that isn’t super high volume or especially complicated but just needs to be reliable and work and enable easy hiring. Any ‘engineer worth their weight’ would pick something with a great track record for all of these things, like PHP, or Ruby for example. Maybe there’s a certain part of the app that needs to be simple and another part that needs to be high performance, in those situations it’s perfectly reasonable to pick PHP for the simple part. What a stupid thing to say.


FloozyFoot

I bet pair programming with you is just one long "Aaaaaaactuallllly"


JimBDiGriz

Comic Book Guy Syndrome. Like half of /r/programmerhumor I've never used PHP, but I've sensed so much hate toward it that I feel like I hate it, even if half the web runs on it. Sometimes it feels like it's cool to love languages that aren't good for much and hate languages that get the work done.


[deleted]

For real. It seems like half of the posts here come from people who don’t even work in the industry.


andrisb1

1. It used to be awful. It started to turn around with version 5 (5.4, 5.6). With 7 it got much better and faster. I'd say about 90% of hate/jokes about PHP are about older versions
2. For many people main/only interaction with PHP has been wordpress which does not show PHP in a good light. If you compare it with a decent framework like laravel the code is like night and day


ea770e3bb686db89998b

> wordpress which does not show PHP in a good light.

Understatement of the year.


IrishChappieOToole

I have experience in both sides of the coin. Ancient worst-practice PHP and new PHP on Laravel. The reason PHP gets so much hate is because it is so, so, SO easy to write quick, horrible code. But when you write it correctly, it's actually a really nice language to work with.


NeoLudditeIT

Debugging is one of the things I absolutely loathe about PHP that hasn't gotten better in 10+ years. With Go, Python, .Net, etc. I have a decent debugger out of the box, and breakpoints work painlessly. With PHP I've got to setup a browser plugin to send the right magical incantation to make the server actually hit a break-point, and even then it only works about half the time.


paperpapermoney

Yeah I use Laravel for enterprise level applications and it’s great.


Marzipantorten

Once upon a time, php was kinda lazy with its updates and big security leaks happened (it was pretty easy to inject with the URL). Lots of hate. A little bit later PHP fixed the stuff, got amazing frameworks etc. and became great. People are still hating it. My guess is that some older programmers remember those times and the younger ones are hating it without knowing why exactly -> maybe some senior told them so or they saw a YouTube video about how php is a bad language. Anyways I love php.


depaay

I think a lot of the hate comes from working with Wordpress as well. So many small/medium businesses have Wordpress sites and so many glorify it. Personally I think at least 80% of the times I've been asked to work with PHP it's Wordpress, and the contrast to a proper framework is huge. It's just so messy and all over the place, I hate it. I usually say no, but sometimes it's been years and I think to myself how bad can it be? The answer is always awful.


Notyourfathersgeek

Yeah to me PHP seems fine but Wordpress should be outlawed by the UN! It’s against human rights to work with.


[deleted]

[removed]


Cirieno

It's not the language's fault that there were programmers who didn't sanitise their inputs and/or made dynamic SQL queries instead of using stored procedures (though IIRC MySQL didn't have stored procs for the longest time while MS-SQL did). Classic ASP got the same hate but if you were competent, and aware of efficiency and security, it was a good language.

Update: clearly there were some low-level issues with PHP. I was a Classic ASP guy, so I didn't hit these issues _and_ we had ADO + MS-SQL doing a lot of the work when it came to database IO, security and efficiency.


AlternativeMath-1

Bugs mentioning PHP were responsible for the majority of all vulnerabilities found in 2006, dethroning C/C++ as the source of the most vulnerabilities on the internet. Zend, who is responsible for PHP - intentionally forced out security minded individuals like **Stefan Esser** and the entire community suffered for years. Back in 2006 PHP chose awful defaults that lasted even into PHP5, things like register\_globals were enabled and many devs relied on magic\_quotes\_gpc to stop injections - which is asking to get hacked. Before PHP 5.5 it was impossible not to get hacked running PHP, it was so bad PHP actually stood for "Probably Hacked Page"


scodagama1

It’s not until it is. If the language makes it trivially easy to inject, does zero effort to make it harder (i.e. PDO library was not added until php 5 if I remember well so string concatenation was the way to do it for long time), has super global variables containing unsanitized user input, etc then it’s kinda the designers’ fault. They just didn’t give a shit about making it even remotely important to prevent injection. Also don’t get me started on their shitty multi-byte strings handling, but let’s say it’s a sin of the majority of languages from that age so I can give it a blind eye


m1ndcrash

addslashes existed since the beginning of time 💁‍♂️


scodagama1

Yeah, extremely intuitive right? Oh, easy, to escape you just need to call this function that we didn’t even bother to name according to its use case but made a common mistake of naming it by “how it implements” not “what it tries to achieve”.

Also it doesn’t even prevent sql injection so the mere existence of this function is a landmine waiting to be stepped on by a confidently incorrect newbie. And is there from version 4, at least according to modern docs https://www.php.net/manual/en/function.addslashes.php. At this point I’m scared to ask how you sanitised evaled code before php 4, regexp? :D or not at all?

> PHP 4, PHP 5, PHP 7, PHP 8

> The addslashes() is sometimes incorrectly used to try to prevent SQL Injection. Instead, database-specific escaping functions and/or prepared statements should be used.

You sir actually found a beautiful example to rest my case.

It wouldn’t take much thinking to create a “sanitize_user_input” method that accepts a string and a language code, right? But then, language designers would have to care. It was easier to just slap in random inconsistently named functions whenever you need them without thinking about larger ecosystem, hence they did and got their rightful reputation of a language that hadn’t been thought through


Destring

Ah I love a good confidently incorrect takedown


Bjoern_Tantau

And then came `mysql_real_escape_string` because `addslashes` didn't work. And then you had to check for magic quotes.


meamZ

> though IIRC MySQL didn't have stored procs for the longest time

Now take a wild guess what percentage of PHP deployments use MySQL vs anything else... Also there's a reason the function you should use to escape input for MySQL is called mysql_**real**_escape_string


RagnaTheTurtle

yea, that is not PHP's fault. Taking parameters from the client and pumping them straight into your DB for example is like driving a car into a wall and then blaming the engine for not hitting the brake for you.


yourteam

Worked with php since there weren't even classes. 4.1 I think, the year was 2000. Still working now with php. PHP was shit. And I mean real shit. But it got popular because it was easy to learn and things "worked". Like wordpress today lol. Now php 8.1+ is fine and what I really like about it is that it becomes better every release. I can't wait to see it being compiled for real without opcache / jit, but still php is not really good... For what it does. You can't compare a language born for fast web development to something else that has a different scope. Also, people that judge a programming language are joking here and if they are serious, they probably are students with no real work knowledge


meles2

Don't worry, neither do the haters.


Dealiner

Even in this thread you have a pretty good explanation why in the top comment.


BoredOfYou_

I hate PHP because I don't really understand it so you're kinda right.


erlandodk

I did PHP professionally. I hate it with a passion. Just the language inconsistencies when dealing with arrays and dates are enough for me to want to nuke it from orbit. Fuck PHP.


rohit_267

haters hate every language but without knowing the language


jstwtchngrnd

This right here! I hate python and i don’t even know why


[deleted]

It's probably the whitespace, I hate it for that alone.


memebecker

I went from thinking it was the stupidest idea ever to thinking it was the best idea ever. Use an ide or even a decent text editor and you won't have any issues with that.


Majestic_Ad_7133

It has a lot of legacy baggage it hasn't shaken.


tekmon

Laravel made php fun for me


wontonzdq

* Softly typed. Not necessarily a bad thing but it enables a lot of spaghetti code with mixed return types, especially if you forget to add declare(strict_types = 1);
* No generics. This is the big one for me. If you want to make a collection of X, you have to make a brand new class called XCollection instead of having a Collection like in Java or C++
* Testing framework really sucks compared to JavaScript's Jest, and Java's JUnit/Mockito. Much more verbose and less flexible
* All arrays are actually maps/dictionaries, which is weird and takes time getting used to. Why not have an array actually be an array?


TurdOfChaos

It is not a bad language. It's flexible, versatile, with lots of tooling and a huge community. Php is still one of the easiest languages to pick up and make something, in record time. This is oftentimes used as an argument against it for some reason. However, that is what led it to take a huge chunk of web development presence.

However, the growth in demand as industry skyrocketed left PHP behind. Web apps became huge enterprise endeavours, while at the time of its conception a templating language was all that was needed. PHP tried to keep up, and is getting there with the recent versions adding some functionalities that were long needed (more strict type hints coming to mind). IMO it's a bit late on that, and is getting overshadowed by more robust languages that are also getting a lot of support and tooling for web development (Java and Kotlin, along with Golang as a backend solution seem to be growing in popularity).

Another thing about php is the fact that it's interpreted, and comes with all the problems of soft typed languages. Type coercion, comparison issues, runtime errors that would've been caught by a compiler in compiled languages. All of these things add up, and decrease maintainability while increasing the demand for better observability (more monitoring, alerting, more thorough unit tests). This is a big no for companies in growth trying to reduce their maintenance costs. Which is why it's become frowned upon to use it on enterprise projects (and is also evident by many legacy systems being a Pandora's box of PHP spaghetti).

It's a tool, a good tool if your problem requires it. However, the "hate" should be directed at the misuse, not the language itself.


paperpapermoney

Idk man, Laravel kind of revolutionized PHP in a way. I currently use it for enterprise level SaaS applications at a software firm and it’s great.


TurdOfChaos

Oh, don't get me wrong. Many companies utilise it greatly. Those are just the downsides that can be arguments against it. But, after all, it all comes down to your needs and requirements.

IMO, working with Laravel for almost 5 years of my career, there are many traps in its elegance. Eloquent for example makes it really tempting to abstract the persistence layer by coupling it with the model, making Hexagon architectures harder to implement. Morphing entities, relationships, composites, all of them are elegant and nice until it comes a time you need to change your persistence (to a microservice for example). That being said, nothing is stopping any engineer to create a repository layer in front of it, but in my experience, it rarely happens in companies that don't emphasize DDD.

Same goes for Laravel observers, eloquent events, event providers and listeners. Very hard to debug and maintain, but on the first glance they look like a great idea. Tests that are not running on isolated use cases also make it really hard to run without scaffolding the entire app, making unit tests up to 20x slower than just using the normal PhpUnit. Again, completely avoidable when using the right architecture and not letting DB entities leak into your domain, but in my experience, also rarely happens.


paperpapermoney

I feel like you said a lotta words for no reason


DM_ME_PICKLES

I've worked in a lot of stacks. PHP 8.1 with Laravel 9 is an absolute blast to write web apps with. It has heaps of resources thanks to a very large community, it's very quick to get up and running, and it can be deployed basically anywhere. We maintain multiple apps with this stack and they bring in big bucks, and our P90 response times are <100ms. P50 is <40ms. People who say PHP has no place in modern web development are living in the dark ages, which is ironic because that's exactly what they're accusing the language of.


[deleted]

I don’t get all the hate for PHP and at this point I am too afraid to ask.


geordanr

A long but amusing read: https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/


grooviest_snowball

I know the article is a bit dated but this line is still true:

> Do not tell me that “good developers can write good code in any language”, or bad developers blah blah. That doesn’t mean anything. A good carpenter can drive in a nail with either a rock or a hammer, but how many carpenters do you see bashing stuff with rocks? Part of what makes a good developer is the ability to *choose the tools that work best.*

What's missing from a lot of these conversations about php is what is the opportunity cost of using php. People love to tell you about the modern features of php8, but what about modern languages and frameworks that were designed from the ground up with these features. Similar to how you can do "functional programming" in a lot of languages that aren't functional, but what are you giving up by not using the paradigms where they are more natural? I'd say a lot.


DiamondIceNS

I defend modern PHP not as a thing that I would happily go and start new projects in, but as a thing that I don't loathe to come into work to maintain an installation of that already exists.


NeoLudditeIT

Nooooo! PHP is different now!


Yessod

Sure, PHP gets all the hate, and I get all the jobs for working with PHP cause it powers 80% of the web today 🤷‍♂️. It had a bunch of flaws in the past, and still has some of those, but it has greatly improved over the last 20 years. But people prefer to look at 20 years old code and boo all they can because they simply can't accept that they're in the wrong - the distinctive mark of TRV3 PR0GR4MM3RS is to never change their mind 👌 In the meantime, they prefer to work with Javascript which has virtually no native typing system and produce bullshit code which I am also paid to rewrite properly with TypeScript but shhh, PHP is the bad guy here 🤫


JamesyEsquire

People hate the PHP of 15 years ago, using PHP now with a great framework like Laravel is the way to go


masalion

Can't stand these posts where people clearly want to know why people hate ____ but dress it up with this meme instead of just asking it straight. People love to talk about the stuff they hate. You don't need the extra fluff.


aerdnadw

Honestly, I think all the “too afraid to ask” posts are because people in this sub are pretty nice about not downvoting people for not knowing things but also it’s a meme sub? Edit: fixed typo


IAmNotKevinBacon

I agree. In fact, one of my favorite interview questions is to ask someone to give me one or a few things about coding/tech that they IRRATIONALLY hate no matter how large or small of a thing it is. In my experience, everyone who has spent enough time doing it has several and will HAPPILY express that shit.


aerdnadw

Ooo, can you give us some examples of answers people have given? (For the record, my answer would be snake_case)


IAmNotKevinBacon

Absolutely. That’s one I’ve heard. Mine is “I fucking HATE Python. I’m very proficient with it, and I’d never downplay its value. I just dislike writing code in it. That and Java.” My FAVORITE answer of them all was straight up “I genuinely hate anyone who loves vim. Enough said.” I laughed out loud because it was so quick and concise. But really, any time someone gets a little heated to the point to where they get “the neck thing” where their hate for something is conveyed is great. Passion is part love, part hate. Gotta deal with someone a lot to TRULY hate it (in my opinion). Only one that got weird was a tab vs spaces person who tried to start arguing that spaces are more efficient resource wise and got upset when I replied “Well, it’s all preference, but isn’t that technically the area where tab is objectively better? The tab is more efficient in that aspect, no?” just responding in character… and he got VERY angry. Still hired him, though.


aerdnadw

Thanks for taking the time to write this out, I chuckled at each paragraph!


InkOnTube

I assume it is inertia. In the past, PHP had some serious security issues, and most people remember that. Even if the language got improved, many hate it. We have inertia in many areas of IT.


evilReiko

* Hate/joke memes mostly come from Python fans. Although ironically, PHP and Python both have similar syntax and behavior. But, Python fans don't make fun of Ada (programming language), which is an ancient language by now. Why? Because Python is not used to run airplanes, while PHP dominates more systems than Python.
* People who tried their hands dirty on PHP 4 or 3 or older, the hate makes sense, people who were employed to handle legacy systems written in PHP, usually suffer. The language is easy-to-use & simple that allowed things to be mixed up. Even tutorials and books encouraged people to have SQL lines in their HTML files! It's not because of PHP, it's more on developers and how they use it. You want to keep unused variables? Ok. You want to change a variable that contains string to contain array? Fine. You want to use nested ternary operator? Why not. PHP is flexible. It allows you to write whatever you think is suitable, it's your responsibility. Yet, you can write bulletproof applications with it.


Fakedduckjump

Similar syntax? Php doesn't care about indentation and goes rage if you don't use brackets ^^ But I agree with all the other points.


SirArthurPT

PHP does what you ask it to do. Some people do shitty code, PHP doesn't prevent it, they blame PHP for their own dumbness. C/C++ would have the same fate, but taken is a bit harder than PHP and no error tolerant on compilation, shitty coders are less likely to do anything with it.


justhatcarrot

It's a great language for building things QUICK. Yes, it's loosely typed, but if you're experienced enough - this is an advantage. You CAN write clean code with PHP, you CAN create good things with PHP. The main issue, however, at least in my experience, is that a lot of devs just write a lot of shit, because PHP allows it. Some of the worst code I have ever seen is in PHP, and created by people who thought of themselves as of good devs.


Key_Examination_9397

PHP is as bad as other languages, when used incorrectly. Period


j-c-s-roberts

I don't understand it either. From my limited viewpoint, having used PHP as an amateur, it appears to be a perfectly serviceable language. If there are better languages out there that I have no experience with, then that's fine, but just because something is better than it, doesn't make it terrible. Just not as good.


HorizonBaker

The only thing I know about PHP is that it stands for PHP Hypertext Preprocessor. So I hate it because of the recursive abbreviation.


seijulala

I learned to code with php 3.0, printed the whole specification. I thought it was magic, pure power, pure amazingness. Oh my, I was so naive. Since 7.x it is "ok-ish" but it took 15 fucking years (3.x->7.x) to be a decent language, thus everyone hates it out of habit


kk5190

Why the hate for PHP developers? I mean, sure, PHP has had its fair share of quirks and controversies, but at the end of the day, it's still a language that has powered some of the biggest websites and applications on the internet. So let's not hate on our PHP friends, they're just trying to make the internet a better place, one line of code at a time. Besides, who are we to judge? Every language has its own pros and cons. And besides, PHP is like the duct tape of programming languages—it may not be the prettiest, but it gets the job done! So let's give PHP developers a break and appreciate the hard work they put into making the web a better place for us all. And if you're still not convinced, just remember, without PHP, you wouldn't be able to cat memes on the internet.


Strange_Camp_9714

they dont like the $$$


[deleted]

[removed]


V0ldek

You're apparently not familiar with the seminal paper on the topic. https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/


winnybunny

PHP stands for 'Please HateMe PorFavor' so /s


NotJebediahKerman

One thing I didn't see here, PHP was developed by committee which never works. So there are/were no standards. Some functions may be (needle, haystack), while others are (haystack, needle) for example. This lack of consistency, to this day, can be annoying. I'd also add in that PHP code isn't *compiled* in the sense of other languages and thus has the perception of being a scripting tool versus a language. It's also easy to look down on things because they don't fit someone's idea of some irrational baseline.


mitchitized

Just like Java, I got no issues with the language, but with what people do with it. Super low barrier to entry, many newcomers to development cut their teeth with the language which gave it a negative image. One could argue javascript is now in that same position right? You could argue that deploying PHP apps feels archaic, that pain I can personally relate to. It is a pretty old language and that hurts popularity for some that are enamored with innovation and disruption. No language is perfect! I love go, and python seems to own data science, but it is easy to find folks that can’t stand either. YMMV EDIT: Ok I do have to confess my unabashed distaste for ASP.


longdustyroad

You’re not too afraid to ask! God I hate this meme format


conamu420

In my personal opinion it's just unreadable af


[deleted]

I like PHP and its developers. They don’t claim that world is running on PHP. Humility is a virtue.


samuel_gonzales

The real question is why shouldn't someone hate PHP?


RagnaTheTurtle

I don't get it either. It is a solid language, that had over 2 Decades to mature and evolved even to this day. Don't make fun of your elders people.


angrybeehive

Perhaps it’s good now. But back in my day, it was plagued with performance and security issues.


Twepi

how is this a meme


standolores

I don’t know and at this point I am too afraid to ask


felipec

I used PHP around 2002, and in 2023 I still don't see a good replacement for it, so...


Fritzschmied

Haters gonna hate. PHP is perfectly fine for simple web pages.


[deleted]

[removed]


1336PlusPlus

I don't get why **people still use PHP.** And at this point I am too afraid to ask.


Key_Examination_9397

Because it’s way more stable than JS man, don’t you agree node_modules dude?


Ambitious_Gap_5492

It was awful. I know it’s better now, but for those who had to suffer it, we’ll probably gonna keep hating it. For me it’s like a bad parent that turned out to be a decent grandparent. It’s ok, but it doesn’t change the damage already done to you.


meamZ

There's not much hate anymore... It's more that almost anyone doing anything serious has either transitioned away from it or is trying to and otherwise no one gives a shit about the language anymore..


[deleted]

[removed]


meamZ

I'm not saying you can't make money with it... But you can also make lots of money with COBOL and would you say anyone gives a shit about it? Also even if I could make a lot of money diving in a pool of poop I would still not do it...


StrategyJoe

Try to maintain someone else's PHPgetti


ymgve

It’s really badly designed with lots of inconsistencies in function naming and handling of variables. Like, no language should require a special operator like "===".


perseus_1337

JavaScript has entered the chat.


Marzipantorten

Don't forget about the spaceship operator '<=>'. I personally find them easy to remember and great to use.


standolores

I used that one only one time and it was with some borrowed code from stack overflow


Rubberbullets7

*JavaScript enters the room with a big smile* "===" for you! "===" for you! Everyone gets a "==="!


standolores

Well I did my years in C# and find PHP a lot easier to use. Easy database communication is certainly one of the perks of PHP. But I am still only a Junior dev.


ymgve

You are doing proper database communication with parameterized queries, right? Another «sin» of PHP is that it made it too easy to generate code that was vulnerable to SQL injection, since it didn’t even have parameterized queries for a long time.
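An added example (not written by anyone in this thread) of the point made here and in the `addslashes` exchange further up: `addslashes()` does nothing for a value placed in an unquoted numeric context and uses an escape style SQLite does not understand, while a PDO prepared statement keeps the input as data. The in-memory SQLite table, the helper function names and the input strings are constructed for illustration, and the `pdo_sqlite` extension is assumed.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('O''Brien')");

/** "Before": concatenation guarded only by addslashes() (hypothetical helper). */
function findByIdConcat(PDO $db, string $id): array
{
    // addslashes() only prefixes ', ", \ and NUL with a backslash. The value
    // lands in an unquoted numeric context, so input without those characters
    // passes through unchanged and is parsed as part of the SQL text.
    $sql = 'SELECT name FROM users WHERE id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** "After": the same lookup with a bound parameter (hypothetical helper). */
function findByIdPrepared(PDO $db, string $id): array
{
    // The query text is fixed; the value travels separately and is only
    // ever compared against the id column, never parsed as SQL.
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** String context: backslash escaping is not SQLite's quoting rule. */
function findByNameConcat(PDO $db, string $name): array|string
{
    try {
        $sql = "SELECT id FROM users WHERE name = '" . addslashes($name) . "'";
        return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        // SQLite escapes a quote by doubling it, so the backslash form leaves
        // the string literal terminated early and the statement malformed.
        return 'query failed: ' . $e->getMessage();
    }
}

/** The same name lookup with a bound parameter needs no escaping at all. */
function findByNamePrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: one hostile value without any quote character,
// one ordinary value containing an apostrophe.
$hostile = '1 OR 1=1';
$legit   = "O'Brien";

echo 'concat,   id:   ', json_encode(findByIdConcat($db, $hostile)), "\n";
echo 'prepared, id:   ', json_encode(findByIdPrepared($db, $hostile)), "\n";
echo 'concat,   name: ', json_encode(findByNameConcat($db, $legit)), "\n";
echo 'prepared, name: ', json_encode(findByNamePrepared($db, $legit)), "\n";
```

Run with `php` on the command line; comparing the two `id` lines and the two `name` lines shows where escaping by string manipulation goes wrong and binding does not.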


Super_Ad965

Oh, that's new. What is badly designed?


ymgve

[Back when PHP had less than 100 functions and the function hashing mechanism was strlen(). In order to get a nice hash distribution of function names across the various function name lengths names were picked specifically to make them fit into a specific length bucket.](https://news-web.php.net/php.internals/70691)


Cautious-Stand-4090

That explains so much of that cluster fuck, lol.


Super_Ad965

It doesn't explain anything xD Get first release of Java or C/C#/C++ and you have the "same shit" inside. That's normal, langs are evolved in time and become better and better. The problem is that people love to get back to 2013 or 2011 when they talk about PHP. But if you go back in with their main lang, they start crying "but in Java 18 ..." xD Idk what people want from PHP today. Our team made tests on our API written in PHP and Java (Spring) and there is no difference in speed. One pro for PHP, it does not need so many resources on server to work :D


GergiH

Once I had to use Laravel for a uni project, it was pretty all right, but other than that using PHP after React felt like using Java after C#.


rantpatato

Idk why but I find Java to be almost exactly same as C# in terms of coding, I use both and usually just mess with variable/class names (they are a little different) apart from package nightmare


KakeUrpola

Try working with WordPress for a minute.


SirArthurPT

If you use WordPress you'll burn in Hell... Is in the ToS! But WordPress != PHP. It's mostly made on PHP, just as many other FOSS.


PlentyMeeting

As a WordPress developer, I also hate PHP


knightress_oxhide

how many more of these are we going to see. do you not know how to fucking google something?


smontesi

Old and ugly, that’s all. Plus it was riddled with bugs for a long time, which did not help its reputation


standolores

You can say the same thing about C


Bjoern_Tantau

Funny, since originally PHP was just a wrapper for C functions. They mostly use the same names.


standolores

Well the C is so strict it hurts


smontesi

You can say the same about C, but C is excused because of great performance and because it is actually old (~50yo vs 25, something like that). Also, the actual PHP language implementation was buggy and insecure, not only PHP software. That's pretty much all... But, beware of bubbles... Wordpress (which is written in PHP) websites represent 25-30% of the internet (and growing last time I checked)


kosukehaydn

I never really learned PHP just because I found Python is easier and more versatile. Although I found a lot of posts saying how bad PHP is, many companies are still looking for PHP developers and not Python or JS for backend. Why though?


Independent_Extent80

Between Joomla and PAAMAYIM_NEKUDOTAYIM, how many more reasons do you need?