  1. #1
    SitePoint Addict
    Join Date
    Feb 2006
    Posts
    281

    Is PHP going a bit over the top?

    Does anyone think things are going over the top in terms of adding new OOP functionality in PHP?

    When PHP started with OOP it was great, but now there are too many new features. The features I'm talking about are static methods, late static bindings, etc.

    I can see where autoloading and namespaces are useful, but some of the latest stuff seems like they are being lazy and instead of trying to work out a solution using true OOP they are just adding new features to the core.

    Are the PHP developers getting the feature ideas from other languages like Java, or are they just making new things up?

    What's wrong with just having basic OOP?

  2. #2
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    Quote Originally Posted by blueyon View Post
    ... and instead of trying to work out a solution using true OOP
    I cringe when I hear that wording. There is no commonly accepted definition of which features of a language that makes it object oriented. Thus there is no "true" OOP and no "false" OOP.

    Besides, static members were inherited from Java, along with the entire class-based object model. Not that I'm advocating it or anything, but it's fairly consistent with the strategy so far.

    Anyway - and to address your main point - PHP has always been a very inclusive language. It started out as a template engine and over time more and more features have been bolted on. This means that there is no grand plan (except perhaps in Rasmus' head).

    The danger of this is that it's a lot easier to add something than to take it away, but if we keep adding, without removing features, we'll end up with a huge language. Another problem is that sometimes two features are mutually exclusive, so by picking one, the other is abandoned. If there is no clear direction, it's impossible to figure out which of two such features to pick.

    I think this has become more and more of a problem lately, and unless we either slow down or begin dropping/changing existing features, it can end up very messy.

  3. #3
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Which is why I've been suggesting a complete library rewrite for a long time now.

    It's a case of backwards compatibility. That's the kind of thing that leaves Windows slow in Vista, because it has a backlog of a decade or two of backwards compatibility.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  4. #4
    We're from teh basements.
    Join Date
    Apr 2007
    Posts
    1,205
    I think autoloading and static methods rather complement each other. I put miscellaneous static methods in a Utility class (versus libraries of standalone functions) for the express purpose of having that class autoloaded when I call one of the methods. I will probably never hear the end of how that is "wrong", but if I can skip an include or require call, I will gladly do so.

  5. #5
    SitePoint Zealot
    Join Date
    Sep 2008
    Posts
    199
    Right. PHP sucks. Old PHP was simple, but not well suited for big projects.
    These new features make PHP look more like Java. But it is not Java.

    If you need a big project with clear code then PHP will never compare with Java and Java IDEs with code refactoring and generation.

    It would be better if they created a Java implementation of PHP under a good license.
    The Quercus GPL license makes it impossible to use it directly in non-Caucho, non-GPL servlet code.

  6. #6
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    php sucks
    I really hope for your sake you don't mean that.

    Yes, PHP is a bit bloated and some parts are outdated because of old versions. I get that.

    But PHP is unrivaled when it comes to web development.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  7. #7
    SitePoint Zealot
    Join Date
    Sep 2008
    Posts
    199
    PHP is a very bad language. It is popular but it is very bad.

    #1 thing that makes me hate PHP is the settings in PHP.INI

    register_globals on or off
    magic_quotes on or off
    etc

    These make development much harder.

    register_globals on - is bad design. It was a mistake to make it.
    magic_quotes_gpc on - is a crazy idea. Why did someone design it to escape these variables when each DB has its own escape function, e.g. mysql_escape_string?

    Uninitialized variables created many unobvious bugs for XSS hacking.

    DB query style like mysql_query is the base for SQL injections.

    ------------

    In Java we do not have most of these bugs from the beginning. ASP.NET is a clone of Java and it went even further.

    Java and .NET were designed by professionals and PHP was designed by n00bs.

    -------------

    Cpanel PHP hosting is very easy to hack. A Cpanel server usually has 100-1000 accounts.

    10% of these accounts are hacked by public scanners.

    You can get DB passwords from other accounts, upload files, etc.

    All of this is possible because of bad PHP design concepts.

  8. #8
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Quote Originally Posted by max7 View Post
    Cpanel PHP hosting is very easy to hack. A Cpanel server usually has 100-1000 accounts.

    10% of these accounts are hacked by public scanners.

    You can get DB passwords from other accounts, upload files, etc.

    All of this is possible because of bad PHP design concepts.
    That has nothing to do with PHP, you do realize that, don't you? I mean, no one could be that stupid to think that PHP is the cause.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  9. #9
    SitePoint Zealot
    Join Date
    Sep 2008
    Posts
    199
    Quote Originally Posted by logic_earth View Post
    That has nothing to do with PHP, you do realize that, don't you? I mean, no one could be that stupid to think that PHP is the cause.
    Why?

  10. #10
    We're from teh basements.
    Join Date
    Apr 2007
    Posts
    1,205
    Quote Originally Posted by logic_earth View Post
    That has nothing to do with PHP, you do realize that, don't you? I mean, no one could be that stupid to think that PHP is the cause.
    Unfortunately, there are many people out there all too willing to spread this misconception. At one company I worked for, an outside SEO "expert" whose HTML skills were stuck in 1997 and who knew nothing about programming put a bug in my boss's ear that PHP was unreliable. And since she was the one who was driving traffic to the company Web sites, he was all too willing to take her word for anything, no matter how misinformed.

  11. #11
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157

  12. #12
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    ^^^ Lol I gotta remember that.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  13. #13
    Coding and Breathing CoderMaya's Avatar
    Join Date
    Feb 2008
    Location
    Atlit, Israel
    Posts
    470
    Because it depends on the programmer that built cPanel. PHP has more than enough ways to enable you to perfectly secure your script. My guess is that you just don't know much about PHP, which is why you threw that off the top of your head.
    Learn about the new Retro Framework
    Code PHP the way it was meant to be coded!

  14. #14
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Because the PHP creators didn't write CPanel or PHPMyAdmin.

    They wrote the language - it's up to the developer to be good at it. You can't blame the piano if a newbie can't play it, right?

    Serious PHP developers make strong applications. Generally if you learn the advanced stuff and think about how your app works, your app will be foolproof.

    Look at Facebook, YouTube etc. That's all PHP.

    My guess is that you just don't know much about PHP, which is why you threw that off the top of your head.
    I second that.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  15. #15
    SitePoint Zealot
    Join Date
    Sep 2008
    Posts
    199
    Not only CPanel but other common hosting environments have similar problems. I was able to read the DB password on a DirectAdmin host.

    I know not only PHP, so I can compare it with other languages.

    PHP has no way to control file access in its modules. If you enable safe mode then it does not secure the file system like the Java sandbox or .NET application domain does.

    I am critical of PHP as it has a very big market share but it is not secure or well designed enough.

  16. #16
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    You are talking about its environment, not the language. You can control the environment.

    I suggest you talk about something you actually know about, if you want to add real value to this convo.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  17. #17
    SitePoint Zealot
    Join Date
    Sep 2008
    Posts
    199
    Why don't you comment on magic_quote and register_globals?

    I marked php.ini "flexibility" as the #1 problem.

    BUT PHP is responsible for environments.

    When I talk about PHP it is not just a language. It is glue that links tons of different libraries. PHP glues together a ball of relatively insecure libraries.

    When I think about PHP I see a dirty ball made of various libraries.

    It is not secure to have that ball on millions of servers.

    On the other side we have secure Java with a sandbox and other virtual machines.
    In fact it was possible to move PHP onto some virtual machine to create a sandbox around common libraries.

    Instead of making PHP secure, PHP developers dream of making PHP ready for big apps. That is why they add namespaces and OOP.

  18. #18
    SitePoint Zealot
    Join Date
    Sep 2008
    Posts
    199
    http://quercus.caucho.com/ - PHP implementation in Java
    http://quercus.caucho.com/quercus-3....ule-status.xtp - see how many libraries were implemented by one company in java.

    Imagine if the whole PHP community went in the right direction. We would already have a secure language.

    Imagine if PHP was properly designed from the beginning, e.g. w/o register_globals and magic_quotes.

  19. #19
    SitePoint Guru dbevfat's Avatar
    Join Date
    Dec 2004
    Location
    ljubljana, slovenia
    Posts
    684
    Quote Originally Posted by max7
    Why?
    Because PHP is a tool, and a tool is not to be blamed when someone misuses it. You don't blame a hammer if a guy uses it to hit the other guy over the head. Virtually every security hole in a PHP application is because of ill-written code in the application, not in PHP. You can write very secure code in PHP, but you have to learn how.

    At the same time it's true that some of PHP's "features" don't exactly help programmers to avoid common mistakes. Because of PHP's low barrier-to-entry, it's a very good language to start programming in, and you usually don't exactly start with htmlspecialchars() and mysql_real_escape_string(), so your projects will be full of security holes. Given that, the magic_quotes directive can be considered as a nice try to solve the SQL injection attacks. It may even be more useful for beginners than pouring all the security procedures over their heads on day 1.

    But, as projects go public, everybody needs to understand the issues, there can be no relying on PHP magic, every variable must be quoted, and every output escaped. In order to achieve that, people need to learn and use proper tools. For example, I went from no escaping, over addslashes() and mysql_real_escape_string(), to prepared queries in PDO, where once more I don't have to escape anything that goes to DB. Wouldn't it be nice if beginners started with PDO, and spare themselves that path?

    The other reason for insecure PHP applications is that PHP was here at the dawn of web application development, and it was adopted quite fast. Lots of code was written before most fresh programmers even realized that there is such a thing as SQL injection and XSS. Why? Because there were so few hackers that exploited the holes, and security wasn't a hot topic. When the era of hacking and exploiting blossomed, the security also started improving, but I'm afraid it always stays one step behind.

    regards
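
The path this post describes, from queries built by string concatenation to prepared queries in PDO, with htmlspecialchars() applied on output, as an added example that is not part of the original post. The table, sample rows and function names are hypothetical, and it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: constructed data; table and function names are hypothetical.
// Assumes the pdo_sqlite extension is available.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$pdo->exec("INSERT INTO users (name, bio) VALUES ('alice', 'likes <b>PHP</b>')");
$pdo->exec("INSERT INTO users (name, bio) VALUES ('bob', 'writes Java')");

// Before: the value is pasted into the SQL text, so any quote characters
// in it are parsed as SQL syntax rather than as data.
function findUserConcatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT name, bio FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the SQL text is fixed and the value is sent as a bound parameter,
// so no escaping function is needed on the way into the database.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: escape at the point where the value is written into HTML.
function renderUser(array $row): string
{
    $name = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    $bio  = htmlspecialchars($row['bio'], ENT_QUOTES, 'UTF-8');
    return "<li>{$name}: {$bio}</li>";
}

$input = "nobody' OR '1'='1"; // constructed request value

$concatenated = findUserConcatenated($pdo, $input);
$prepared     = findUserPrepared($pdo, $input);

// The concatenated query matches every row; the prepared one looks for a
// user literally named like the input and matches none.
printf("concatenated query matched %d rows\n", count($concatenated));
printf("prepared query matched %d rows\n", count($prepared));

// Stored markup is rendered as text, not as HTML.
foreach (findUserPrepared($pdo, 'alice') as $row) {
    echo renderUser($row), "\n";
}
```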

  20. #20
    Coding and Breathing CoderMaya's Avatar
    Join Date
    Feb 2008
    Location
    Atlit, Israel
    Posts
    470
    And by the way, (again) unless you just learned PHP last week, you would usually put files that contain passwords (and stuff like that) behind the actual web root and import them from the include path.

    Go try to hack Youtube. Can't? Well, that's simply because that site is just too simple to hack, right?.... no. PHP is a capable language, and security is one of its best subjects because of its popularity and easiness of use (and misuse). You just need to know where to look to know how to secure your code.
    Learn about the new Retro Framework
    Code PHP the way it was meant to be coded!

  21. #21
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    PHP Security, also covers issues one must face with improperly configured shared hosting.
    http://www.apress.com/book/view/9781590595084
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  22. #22
    Coding and Breathing CoderMaya's Avatar
    Join Date
    Feb 2008
    Location
    Atlit, Israel
    Posts
    470
    Magic quotes and register globals are disabled since PHP 5 (by default), and I'm pretty sure they will be deprecated in version 6.

    And PHP libraries are secure. Like dbevfat said, you have to know to escape your input and output to remain on the safe side.
    Learn about the new Retro Framework
    Code PHP the way it was meant to be coded!

  23. #23
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Quote Originally Posted by CoderMaya View Post
    ...and I'm pretty sure they will be deprecated in version 6.
    Not just deprecated but also removed completely.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  24. #24
    SitePoint Zealot
    Join Date
    Sep 2008
    Posts
    199
    Quote Originally Posted by logic_earth View Post
    Not just deprecated but also removed completely.
    You are right. But why did they not do it in php4 or php5?

    If they remove it then they understand that it is a bad feature, but they did not understand it before, when they created it. That is why I say that PHP was designed by n00bs.

  25. #25
    SitePoint Zealot
    Join Date
    Sep 2008
    Posts
    199
    Those who say that PHP is secure do not know about bugs in popular PHP scripts like phpBB or phpMyAdmin.
    Almost every version of phpBB 2 had SQL injection bugs.
    They could solve the problem only by rewriting phpBB 3.
    I can say that the phpBB team learned to program in PHP only after they released the 3rd version of the popular forum.
    If PHP were a good language then most bugs would be impossible.
    E.g. with prepared statements SQL injection is much harder.
    If variables must be initialized then XSS is much harder to do.
    If a language comes with a good control-based framework like ASP.NET then XSS is harder to do.

