PHP, where do you go?

Couple of days ago my colleagues and me were discussing the future of programming languages – PHP was also a topic and we were trying to find arguments for our decision should we stick to it or switch to Python. Therefore I am appriciating the hackernews link from today: Frank Karlitschek wrote a very good post on his side concerning the pros and cons of PHP, have a look at it. I like the listings for shortcomings and possible improvements:

A few of the obvious shortcomings are:

  • Security. PHP in itself is not insecure and it is obviously possible to write perfectly fine and secure applications with PHP. But PHP decided to implement an quite naive approach about security and doesn´t support the developer too much in writing secure code. To be fair everybody was naive about web security in the 90s. So there are a not a lot of features available in PHP that actively support you with writing secure code. The database situation is a mess so a lot of people still don´t use prepared statement which leads to possible SQL injection. And filtering incoming data for XSS and other problems has to be done relatively manually. There are extensions and libraries available to help with all this problems but they are not part of the language/runtime core or are incomplete.
  • compile time / runtime configuration. Just for fun call the ./configure script to compile php yourself and look at all the compile options. And now look at all the options that can be set in php.ini by the server admin. On one side this is cool because an admin can enable and disable a ton for core features in PHP in a very fine granular way. But as a developer of an PHP application that should run on all available PHP servers this is a nightmare. You never know which feature is enabled and available. In ownCloud we have a lot of code that checks the environment and the runtime to see if everything works as expected and adapts to it as needed. This is unfortunately not what you call a stable platform and a good OS abstraction.
  • There are some inconsistencies in the function and class namings. Sometimes unerscores are used and sometimes camel-case. Some features are available in a procedural style and some have an OO API and some even have both. There is a lot that should be cleaned up.
  • Static typing. This is totally a question of taste but sometimes I would really love to have a bit more static typing in PHP. Guess what this following code does if you have a file named “1” in your directory: while ( ($filename = readdir($dh)) == true) $files[] = $filename;

Here are a few ideas for improvements that I would love to see:

  • Security. Kill the _GET and _POST and _SERVER arrays and introduce a proper API that can be used to filter all incoming data.
  • Database. PHP support a ton of different database API. Some of them are very old but they are inconsistent to use. Everything should be standardized so that only one OO interface exists. I personally would use PDO as a starting-point here.
  • 32bit / 64bit. Anyone who ever tried to write a PHP application that runs on 32bit or 64bit operating-systems will recognize that variables especially integers behave differently. I understand that this is a reminiszense to C/C++ but this is seriously a bad idea. I don´t want to have different code paths which have to be tested independently.
  • kill save_mode, open_basedir and other acient concepts
  • Remove most of the compile and runtime config options. All PHPNEXT runtime environments should be as similar and stable as possible.
  • Typing. It would be cool if PHP would introduce optional static typing. So that a variable can be declared as, for example, bool or int. An exception should be thrown if used otherwise.
  • Always use unicode strings

 

Leave a Reply

Your email address will not be published. Required fields are marked *