August 7th, 2008

PHP - experiences.

Tipjar is progressing very nicely. Only been working at it in earnest for a week or so and it’s already quite far along - at least, the technical (non-webdesign) bit. Some experiences:

Many languages aren’t easy to learn right. That whole schtick about an experienced programmer picking up anything in 2 weeks time is a load of crock. You can probably make something sorta work with a spit and a prayer, but it will look downright UG-LY by the standards of the language’s gurus. The experience will either way be unproductive, and the result will be a hard to read, impossible to maintain mess. When I go and write python, I can do it, I can make whatever you like, but I’ll be inadvertently trying to do things in static-namespaces way so much, it’ll look silly.

That doesn’t really apply to PHP. For two reasons: 1) The crowd that usually passes for ‘PHP Guru’ is utterly clueless (no offense, PHP mainstayers amongst my readership) to what we in the real world consider programming, and thus your incompetence isn’t noticed, and 2) The language is utterly trivial. It tries no tricks, it gives you few shortcuts, and in that way you truly HAVE learned it quickly. The downside is fairly obvious, you can’t trick your way past interesting problems like you can in almost any other language for at least a subset of interesting programming problems.

In some ways this is actually a good thing, because I can read absolutely ANY PHP code without diving into books (presuming it’s small enough not to be a mess o’ spaghetti!). Something that absolutely positively never works with something like Ruby or Perl, which both look like Homer Simpson swearing at you. A number of python constructs are difficult to follow as well. In java you can follow the language paradigms, but you’ll be clicking yourself silly on library calls (which in my book is far more feasible than the Ruby/Perl and to some extent Python approach, but that’s another story entirely). Reminds me a bit about my earlier observation regarding limitations.

The biggest problem is community. A real reason for liking or disliking a language (I positively love BOO, but it has no community to speak of) is the community. I had expected, from amongst other people Cris’s comments on the PHP community, that everything’s already been done. So if you have a problem, you google for it, and you get an instant walkthrough or code fragment and you can be on your merry way.

Crock of male cow excrement.

Any trivial problem I can solve by myself. Any complicated problem is usually something your average PHP programmer doesn’t even think of. Questions like: If PHP is stateless, and the random number generator has an empty initializer, where the heck is the seed coming from? If it’s coming from the timer, then my web app’s security is officially FUBARed. Worse, the specs do NOT specify anything in particular, so even if I check that it works safely on one PHP implementation, it might not work on the other. Currently solved by reading /dev/urandom, though on Windows machines that obviously won’t work.
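The seeding concern above, as an added example that is not the post’s own code: a clock-seeded token generator next to one that reads the kernel CSPRNG and fails closed when /dev/urandom is not available (function names are hypothetical).

```php
<?php
// Added example (not from the original post): two ways to build a session or
// CSRF token in PHP 5-era code. Function names are hypothetical.

// Weak: the seed is derived from the clock, so anyone who can guess the
// request time to within a few seconds can reproduce every "random" value,
// and two requests in the same second get identical tokens.
function weak_token($len = 16) {
    srand(time());                      // seed is (roughly) public knowledge
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= chr(rand(0, 255));
    }
    return bin2hex($out);
}

// Stronger: pull bytes from the kernel CSPRNG. Fails closed instead of
// silently falling back to rand() when /dev/urandom is unavailable
// (e.g. on Windows, as the post notes).
function secure_token($len = 16) {
    // PHP 7+ ships random_bytes(), which also works on Windows.
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($len));
    }
    $dev = '/dev/urandom';
    if (!is_readable($dev) || ($fh = fopen($dev, 'rb')) === false) {
        throw new RuntimeException("$dev not readable; refusing to issue a weak token");
    }
    $bytes = '';
    // fread on a device may return fewer bytes than asked; loop until full.
    while (strlen($bytes) < $len) {
        $chunk = fread($fh, $len - strlen($bytes));
        if ($chunk === false || $chunk === '') {
            fclose($fh);
            throw new RuntimeException("short read from $dev");
        }
        $bytes .= $chunk;
    }
    fclose($fh);
    return bin2hex($bytes);
}

// Demonstration: two weak tokens generated within the same second collide,
// two secure tokens do not.
$a = weak_token(); $b = weak_token();
echo "weak tokens equal: " . var_export($a === $b, true) . "\n";
$c = secure_token(); $d = secure_token();
echo "secure tokens equal: " . var_export($c === $d, true) . "\n";
```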

Typical PHP: PHP tries its hardest to make you brainfart into a security headache.

Second example of this: slimstat is a PHP traffic analyser. I’m using it to track blog traffic. The default install instructions drop it in /slimstat off of your root dir, and anyone can look at it. If that isn’t bad enough, anyone can empty the database and clear out all your traffic data. I had to dive into apache’s settings and lock out everything except the local machine, then ssh proxy my way to the page. This process is not described, or even so much as hinted at, in the installation manuals for slimstat.

These are just 2 situations where PHP and the PHP community collectively prove that they couldn’t secure a lemonade stand. I’ve run into many more. I’ve also had some non-security related problems, though far less, and far less pressing.

I have, however, merited PHP a little bit: It doesn’t necessarily cause brain damage, only if you look too much at the community, and it is in fact quite useful for prototypes.
