Out of Puberty
|
Author | Content |
---|---|
tuxtom Feb 26, 2008 10:09 PM EDT |
Quoting:When the internet bubble burst a few years ago, we learned an important lesson. Investing millions in the development of a website, only to discover that nobody wants to use your service after months and months of hard work, does simply not work in the internet age. So time to market is everything. And PHP, despite some of its flaws, gets the job done quickly.This summarizes my experience very eloquently. Good interview. |
tuxchick Feb 27, 2008 8:00 AM EDT |
Hmmm... given PHP's notorious weaknesses and security flaws, I don't see where 'speed to market' is a good thing, especially when it results in 'speed to being pwned.' Developers who are skilled in Perl, Python, or Ruby are going to have plenty of 'speed to market', and they're going to have stronger, maintainable sites. The supposed speed advantage of PHP is only for novices who want to fling something up quickly, with minimal study. After that initial fling-up, PHP loses all advantages- it's harder to maintain and scale, and trying to keep the beast secure is nearly impossible. This details some of its problems:
http://www.enterprisenetworkingplanet.com/netsecur/article.p... **edit** oops, I just noticed the OP is tuxtom. I'm not picking on you, honest! |
tuxtom Feb 27, 2008 8:39 AM EDT |
@tuxchick: Is that your article? I've heard folks areound here call you Carla. In any event, "Developers who are skilled in Perl, Python, or Ruby are going to have plenty of 'speed to market', and they're going to have stronger, maintainable sites" is true of any language, for the most part. And competent systems administration and runtime configuration is the first step to running any app reliably and securely. This is the root of the majority of negative observations. Are you going to tell me that it is easier to maintain and scale a project in Perl that PHP5? This tells me that you haven't done it and you are just spreading FUD. Python and Ruby are nice languages, but it is a small market. Maintaining those is going to prove troublesome just finding the talent to do so (not being a devloper in either I can't comment on their scalability). For all the hype, Ruby really just introduced the MVC model to the amateur programming world who doesn't even know what Gang of Four means. We were coding that stuff from scratch in Java before Struts. |
tuxchick Feb 27, 2008 9:02 AM EDT |
Sure, more sites are coded in PHP, because almost any monkey can (and does) fling something up fast. More market share doesn't equal better technology, as Windows demonstrates. The initial PHP learning curve is short, but then you're spending the rest of your life mitigating its defects. That hardly seems like a sensible long-term strategy or use of one's skills, especially when higher-quality scripting languages aren't that hard to learn. |
tuxtom Feb 27, 2008 9:59 AM EDT |
@tuxchick: Well, I'm not disagreeing with the numbers, and any monkey can write something that they thinks is good is factual, but this is true for any language at the end of the day. PHP happens to be the most accessible. "Higher-quality scripting languages" is a subjective statement. Also, "scripting" is frequently used to denigrate a language, implying that a compiled language is superior. This is old-timer's syndrome and FUD. Interpreters are just as fast, for all practical purposes, as most native or intermediately complied technologies these days. On the issue of scalability, that is a FUD invested myth that all platforms try to propegate. What is scalability? In the coming world of Grid Computing interpreted languages will be King. Java, etc., have so much overhead and configuration...app servers, etc., that they don't scale. Larger projects require exponentially more resources. Scalability and maintainability have more to do with solid software engineering and architectural skills than any particular technology. A poorly designed Java, Perl or Ruby app is going to be far worse than a well designed PHP app. Look at SugarCRM. It's scalable and secure enough for H&R Block. Nuf Sed. As for security, how many PHP security holes have caused worldwide havoc and alarm? C and C++ apps have caused very serious security violations on a massive scale. Is the technology to blame, like you blame PHP? Or is it the practices of developers and administrators..or just the statistical fact that all software has bugs... that are to blame? VB macros and other Microsoft technologies have done the same, though they are certainly flawed technology when it comes to security. All technologies have their flaws and bumps in the road during their growth. The collective attitude here at LXer seems to be one of making Linux available for the unskilled masses. Do you want a future of point and click Linux administrators that any monkey can become? You want to make it accessible to them. It is going to lead to its own problems? Yet, you criticize PHP for being exactly the same thing. Will you be so opinionated when people begin saying the same thing about Linux as the world of incompetent administrators grows? Most people criticizing PHP rarely provide examples of how other technologies are superior in the areas of claimed flaws. Not to mention the perspective is usually 1999. It's certainly not perfect, but nothing else is perfect either. |
