PHP: A Fractal of Bad Design



  • @essay said:

    I can’t even say what’s wrong with PHP, because— okay. Imagine you have uh, a toolbox. A set of tools. Looks okay, standard stuff in there.

    You pull out a screwdriver, and you see it’s one of those weird tri-headed things. Okay, well, that’s not very useful to you, but you guess it comes in handy sometimes.

    You pull out the hammer, but to your dismay, it has the claw part on both sides. Still serviceable though, I mean, you can hit nails with the middle of the head holding it sideways.

    You pull out the pliers, but they don’t have those serrated surfaces; it’s flat and smooth. That’s less useful, but it still turns bolts well enough, so whatever.

    And on you go. Everything in the box is kind of weird and quirky, but maybe not enough to make it completely worthless. And there’s no clear problem with the set as a whole; it still has all the tools.

    Now imagine you meet millions of carpenters using this toolbox who tell you “well hey what’s the problem with these tools? They’re all I’ve ever used and they work fine!” And the carpenters show you the houses they’ve built, where every room is a pentagon and the roof is upside-down. And you knock on the front door and it just collapses inwards and they all yell at you for breaking their door.

    That’s what’s wrong with PHP.

    In case you ever wondered why PHP is so hated. Full article is worth a read.



  •  YES.



  • He's so right. Quote: "PHP is a community of amateurs" - for  a good example, I give you http://sourceforge.net/projects/ldapauthmod/files/. From the installation instructions:

     

    ## Installation Level: moderate
    ## Installation Time: 30-45 Minutes
    ##
    ## Files To Edit: (17)
    ##     common.php
    ##     login.php
    ##     search.php
    ##     admin/admin_users.php
    ##     admin/admin_board.php
    ##     admin/admin_groups.php
    ##     includes/functions_selects.php
    ##     includes/page_header.php
    ##     includes/usercp_sendpasswd.php
    ##     includes/usercp_register.php
    ##     language/lang_english/lang_admin.php
    ##     language/lang_english/lang_main.php
    ##     templates/subSilver/overall_header.tpl
    ##     templates/subSilver/profile_add_body.tpl
    ##     templates/subSilver/admin/group_edit_body.tpl
    ##     template/subSilver/admin/user_edit_body.tpl
    ##     templates/subSilver/admin/board_config_body.tpl

    [stuff omitted]

     #
    #-----[ OPEN ]-------------------------------------------
    #
    common.php


    #
    #-----[ FIND ]-------------------------------------------
    #
    include($phpbb_root_path . 'includes/db.'.$phpEx);


    #
    #-----[ AFTER, ADD ]-------------------------------------
    #
    include($phpbb_root_path . 'includes/functions_ldap_groups.'.$phpEx);
    include($phpbb_root_path . 'includes/functions_ldap.'.$phpEx);

    This madness continues for 1100 more lines.




  • I've never used PHP, but this article reinforces my impression. The language looks like the sort of thing you do when you're messing around, trying to figure out some concepts. Since you don't really understand what you're doing yet, you do some things incorrectly and inconsistently. Eventually, you get a handle on what you're trying to learn, and you throw out your scratch work and start over with a better understanding and an idea of things to avoid.

    But they never threw out their initial sandbox, and are trying to patch over the original nonsense with newer stuff that they've seen in other places. Unfortunately, they're doing the same thing over and over with these new concepts. It's an awesome spiral of amazing.



  • I simply love their solution for the integer overflow vulnerability:

    if (size > INT_MAX) return NULL;

    But they recognized the error of their ways and concocted this new sanity check:

    if (size > INT_MAX || size <= 0) {
        return NULL;
    }

    With size being a float.



  • Shouldn't they be working with size_t in the first place if it's an allocation size



  • @blakeyrat said:

    What’s wrong with PHP

    I'm still voting for $igils.



  • @nexekho said:

    Shouldn't they be working with size_t in the first place if it's an allocation size

    That's what the current version looks like:

    int charsize = sizeof(char);
    /* still the same float-based calculation here */
    if ((size > INT_MAX || size <= 0) || ((size * charsize) > INT_MAX || (size * charsize) <= 0)) {
        return NULL;
    }

    Yeah, I'm also not quite sure what those guys are smoking.
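
Added example, not part of any post in this thread and not PHP's own code: the quoted guard with `size` held in a float, next to the same size calculation done in `size_t` with an explicit overflow check. All function names and the sample values are hypothetical.

```c
#include <limits.h>
#include <math.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper modeled on the check quoted in the thread, with the
 * size held in a float. Returns 1 when the guard lets the allocation go on. */
int float_guard_accepts(float size)
{
    /* The cast only makes the implicit int-to-float conversion visible:
     * 2147483647 has no exact float representation, so the bound itself is
     * rounded. Every comparison with NaN is false, so NaN passes both tests. */
    if (size > (float)INT_MAX || size <= 0) {
        return 0;
    }
    return 1;
}

/* Hypothetical float-based size calculation: count elements of elem_size bytes. */
float float_size(size_t count, size_t elem_size)
{
    return (float)count * (float)elem_size;
}

/* The same calculation in size_t with an explicit overflow check.
 * Returns 0 and stores the byte count in *out, or -1 if the request is
 * empty or the product does not fit in size_t. */
int checked_size(size_t count, size_t elem_size, size_t *out)
{
    if (count == 0 || elem_size == 0) return -1;
    if (count > SIZE_MAX / elem_size) return -1;
    *out = count * elem_size;
    return 0;
}

/* Allocation wrapper that refuses any request checked_size() rejects. */
void *checked_alloc(size_t count, size_t elem_size)
{
    size_t bytes;
    if (checked_size(count, elem_size, &bytes) != 0) return NULL;
    return malloc(bytes);
}

int main(void)
{
    size_t need = 16777217u; /* constructed input: 2^24 + 1 bytes */
    size_t bytes = 0;

    printf("guard accepts NaN: %d\n", float_guard_accepts(NAN));
    printf("float size for %zu bytes: %.0f\n", need, (double)float_size(need, 1));
    if (checked_size(need, 1, &bytes) == 0)
        printf("size_t size: %zu\n", bytes);
    printf("overflowing request rejected: %d\n",
           checked_size(SIZE_MAX, 2, &bytes) == -1);
    return 0;
}
```

A float carries 24 bits of precision, so the float result for 2^24 + 1 bytes comes out one byte short of what is needed, and the range check never sees it.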



  • The sad part is that PHP's probably the best language for use on the web out there, although I've never looked at real CGI libraries so I'm not sure.

    PROTIP: HTML is not a graphics language, and developers should be trusted to write JavaScript.

    (Speaking of which, has anyone ever done server-side JavaScript right?)


  • Discourse touched me in a no-no place

    So all of the "the real WTF is PHP" trolls were right all along. Who knew?



  • @MiffTheFox said:

    The sad part is that PHP's probably the best language for use on the web out there
     

    Huh?

    Have you ever used .Net? I'm not saying it's perfect, but having used both PHP and .Net for an extended period of time, I know for sure that PHP is not the best.

     



  • @MiffTheFox said:

    The sad part is that PHP's probably the best language for use on the web out there, although I've never looked at real CGI libraries so I'm not sure.

    spits up coffee Are you for FUCKING REAL?

    C#/ASP.net? Python? Ruby?

    node.js? Ok I think node.js has issues, but you can't say it's worse than PHP.

    Fuck, I'd even say JSP is better than PHP, at least Java's organized and spitting out HTML on a server makes most of its disadvantages less of an issue. Yes, I would rather use Java than PHP.

    Miff doesn't have a history of trolling does he? Man. If I just got trolled, good one.



  • BTW my favorite bit is how PHP has parameterized queries as part of the PDO library, and yet their official documentation on SQL injection doesn't recommend using PDO!



  • @blakeyrat said:

    You pull out the pliers, but they don’t have those serrated surfaces; it’s flat and smooth. That’s less useful, but it still turns bolts well enough, so whatever.

    Who wrote this, Primitive Pete?



  • @blakeyrat said:

    @MiffTheFox said:
    The sad part is that
    PHP's probably the best language for use on the web out there, although
    I've never looked at real CGI libraries so I'm not sure.

    spits up coffee Are you for FUCKING REAL?

    C#/ASP.net? Python? Ruby?

    node.js? Ok I think node.js has issues, but you can't say it's worse than PHP.

    Fuck, I'd even say JSP is better than PHP, at least Java's organized and spitting out HTML on a server makes most of its disadvantages less of an issue. Yes, I would rather use Java than PHP.

    Miff doesn't have a history of trolling does he? Man. If I just got trolled, good one.

     

    JSP is... meh.  There are certainly better ways even in Java to do things.  I should note that dealing with JSPs other devs have written is part of my day job.

    @blakeyrat said:

    BTW my favorite bit is how PHP has parameterized queries as part of the PDO library, and yet their official documentation on SQL injection doesn't recommend using PDO!
     

    Whole chapters of PHP documentation never get updated.

    PHP also shows that home-grown feeling.  It started as a wrapper for C code, then expanded out from there... adding database support, object-oriented programming, etc...

    The scary part?  PHP 4+'s OO support is still more sane than Perl's OO support.



  • @blakeyrat said:

    Full article is worth a read.

    Meh, not really. Skimming it I found numerous factual errors, plenty of misconceptions and lots of silly bullshit. PHP has some annoyingly inconsistent shit in it, but so has every language I've ever worked with. This guy's complaint seems to be "This doesn't work exactly like Java/C# and that makes me mad!" Every language has its share of haters, so the fact that PHP has some is meaningless to me.



  • @powerlord said:

    It started as a wrapper for C code, then expanded out from there...

    No, it started out as a series of Perl scripts, as can easily be verified. Here's a tip: when you find yourself about to state something you really are clueless about, do a quick Google search and see if you are about to make a fool of yourself.



  • Is there any way you can use, say, Python inline with HTML just like you can with PHP? Something that vaguely sort of looked similar to this?

     <html>
      <head>
        <title> Welcome, <? POST["name"] ?>! </title>
      </head>
      <body>
        <p>
        <?python
    if int(POST["age"]) < 18:
        print("Sorry, you are not allowed to come in")
    else: 
        print('Please proceed to <a href="page"> our super page</a>')
        ?> </p>
       </body>
    </html>
    

    It might look ugly at first, but I think it's the best solution when you have static pages and need to add a few dynamic details (and might at least drive a few people away from PHP).



  • @morbiuswilters said:

    @powerlord said:
    It started as a wrapper for C code, then expanded out from there...
    No, it started out as a series of Perl scripts, as can easily be verified. Here's a tip: when you find yourself about to state something you really are clueless about, do a quick Google search and see if you are about to make a fool of yourself.

    But then he wouldn't make a fool of himself and you wouldn't be able to point it out.  We do this all for you Morby!



  • @Strolskon said:

    Is there any way you can use, say, Python inline with HTML just like you can with PHP? Something that vaguely sort of looked similar to this?

     <html>
      <head>
        <title> Welcome, <? POST["name"] ?>! </title>
      </head>
      <body>
        <p>
        <?python
    if int(POST["age"]) < 18:
        print("Sorry, you are not allowed to come in")
    else: 
        print('Please proceed to <a href="page"> our super page</a>')
        ?> </p>
       </body>
    </html>
    

    It might look ugly at first, but I think it's the best solution when you have static pages and need to add a few dynamic details (and might at least drive a few people away from PHP).

    Not that I'm aware of, but you can actually do that with Delphi, and even generate the JavaScript that way.



  • @blakeyrat said:

    In case you ever wondered why PHP is so hated. Full article is worth a read.
     

    thank you, now i hate my job of maintaining a mess of an app even more when i have larger insight into what mess the language itself is.



  • @Strolskon said:

    Is there any way you can use, say, Python inline with HTML just like you can with PHP?
     

    Yes.

     



  • @Sir Twist said:

    @Strolskon said:

    Is there any way you can use, say, Python inline with HTML just like you can with PHP?
     

    Yes.

     

    Specifically, you want to read this part of the documentation (http://modpython.org/live/current/doc-html/pyapi-psp.html).

    And thank you, Sir Twist, for pointing us to Mod_python — it looks like the solution to something I'll likely be working on in the near future.



  • @Rhywden said:

    @nexekho said:
    Shouldn't they be working with size_t in the first place if it's an allocation size

    That's what the current version looks like:

    int charsize = sizeof(char);
    /* still the same float-based calculation here */
    if ((size > INT_MAX || size <= 0) || ((size * charsize) > INT_MAX || (size * charsize) <= 0)) {
        return NULL;
    }

    Yeah, I'm also not quite sure what those guys are smoking.

     


    From the original link I'm not sure where this code belongs to. Is it part of the official PHP implementation or some 3rd party add-on?

    Anyways, this code is so insanely stupid, the WTF per line ratio might be in the double digits already.

    Alex should stop accepting WTF submissions and just have two front page categories:
    - Code from PHP's implementation
    - The day at snoofle's work place

     



  • PHP is just classic ASP for people that like vaguely-C-like syntax.



  • @Strolskon said:

    Is there any way you can use, say, Python inline with HTML just like you can with PHP? Something that vaguely sort of looked similar to this?

     <html>
      <head>
        <title> Welcome, <? POST["name"] ?>! </title>
      </head>
      <body>
        <p>
        <?python
    if int(POST["age"]) < 18:
        print("Sorry, you are not allowed to come in")
    else:
        print('Please proceed to <a href="page"> our super page</a>')
        ?> </p>
       </body>
    </html>

    It might look ugly at first, but I think it's the best solution when you have static pages and need to add a few dynamic details (and might at least drive a few people away from PHP).

    Wait, what?  How is this a static page?...


  • @db2 said:

    PHP is just classic ASP for people that like vaguely-C-like syntax.
     

    Unless you're  using ASP/JScript, which is decidedly more sane than PHP will ever be.

     

    Only dicks use ASP/VB.



  • @Sutherlands said:

    Wait, what?  How is this a static page?...
     

    It's one of the few dynamic details added, mentioned exactly 5 words after "static pages" in the post you quoted.



  • @Strolskon said:

    Is there any way you can use, say, Python inline with HTML just like you can with PHP? Something that vaguely sort of looked similar to this?

     <html>
      <head>
        <title> Welcome, <? POST["name"] ?>! </title>
      </head>
      <body>
        <p>
        <?python
    if int(POST["age"]) < 18:
        print("Sorry, you are not allowed to come in")
    else:
        print('Please proceed to <a href="page"> our super page</a>')
        ?> </p>
       </body>
    </html>

    It might look ugly at first, but I think it's the best solution when you have static pages and need to add a few dynamic details (and might at least drive a few people away from PHP).

    Why? The world already has enough frameworks that jam scripting into markup.


  • @dhromed said:

    @Sutherlands said:

    Wait, what?  How is this a static page?...
     

    It's one of the few dynamic details added, mentioned exactly 5 words after "static pages" in the post you quoted.

    Hmmm... but... um... ok.

    Then I counter the original post with the extremely difficult <asp:TextBox> that inserts into the page in C#.



  • @Gurth said:

    @Sir Twist said:

    @Strolskon said:

    Is there any way you can use, say, Python inline with HTML just like you can with PHP?
     

    Yes.

     

    Specifically, you want to read this part of the documentation.

    Ooh, neat, thanks.

    @Jaime said:

    Why? The world already has enough frameworks that jam scripting into markup.


    To make transitioning from php slightly easier, and to not have to wrap the entire page in quotes when all you want is to add the current time at the bottom or something.





  • @morbiuswilters said:

    @blakeyrat said:
    Full article is worth a read.

    Meh, [...] lots of silly bullshit.

    @random self-important twit posting something on the nets said:

    There are, in general, a whole lot of functions that blur the line between text and variables. compact and extract are just the tip of the iceberg.



  • @Lorne Kates said:

    @MiffTheFox said:

    The sad part is that PHP's probably the best language for use on the web out there
     

    Huh?

    Have you ever used .Net? I'm not saying it's perfect, but having used both PHP and .Net for an extended period of time, I know for sure that PHP is not the best.

     

    ASP.NET is nice, if only it were easier to convince Powers That Be to run a Microsoft software stack.

    Also I'd like it a lot more if Webforms was never released. "You want ASP.NET? Use MVC."



  • The WTF in using ASP.NET is using a stack which actually charges you monies for a license. This is how much a LAMP license costs you: $0. This is how much ASP.NET costs you: >$1. Probably also more than $10. Per core. Or per box. Or per 500 http sessions per 100 vhosts. Fuck if I know. Then you need to scale and have to move your data to MS SQL Server. At that point you can't afford an extra dedicated db server.



  • @epicfail said:

    The WTF in using ASP.NET is using a stack which actually charges you monies for a license. This is how much a LAMP license costs you: $0. This is how much ASP.NET costs you: >$1. Probably also more than $10. Per core. Or per box. Or per 500 http sessions per 100 vhosts. Fuck if I know. Then you need to scale and have to move your data to MS SQL Server. At that point you can't afford an extra dedicated db server.

    Not only is this a stupid argument, you admit that you have no idea what you're talking about.  What does ASP.NET have to do with MS SQL?  You don't know, you're an idiot. 



  • @epicfail said:

    The WTF in using ASP.NET is using a stack which actually charges you monies for a license. This is how much a LAMP license costs you: $0. This is how much ASP.NET costs you: >$1

    How much does the time wasted dealing with PHP quirks and bugs cost you?

    @epicfail said:

    Probably also more than $10. Per core. Or per box. Or per 500 http sessions per 100 vhosts. Fuck if I know.

    Oh so you literally do not know the answer to your own question. You could have looked it up in seconds on, say, Amazon's AWS pricing calculator, but you decided it's better to be dumb.

    @epicfail said:

    Then you need to scale and have to move your data to MS SQL Server.

    As opposed to MySQL where, when you outgrow it, you scale up to-- wait, Oracle? Or just hiring 6-digit experts to come in and tweak it until it kind of works most of the time? Either way is a fuckload more expensive than a copy of SQL Server.

    @epicfail said:

    At that point you can't afford an extra dedicated db server.

    If you're really a startup with budget issues, you should be using cloud computers.



  • I'm going to go out on a limb here and admit to putting up a website this week using PHP even though I am aware of the stupid quirks that PHP has (you just have to read enough Stack Overflow questions on why A doesn't equal B in PHP to know that something is written under the covers). In my case it was a simple site that really only throws up some static pages, but I used a very lightweight PHP framework (Slim) to have better control over RESTful URI generation. It got the job done quickly and simply and I didn't have to think too much about it even though I had never used that framework before.

    I picked a PHP based system as my hosting provider provides PHP and does not support mod_python, or .net for shared hosting. I could have gone perl .. but that would be crazy for me to do as I am fluent in several C based languages and haven't written any perl for years and years and years. So PHP was the only way to go for me.



  • @epicfail said:

    The WTF in using ASP.NET is using a stack which actually charges you monies for a license. This is how much a LAMP license costs you: $0. This is how much ASP.NET costs you: >$1. Probably also more than $10. Per core. Or per box. Or per 500 http sessions per 100 vhosts. Fuck if I know. Then you need to scale and have to move your data to MS SQL Server. At that point you can't afford an extra dedicated db server.

    Anyone actually trying to do something serious doesn't mind spending some money to do it.  That doesn't mean that ASP.NET is great, but a "free" solution is often worth exactly what you paid for it.

     



  • @Strolskon said:

    to not have to wrap the entire page in quotes when all you want is to add the current time at the bottom or something.

    Click



  • @Gurth said:

    @Sir Twist said:

    @Strolskon said:

    Is there any way you can use, say, Python inline with HTML just like you can with PHP?
     

    Yes.

     

    Specifically, you want to read this part of the documentation.

    And thank you, Sir Twist, for pointing us to Mod_python — it looks like the solution to something I'll likely be working on in the near future.

     

     

    mod_python has been dead since 2010.

    mod_wsgi is what you should likely look at. For templating I prefer jinja2, but mako can do arbitrary python anywhere in its templates (which I believe will get messy without care).



  • @toothrot said:

    (which I believe will get messy without care).
     

    True for just about anything, really.



  • @MiffTheFox said:

    The sad part is that PHP's probably the best language for use on the web out there, although I've never looked at real CGI libraries so I'm not sure.

    I suppose you never looked at any other templating (CGI is easy, interpolating into the template is the important part) libraries, because most of them are better than PHP. PHP can't even do such a common thing as interpolating a piece of template repeatedly, so to generate a table in PHP you have to use echo. Any other template systems I've ever heard of like embperl (perl), HTML::Mason (perl), Genshi (python), Velocity (java) or whatever can repeat templates. Plus they allow separating the code from the template, which you generally want for anything nontrivial. And they obviously have the benefit of using a language that was actually designed.

    @MiffTheFox said:

    PROTIP: HTML is not a graphics language, and developers should be trusted to write JavaScript.

    (Speaking of which, has anyone ever done server-side JavaScript right?)

    The Node.js looks quite reasonable and there are some decent server-side applications written in it. But JavaScript is not really a good language either. It is actually designed and self-consistent, but it's intentionally very simplistic to keep the interpreters small and can't really evolve, because programs have to be written to run even on old interpreters (remember the IE6). Which makes it much more suitable as bytecode. Compilers targeting JavaScript are likely to become more and more popular in future.



  • @MiffTheFox said:

    ASP.NET is nice, if only it were easier to convince Powers That Be to run a Microsoft software stack.

    Also I'd like it a lot more if Webforms was never released. "You want ASP.NET? Use MVC."

    There are other stacks, that are much better than PHP and just as free. TurboGears (python), Django (python), Ruby On Rails (ruby), Flask (python), if you want something simpler. I am sure turbogears allows separating or mixing your code into templates as little or much as you wish and believe the others do as well (the Genshi template system used in TurboGears is especially nice in that it is built into the XML structure instead of parallel to it, so it guarantees to generate well-formed output).


  • @Bulb said:

    The Node.js looks quite reasonable and there are some decent server-side applications written in it. But JavaScript is not really a good language either. It is actually designed and self-consistent, but it's intentionally very simplistic to keep the interpreters small and can't really evolve, because programs have to be written to run even on old interpreters (remember the IE6). Which makes it much more suitable as bytecode. Compilers targeting JavaScript are likely to become more and more popular in future.

    Node.js isn't a problem because it uses JavaScript-- it uses the V8 engine, which is awesome and "running on IE6" (or IE7, or IE8-- the JS engine in 9 is on-par with V8) is a non-issue on the server side.

    The problem with node.js is that it's event-based instead of thread-based.



  • @toothrot said:

    mod_python has been dead since 2010.

    Damn.

    @toothrot said:

    mod_wsgi is what you should likely look at.

    Thanks for that :)



  • @Bulb said:

    @MiffTheFox said:

    ASP.NET is nice, if only it were easier to convince Powers That Be to run a Microsoft software stack.

    Also I'd like it a lot more if Webforms was never released. "You want ASP.NET? Use MVC."

    There are other stacks, that are much better than PHP and just as free. TurboGears (python), Django (python), Ruby On Rails (ruby), Flask (python), if you want something simpler. I am sure turbogears allows separating or mixing your code into templates as little or much as you wish and believe the others do as well (the Genshi template system used in TurboGears is especially nice in that it is built into the XML structure instead of parallel to it, so it guarantees to generate well-formed output).

    I'd like to mention Bottle (python), just because a friend of mine is the main developer ;)



  • @Bulb said:

    PHP can't even do such a common thing as interpolating a piece of template repeatedly, so to generate a table in PHP you have to use echo.

    ... false.

    <table>
    <?php foreach ($rows as $row): ?>
    <tr><td><?= $row[0] ?></td><td><?= $row[1] ?></td><td><?= $row[2] ?></td></tr>
    <?php endforeach; ?>
    </table>

    @Bulb said:

    Plus they allow separating the code from the template, which you generally want for anything nontrivial.

    http://smarty.php.net/



  •  @Bulb said:

    PHP can't even do such a common thing as interpolating a piece of template repeatedly, so to generate a table in PHP you have to use echo.

     

    Not sure if this is what you meant, but you can at least do something like this, where you only echo the part that actually varies.  I've done this in a couple personal projects that don't change enough to be worth the time and trouble (one of them is for a non-profit and I just have FTP access to their web server) to port to a new language.

     

    <table>

    <? for($i=0;$i<$m;++$i) { ?>

    <tr><td><? echo $a[$i]; ?></td></tr>

    <? } ?>

    </table>

     

    @Bulb said:

    Plus they allow separating the code from the template, which you generally want for anything nontrivial.

     

    No argument on this point.  I use .NET for some work projects; there's a bit of inline code, but mostly just Bind("SomeName") or Eval("SomeName") or occasionally an IIF().  (And to address the "zomg but the license costs money!" argument: said cost is dwarfed by "all the devs are already up to speed on VB" and "the IT guy is already up to speed on maintaining a MS server with the required horsepower".  Oh, and "this is non-trivial enough that it'll take the devs a while, regardless of framework".  Now if you're dealing with a new company/division/project/etc. where the first two don't apply, then sure, it's worth spending a little time considering alternatives - but even if .NET isn't the best choice, it's probably at least better than PHP, as someone previously noted.)




  • @heterodox said:

    <?php foreach ($rows as $row): ?>
     

     

    Oh, right, foreach.  And I actually used it once (though this is the first time I've seen the colon version of the syntax). Shows you how often I actually write anything in PHP these days.

     

