PHP an idiot's tool (was OT: Web page source code )
Bill Campbell
bill at celestial.com
Tue Aug 12 18:18:46 PDT 2008
On Tue, Aug 12, 2008, Fairlight wrote:
>Is it just me, or did Jose Lerebours say:
>> >From little-dot-ville, Mark exploded and revealed:
>
>If I explode, you'll know it. :)
I've been on the receiving end of a Mark explosion :-).
>> >Actually, PHP's very model makes it worse-off than perl. The tighter
>> >binding to the web server -by nature- gives it more exposure in terms of
>> >risk and repercussions. Perl doesn't have that working against it unless
>> >you use mod_perl, which I refuse to do.
>>
>> So I guess you have figured out how to keep your perl apps secured but
>> this is not possible in PHP at all - Interesting
>
>I didn't say it was impossible, I said the nature of the platform, combined
>with the lack of proper community education, combined with the "idiots can
>use it" factor, all conspire to make it highly less probable.
One of my major issues with php is that I find a lot of PHP code
incomprehensible with the display and processing code intermixed. I
currently use Zope and Plone where page templates handle the display side,
and processing is where it belongs behind the scenes. I have also used the
perl HTML::Template fairly successfully.
>> I do not read these as you do, but do not think you present a valid point
>> to rank PHP as a worthless development tool. I am sure that the flaws,
>> however many, are related to specific extensions which you can include or
>> exclude just as you do with mod_perl.
>
>I don't use mod_perl. I said as much in the last post, and in fact said
>that I -refuse- to use mod_perl. My reasons are threefold: 1) it adds
>complexity integrating programs into mod_perl and apache, 2) it makes your
>code less portable, since to my knowledge there's no mod_perl for IIS and I
>need to support all platforms with a web server, and 3) for the exact same
>reason I think PHP is a higher security risk--you're rolling your
>application, with any and all of its faults, -directly- into the httpd
>daemon. Thus, if your application gets cracked, or the engine upon which
>it's written gets cracked, the damage exposure is that much higher because
>it's become part of a trusted system. Apache and mod_ssl flaws are far
>fewer between than PHP flaws. And by flaws, I mean exploits that require
>patching.
Ditto -- particularly the part about going too deep into the apache engine.
This makes it entirely too easy for the web ``developer'' to muck about in
apache's internals.
>> >PHP is like AOL: So easy to use, any idiot can--and too many do. The
>> >fact that the community isn't even remotely as self-policing as the perl
>> >community (which has really stringent standards, despite the freeform
>> >nature Perl is capable of using) doesn't help matters.
>>
>> I happen to be one of those idiots, except that I never used AOL. It
>> feels that you are very biased and one cannot argue with a person who has
>> locked himself in such a way.
>
>I didn't say you were an idiot. Just like I've run into the occasional AOL
>user that isn't an idiot. I implied it's more likely than not--especially
>given the relatively high percentages of idiots in the general populace and
>the high percentages of those idiots using PHP because it's "accessible"
>compared to Perl--at least it's more "accessible" in the perceptions of
>people that haven't bothered to look seriously at Perl's ease of use. We
>won't even bring Python into this until Bill Campbell or Jay Ashworth bring
>it up. :)
I don't see how PHP is more accessible than perl. It appears to me to have
taken the worst features of perl (all the modem noise prefixes for variable
names), and added in-line html markup. Kinda like BASIC: I already knew
FORTRAN when I first saw BASIC, and couldn't figure out why I should use a
Beginners language (the ``B'' in BASIC originally stood for Beginners).
>> One could argue that filePro is easier than PHP - So are there too many
>> idiots in the filePro community?
>
>Do you want the honest answer to that, or the polite one? Let's just say
>that the easier something is to use, the higher percentage of people you
>get using it that haven't a clue on how or why to do even the most basic
>things, much less do complex things properly. That goes for -any- product
>that's easy to use. That doesn't make everyone that uses it an idiot, it
>just means the likelihood of a user of 'x' is higher that they're not
>competent to run a 4-function calculator, much less something as complex as
>a RAD toolkit or any other development language.
FilePro purports to be a database management system while PHP is supposed
to be a programming language. FilePro could be described as BASIC with
screen handling routines.
>> I do not think that the tool defines the quality of the end-product;
>> this is the responsibility of the developer behind it. If you are a
>> weak developer, your applications will be weak or at least show your
>> weaknesses. Of course, an even weaker developer will drown under the
>> tools inherent weaknesses.
>>
>> Take for example filePro itself, with all its weaknesses, lots of solid
>> applications have been written. In the same token, there is a flood of
>> poorly written applications. This is not the fault of filePro itself,
>> but the developers.
>
>The point is that certain aspects of a product's design lend themselves
>towards how attractive or not it is towards people of certain skill levels
>and dispositions. Apple knows this -quite- well--they appeal (at least
>pre-OS/X, it's changing slowly) more to artists, writers, musicians...the
>creative types that don't want or can't be bothered to know what the hell
>they're doing. They've parlayed that into a fortune, even if it took ages
>to recover from the shortsightedness of being a closed hardware
>architecture. (Don't start me there, I go back to the Apple ][+ days.)
>
>If something is easier to "learn" on the surface, but harder or just plain
>unintuitive to learn the finer points of (and has p1$$-poor
>documentation!), you get crappy programs from the majority, and some really
>good stuff from the few that bother to learn it--but who probably bother to
>learn -anything- they do just as well.
It's easy to learn the basics of driving a car, even stick-shift, but put
the average 16-year-old in an SS-396 Camaro or some such, and they stand a
great chance of killing themselves and others before they learn to really
drive it.
Computers on the Internet can do tremendous damage to a customer's data,
and to other systems on the Internet if one doesn't know what one is doing.
...
>What little I've bothered to look at of outside opinion besides my own
>investigations into PHP has not impressed me. The security side is just
>plain daunting. I've had the misfortune of having had to build it multiple
>times to fix glaring issues--and I've had a linux -kernel- developer tell
>me point blank that he'd rather reinstall the whole OS than patch or
>upgrade PHP. This is a guy that hacks the kernel source code, ok? What's
>that tell you about how well-engineered it isn't, if he doesn't think it's
>worth the hassle? (Probably tells me more, since I know his
>personality...you might draw a different conclusion, but I know the guy
>personally and have done for years.)
I would say that a majority of the hacked Linux systems I've had to fix
were hacked through PHP. Some were owned via webmin and/or usermin as well
which are written in (really ugly) perl where the authors don't bother to
check for reasonable $HOME directories before doing a ``rm -r $HOME''.
...
>Only reason I'm not looking at Python more seriously is because I have too
>much invested in Perl and I'm not looking to go through another migratory
>transitional period. Bill Campbell's glowing recommendations alone are
>enough to make me second-guess that decision, but I'd rather stay focused
>and hang onto my time investment for now.
I had almost 20 years of perl as my primary language, and a large library
of routines I have developed over the years. Rewriting them in python was
a large part of my learning curve. Python uses perl regular expressions so
that part is easy.
I find python to be far easier to use when developing large systems, and
python's Object Oriented stuff is orders of magnitude easier to use than
perl's modules (not to mention that the syntax for using python class
instances is far cleaner than perl's).
Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186
One man's brain plus one other will produce one half as many ideas as one
man would have produced alone. These two plus two more will produce half
again as many ideas. These four plus four more begin to represent a
creative meeting, and the ratio changes to one quarter as many ...
-- Anthony Chevins
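Bill's complaint above about webmin/usermin doing ``rm -r $HOME'' without first checking that $HOME is reasonable is a classic maintenance-script pitfall. The following POSIX sh snippet is an added example, not code from this thread or from webmin; the function names (is_sane_home, remove_home_safely) and the particular rejection rules are its own assumptions. It refuses to delete anything unless the path is absolute, is not the root or a well-known system directory, contains no ``..'', has at least two components, is not a symlink, and actually exists as a directory.

```sh
#!/bin/sh
# Added example (not from this mailing-list thread): sanity checks a
# maintenance script should run before doing "rm -r" on a home directory.
# The function names and the rejection reasons are this example's own.

# is_sane_home DIR: return 0 if DIR looks like a real, removable home
# directory; print why not on stderr and return 1 otherwise.
is_sane_home() {
    dir=${1%/}                      # drop one trailing slash ("/home/a/" -> "/home/a")
    case "$1" in
        "")   echo "refused: HOME is empty or unset" >&2; return 1 ;;
        /|//) echo "refused: HOME is the root directory" >&2; return 1 ;;
        /*)   ;;                    # absolute path: keep checking
        *)    echo "refused: HOME is not an absolute path" >&2; return 1 ;;
    esac
    case "$dir" in
        *..*) echo "refused: HOME contains '..'" >&2; return 1 ;;   # also rejects odd names like /home/a..b
        /bin|/boot|/dev|/etc|/lib|/proc|/sbin|/sys|/usr|/var)
              echo "refused: HOME is a system directory" >&2; return 1 ;;
        */*/*) ;;                   # at least two components, e.g. /home/alice
        *)    echo "refused: HOME is too shallow to be a user's home" >&2; return 1 ;;
    esac
    if [ -L "$dir" ]; then
        echo "refused: $dir is a symbolic link" >&2; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "refused: $dir is not a directory" >&2; return 1
    fi
    return 0
}

# remove_home_safely DIR: delete DIR only if it passes every check above.
# "--" keeps a directory name that starts with "-" from being read as an option.
remove_home_safely() {
    is_sane_home "$1" || return 1
    rm -r -- "${1%/}"
}
```

The point of the two-component rule is that an unset or truncated variable tends to collapse to ``/'' or ``/home'', and both are exactly the values a deletion routine must never see; checking for a symlink keeps a user from pointing their home at something else and having the script follow it.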