herzeleid Feb 27, 2008 10:46 AM EDT |
@ tuxtom - I'm with you. php is easy to get started with, but that doesn't make it unsuitable for advanced applications, by any means. People love to compare the php of 1999 with the java of tomorrow! |
tuxchick Feb 27, 2008 12:45 PM EDT |
Wow tuxtom, you sure throw in a lot of irrelevant stuff that doesn't even come close to addressing the point, which is that PHP is inherently fatally flawed, and that there are superior alternatives that are not much more difficult to learn. In fact I think they're easier over the long run, because they're sane and architecturally consistent. Which PHP is not. |
ColonelPanik Feb 27, 2008 1:01 PM EDT |
Anyone want to buy a huge Learning PHP4 book? Cheap? |
herzeleid Feb 27, 2008 2:02 PM EDT |
> Anyone want to buy a huge Learning PHP4 book? Cheap? Nah, I got one already - I think I'll want to brush on on php5 though, especially the new OO architecture. Have you seen the cool things people do with php nowdays? Just about any of the interesting CRM, CMS etc systems that come to mind are all LAMP based. Some people don't like php, and most of those same people don't like c or perl either. No accounting for taste.The thing is, if you are comfortable with c or perl, you'll feel right at home with php, and that's why I liked it right from the start. |
Sander_Marechal Feb 27, 2008 3:20 PM EDT |
Quoting:especially when higher-quality scripting languages aren't that hard to learn. Such as? Python has it's fair share of idiosyncrasies and gotchas too. Ruby is a niche. It's main area is Rails which is aimed at the web 2.0 crowd. Perl is hard. And let's not dreg up C#/Mono again in this thread. |
tuxtom Feb 27, 2008 4:59 PM EDT |
@tuxchick: Your statements are biased and subjective. It is clear that you don't like PHP, which is your prerogative. But FUD is FUD. I threw in all that stuff to make the exact point that PHP is no more imperfect than any other technology and that it is indeed a viable development platform outside the world of "monkeys". In fact, it is a staple of many of the Big Boys. Is it different? Yes. They all are different. Does it have warts in different places? Yes. They all do. All those other points were to illustrate that most "fatal flaws" are Pilot Error.Quoting:I think they're easier over the long run, because they're sane and architecturally consistent. Which PHP is not.Again, that's a subjective and purely academic argument. Have you taken a look at the Java API lately? It's like looking through Encyclopedia Britannica. Perl? My first Love, but it lives up to its reputation as a write-only language. I'm not sure about Python or Ruby as I've only given them a cursory overview, but if their popularity were as widespread they would become a bit bloated, overwhelming and disorganized, too. PHP has excellent, easily accessible documentation despite its "architectual inconsistencies". Quoting:...PHP is inherently fatally flawed...Then we're all doomed and more than half the Internet is going to suddenly crash without notice. Commerce will screech to a halt. And I can't prove it, but I'd venture to bet LXer would cease to exist...or at the very least 90% of the story links would R.I.P. |
pat Feb 28, 2008 4:42 PM EDT |
Typical Tuxchick argument, php is bad and here's an article written by "Carla S." with why it is bad. What is not said is that Tuxchick is Carla S. alter ego, her secret identity, with the super power to trash talk what she doesn't like. And like any super hero, they only seek to fight what they are against, not make it better or solve the problem. Spoon! |
gus3 Feb 28, 2008 9:10 PM EDT |
Nice ad hominem, Pat. And, uh, how many books have you published lately? |
Sander_Marechal Feb 28, 2008 9:51 PM EDT |
Quoting:What is not said is that Tuxchick is Carla S. alter ego, her secret identity, with the super power to trash talk what she doesn't like. Tone it down, pat. Everyone here knows that tuxchick is Carla. She simply links to an article to avoid repeating herself. Why make the same point twice? |
pat Feb 29, 2008 4:48 AM EDT |
Avoid repeating herself? Typically one doesn't reference your own writing when trying to support your own arguments. I just wonder why you, Sander, an editor on this site, aren't doing anything about it. It makes this site look bad. The fact is that someone just reading the site won't know who is who. What Carla did is clearly wrong and I called her out on it. I will continue to point these things out as long as it continues to occur. I don't kill trees, so I don't publish books. I've found man pages more useful, fWIW. |
gus3 Feb 29, 2008 8:03 AM EDT |
@pat: I've done the same thing. I know exactly why she does it, Sander is right, and if that isn't good enough for you (and since when do YOU run this site?), go whine up a tree. |
herzeleid Feb 29, 2008 9:20 AM EDT |
@pat - > Typical Tuxchick argument, php is bad and here's an article written by "Carla S." with why it is bad. What is not said is that Tuxchick is Carla S. alter ego, her secret identity, That's no secret, all the regulars know that carla is tc. But if you have a gripe with her, why not pm her directly instead of broadcasting on the forum? |
