I would rather be unemployed than forced to write code in PHP

My blog currently uses WordPress. I’ve written numerous times about the various PHP-based attacks I see every day because of the stupid security mistakes PHP programmers make. I’ve also made a few changes to the WordPress software to make it saner about handling and logging requests. Thus I knew PHP was awful from my own limited interaction with it. Then I came across this article: PHP: a fractal of bad design. This one point from that article should be enough to result in a death sentence for the language:

PHP’s one unique operator is @ (actually borrowed from DOS), which silences errors.

Holy shit! The developer(s) of PHP remind me of a coworker in my first post-college job. He thought he could design and implement a new language. Yet he had no idea what the computer science terms “parser”, “lexical analysis”, “tokenizer” etc. meant. I suspect he would be welcomed by the PHP community.
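An added example, not from the post or from WordPress, showing what the `@` operator quoted above actually hides and how a defender can still log the errors it suppresses. The config path is a constructed placeholder that is assumed not to exist.

```php
<?php
// The @ operator discards the warning fopen() emits on failure, so the script
// silently carries on with $fh === false and returns an empty string.
function read_config_silently(string $path): string
{
    $fh = @fopen($path, 'r');               // warning suppressed; false if missing
    $data = $fh ? fread($fh, 4096) : '';
    if ($fh) {
        fclose($fh);
    }
    return $data;                           // "empty file" and "open failed" look identical
}

// Hardened variant: check the return value explicitly and fail loudly.
function read_config_checked(string $path): string
{
    $fh = fopen($path, 'r');
    if ($fh === false) {
        throw new RuntimeException("cannot open config: $path");
    }
    $data = stream_get_contents($fh);
    fclose($fh);
    return $data;
}

// Defensive logging: a custom error handler is still invoked for @-suppressed
// errors; suppression only changes what error_reporting() returns inside it,
// so the handler can tag and log them instead of letting them vanish.
set_error_handler(function (int $errno, string $errstr, string $file, int $line): bool {
    $suppressed = (error_reporting() & $errno) === 0;
    error_log(sprintf('%s%s in %s:%d',
        $suppressed ? '[suppressed] ' : '', $errstr, $file, $line));
    return true; // handled; do not fall through to PHP's default reporting
});

$missing = sys_get_temp_dir() . '/no-such-file.conf'; // constructed; assumed absent
var_dump(read_config_silently($missing) === '');     // bool(true): failure hidden
try {
    read_config_checked($missing);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;                  // failure surfaced to the caller
}
```

Both calls reach the handler, so the suppressed one still appears in the error log with a `[suppressed]` tag, which is the signal to grep for when auditing a PHP codebase.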

Published by

Kurtis Rader

I'm first and foremost a Secular Humanist and Atheist. To pay the bills I'm a software engineer. When not working I walk or play with my dogs, read lots of non-fiction (and some fiction), and watch lots of movies.

One thought on “I would rather be unemployed than forced to write code in PHP”

  1. The main reason there is so much bad code written in PHP is that the language is popular and hence easy to learn for beginners, because there are many resources readily available. Although, a big part of those resources is written by other incompetent developers.

    I agree that there are many stupid features and strange design decisions in PHP, like the mentioned error suppression modifier, but they have survived so long because at some point PHP core developers decided to have backward compatibility as far back as possible.
    Some “features” lack any logical reason and I still have to look up argument order for some functions.

    Both reasons have led to many instances of insecure code, but an incompetent developer will write insecure code no matter what language he’s using. A good indication is the typical buffer overflow cases in projects written in C et al. IMO, writing C requires much deeper understanding and expertise than writing a sloppy PHP upload script (or finding one online), but a security-conscious developer will not make those 101 mistakes.

    The recent multiple libstagefright issues came to mind and that code affected more than 950m devices and still affects many. Mozilla also used the library, but they fixed the issue before public disclosure. Unlike many Android device manufacturers who will sit on their hands to meet the bottom lines.

    Back to PHP, people have tried to determine the most secure/insecure server-side language by using statistics, but there is no clear correlation besides the fact that PHP is the most frequently used language in web development.