tuxtom Feb 29, 2008 10:03 AM EDT |
For the record, my argument with tuxchick was argument in the Socratic sense, as imperfect as my attempt at that may have been. In no way was it intended to be a personal attack on her or her credentials. In fact, I went through and read many of her references for that article which made some very good and valid points. However, there were no side-by-side dissections of the alternate technologies proclaimed as "superior". |
tuxchick Feb 29, 2008 10:05 AM EDT |
Wow, that sure brought out the trolls. But not a single word refuting my assertion that PHP is unsafe at any speed. tuxtom and pat, all the smoke and mirrors in the world won't fool anyone- it just proves you have no knowledge of the subject. |
tuxtom Feb 29, 2008 10:15 AM EDT |
...as she posts on a PHP board... |
tuxchick Feb 29, 2008 12:12 PM EDT |
Poor tuxtom, you think that ranting about anything and everything, rather than directly addressing the subject, will fool people into thinking you have a point. There is nothing subjective about my claims that PHP is inherently unsafe, and you have said nothing to counter that, but instead dredge up goofy things like elitism and the Internet crashing to a halt and every scripting language has flaws and yadda yadda. I linked to some specific descriptions of PHP's weaknesses and problems, and a number of articles that spell out a lot of reasons why it's fatally flawed. You haven't answered any of those, but just gone on your usual tangential rampages. It's possible that I'm wrong, and that PHP is not less safe than the alternatives. But you haven't presented anything to show that. The OWASP site is full of great information on Web security. Here is yet another informative page on PHP problems, which persist in version 5: http://www.owasp.org/index.php/PHP_Top_5 There is a lot at stake in Web security. Your blaming the messenger doesn't disprove anything I've said. |
tuxtom Feb 29, 2008 3:12 PM EDT |
Quoting:I linked to some specific descriptions of PHP's weaknesses and problems, and a number of articles that spell out a lot of reasons why it's fatally flawed.I have openly acknowledged those. How about you put those in context by applying the same scrutiny to the alternative technologies that you are recommending rather than just going off on a unilateral "rampage" against PHP? After all, it is you who are arguing that there are "superior alternatives". Prove it! Chopping down an oak tree doesn't make the other species in the forest inherently better. Quoting:You haven't answered any of those, but just gone on your usual tangential rampages.Ditto. Your modis operandi seems to be to send links referring to the analyses of other people rather than formulate an argument of you own in the context of the discussion. Referring to and paraphrasing other peoples texts is hardly noteworthy. Quoting:Poor tuxtom, you think that ranting about anything and everything, rather than directly addressing the subject, will fool people into thinking you have a point.Right back at ya, babe. I'm not trying to fool anybody. You are smugly discounting PHP without a similar critique of the weaknesses of any of your proposed alternatives. Are we just to take your word for it? Personally, I think you should vote with your feet and refuse to use any site that runs PHP. That would present a stronger case to the rest of us. You talk the talk. Are you willing to walk the walk? (Don't worry, PHP will still be here en force should you decide to return.) |
Sander_Marechal Feb 29, 2008 3:47 PM EDT |
Quoting:But not a single word refuting my assertion that PHP is [inherently] unsafe. Fine. I'll counter. Let's start with http://www.enterprisenetworkingplanet.com/netsecur/article.p... in which your first point is: Quoting:When you peek under the hood of PHP, it's not a pretty sight. It's full of cruft and chaos [...] this is an obvious recipe for programmer errors. One of the most common security holes is unvalidated input- all user input must be mistrusted, but PHP doesn't have much in the way of tools to help with this, so you have to write your own validation routines. This doesn't make PHP inherently unsafe. It just makes it harder to write bug-free PHP applications. It's a matter of programming skill, not inherent flaws in the implementation of PHP itself. You can argue that it's harder than it should be, given the large amount of newbie programmers attracted to the language. That would be a valid point. But there aren't flaws in PHP itself that prevent you from writing secure code in it. By the way, there are excellent PHP tools for input validation. Check out the PEAR repository, specifically http://pear.php.net/packages.php?catpid=50&catname=Validate Quoting:When you run PHP as an Apache module by using Apache's mod_php, PHP inherits all the credentials of the Apache process. That's not a PHP issue but a server configuration issue. As you pointed out yourself shared hosters should use suEXEC or CGIWrap. Professional sysadmins should be aware of this issue. There's no excuse. The same goes for hosters not keeping their PHP updated. If your sysadmin is crap, Ruby, Python or Perl won't save you. |
pat Feb 29, 2008 3:56 PM EDT |
Carla, your doom and gloom about php does a HUGE disservice to FOSS. Just more FUD that the Microsoft sales people can show there clients, "See, even the FOSS people don't like PHP, .NET is much better.". LXer is^H^H has becoming a very good source of FOSS on FOSS FUD. This place is more like a high school clique then an open community of people interested in FOSS. |
tuxchick Feb 29, 2008 5:13 PM EDT |
Sander, you make some good points, especially the one about mod_php. However, the real meat is in the links at the end of the article. They've been there all along for anyone to read. Here are some highlights- this is just a small sampling: ==== -Poor security, and poor response to security issues. This is a large and detailed topic, but regardless of whether it's caused by inexperienced programmers or by PHP itself, the amount of PHP-related exploits http://milw0rm.com/webapps.php is rather high. And according to a PHP security insider http://www.heise-security.co.uk/news/82500 , the effort is [url=futilehttp://blog.php-security.org/archives/61-Retired-from-securityphp.net.html]futilehttp://blog.php-security.org/archives/61-Retired-from-...[/url] . -There are thousands of symbols in the PHP namespace. Cleaner languages only have a few dozen. "Everything is built in" just means it has way too many functions in its core, especially since many are minor variations of each other. -No consistent naming convention is used. Some functions are verb_noun() and others are noun_verb(). Some are underscore_separated, while others are CamelCase or runtogether. Some are prefixed_byModuleName, and others use a module_suffix_scheme. Some use "to" and others use "2". And if you take a random set of ten library functions, chances are half a dozen different conventions will be included. -Many parts of PHP either deviate from standards, or otherwise don't do what users would expect. For example, exec() returns the last line of text output from a program. Why not return the program's return value, like every other language does? And further, when would it ever be useful to get only the last line of output? Another example: PHP uses non-standard date format characters. -The documentation... ... is often incorrect or incomplete, and finding relevant information tends to require reading pages and pages of disorganized user-contributed notes (which are incorrect even more often) to find the details the documentation left out. Sometimes really important details are left out, such as "this function is deprecated -- use foo() instead". ... is (as of PHP 5.1.2) not included with the source, nor typically installed along with the binary packages. Downloadable documentation is available, but does not match the docs on PHP.net. Specifically, it leaves out all the user-contributed notes, which are important because of reasons mentioned above. ... is not built in. You can't just point an introspection tool at a PHP module and get usage information from it. -Magic quotes (and related mis-features) make data input needlessly complex and error-prone. Instead of fixing vulnerabilities (such as malformed SQL query exploits), PHP tries to mangle your data to avoid triggering known flaws. The server-wide settings in PHP's configuration add a lot of complexity to app code, requiring all sorts of checks and workarounds. Instead of simplifying or shortening code (which the features are supposed to do), they actually make the code longer and more complex, since it must check to make sure each setting has the right value and handle situations when the expected values aren't there. PHP's database libraries are among the worst in any language. This is partially due to a lack of any consistent API for different databases, but mostly because the database interaction model in PHP is broken. The SQL injection issues in PHP deserve particular attention. This amusing exchange http://it.slashdot.org/comments.pl?sid=191584&cid=15742484 explains a bit better... ==== In a nutshell- unsafe at any speed. |
tuxtom Feb 29, 2008 6:07 PM EDT |
We'll pull over for you to get out. |
pat Mar 01, 2008 4:18 AM EDT |
Thats funny, I read the php.net home page and I see security addressed in every release, just like every other FOSS project. Just more FUD from the lxer department of FUD. |
rijelkentaurus Mar 01, 2008 5:05 AM EDT |
Quoting: Just more FUD from the lxer department of FUD. I may not agree with all of Carla's opinions, but she is no spreader of FUD. That's out of line and dead wrong. |
tuxchick Mar 01, 2008 11:06 AM EDT |
This page has some useful comparisons to Perl:
http://tnx.nl/php More detailed analysis of PHP: http://thwartedefforts.org/problems-with-php/ Which were all linked to from my article. |
herzeleid Mar 01, 2008 11:22 AM EDT |
@tc - those are some valid points in your links, but a lot of them come down to taste, and some I'm doubtful of (e.g. "perl is faster than php" - in what context, how measured?) Sure, php is messy, sort of like perl to the extreme, but you can do a lot of cool stuff with it. Keep in mind that a disciplined programmer will write better code than a beginner. and php is evolving and improving, so in time, all the major objections will likely be addressed. |
tuxchick Mar 01, 2008 11:46 AM EDT |
It's true herzeleid, that a skilled person with crummy tools will often outperform an inexperienced person who has great tools. OTOH, someone who clings to inferior tools when there are all kinds of excellent free alternatives might be considered, what...blindly stubborn? Foolish? My points are very basic: -PHP is too inherently flawed to trust. How many exploits is it going to take to get people's attention? It can't work both ways- it can't be both inviting and wonderful for noobs, and then all the fault of these poor noobs for its defects. -This whole discussion, with few exceptions, is like being on a Windows forum- "PHP is too secuar and totally awesome! It's dumb lusers who cause the problems!" LAMP security is tricky enough, with data validation and cross-site scripting exploits being two of the biggest chronic headaches. I don't see why any responsible developer would cling to flawed tools (don't forget the upgrading and version sync problems, which makes routine maintenance a total nightmare) when there are several excellent, superior alternatives. To me it's typical short-term microsoftian thinking: make it pretty and sort-of easy, don't look under the hood, and don't think of the long-term consquences. I'm done supplying links and references, as it's a waste of time. The only reason I'm still posting is trolling and deliberate dimwittery offend me. (No, not you!) I don't care what other people use. Anyone who is honest enough to face the facts knows what's what. I haven't seen one single item in this whole thread to counter what I've been saying. I've done my homework, and I've dug into PHP guts and seen it for myself. Some informed debate, rather than emotion and trolling, would be awesome, but I'm not holding my breath. |
tuxtom Mar 01, 2008 12:26 PM EDT |
Quoting:Developers who are skilled in Perl, Python, or Ruby are going to have plenty of 'speed to market', and they're going to have stronger, maintainable sites. The supposed speed advantage of PHP is only for novices who want to fling something up quickly, with minimal study. After that initial fling-up, PHP loses all advantages- it's harder to maintain and scale, and trying to keep the beast secure is nearly impossible.These are your original points which you claim are very basic. You have provided many examples of where you claim PHP is "fatally flawed"...most well known and avoidable and aren't being contested. However, you have failed to show any evidence that the other language platforms are stronger, more maintainable, just as fast to market, more scalable or more secure than PHP. Your fundamental premise isn't that PHP has so many weaknesses, it's that these other technologies are so superior in these areas. Quoting: The only reason I'm still posting is trolling and deliberate dimwittery offend me.Some might observe that continuing to post negative commentary about the subject without backing up your original claims (reiterated in the last paragraph) on a board powered by the very technology you hold contempt for is trolling. You have really been trying to bait us into arguing over minute details which are well-known and have not been contested, yet you still refuse to look outside those encapsulated points and address the breadth of your original statements. |
Sander_Marechal Mar 01, 2008 2:04 PM EDT |
Quoting:PHP is too inherently flawed to trust. It's not inherently flawed. If it were, it would be impossible to write a non-trivial secure application in PHP. It's not impossible. Harder that it should be pethaps, but far from impossible. Calling PHP inherently flawed is like calling C inherently flawed. Both languages are easy to learn and hard to master. Both are difficult to write secure code in. The main difference between C and PHP from a language point of view is that there are a lot of newbies promoting PHP to other newbies. Of all the links and references you provided, none discussed security issues in the language itself and one referenced it (month of the PHP bugs). Everything else is about configuration (which has drastically improved out-of-thebox. register_globals has been off for ages. The URL wrappers are off. Even magic quotes is off) or about applications written in PHP. You're free to argue that writing secure PHP code is harder than it should be. That there are many inconsistencies in the core. I'd agree with you. I'd support any effort to make writing secure code easier even if it breaks existing applications. But all that does not make PHP *inherently* insecure, which is what you've been claiming this entire thread and which I find a baseless claim. Quoting:The only reason I'm still posting is trolling and deliberate dimwittery offend me. [...] Anyone who is honest enough to face the facts knows what's what. I haven't seen one single item in this whole thread to counter what I've been saying. [...] Some informed debate, rather than emotion and trolling, would be awesome, but I'm not holding my breath. I take offense at those statements. Keep your ad hominem attacks to yourself if you really want an informed debate. |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!