PHP pros and cons

Luke Breuer
2015-02-05 01:40 UTC

preface
It is possible to write good [enough] code in PHP. It is possible to write good code in most languages, and bad code in all languages. However, the amount of effort, training, and materials required to write good code is also important. Succinct, clear syntax and good libraries do make things easier.
pros
  • PHP is very popular (some would say ubiquitous)
    • the documentation is good
    • there are many examples
    • it is supported by the vast majority of web hosts
      • note that support for other languages/frameworks is on the rise
  • PHP 5 and 6 fix a lot of the bad code issues with PHP 4
  • finding PHP developers is very easy
  • learning how to do basic operations in PHP is very easy
    • historically, the alternative was the much-more-opaque Perl
  • there are some very good frameworks, such as CodeIgniter
  • it's easy to quickly create a small, dynamic web page with PHP
cons
  • this extensive article
  • there is a lot of bad* code
    • it could be argued that PHP makes it very easy to write bad code
    • this includes tutorials
  • there are a lot of bad developers who never learned to do much more than search the internet for examples and stitch them together haphazardly (see above point: a lot of the examples used are bad code)
  • a lot of PHP was written before versions 5 and 6, and the bad habits developed do not seem to be disappearing expediently
  • PHP 4 encourages, or at least makes it very easy to write, bad code
  • PHP 4 is the latest version of PHP installed by many web hosts
  • return values and argument order of PHP's many functions are inconsistent
    • see strpos:
      This function may return Boolean FALSE, but may also return a non-Boolean value which evaluates to FALSE, such as 0 or "". Please read the section on Booleans for more information. Use the === operator for testing the return value of this function.
  • PHP has over 3000 core functions (contrast this to Perl's ~200)
    • there is no overarching, consistent vision
    • separate functions for case-insensitivity, named inconsistently
      • str_replace vs. str_ireplace
      • ereg_replace vs. eregi_replace
    • underscores are sometimes used and sometimes not
      • stream_get_line vs. readline
      • base64_encode vs. urlencode
  • no mixins
  • limited metaprogramming (compare to Python and Ruby)
  • backslash is the namespace separator
  • the design team refuses to introduce syntactic sugar like [] for array creation instead of array()
  • the free version is intentionally crippled performance-wise, to make room for a commercial license
  • there have been some horrible security fixes, such as attempting to evaluate the comparison size > INT_MAX, where size is an int (this will never evaluate to true)
  • explode(...)[0] is invalid syntax
  • PHP does not help prevent cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection (contrasted to other languages)
    • this was attempted with magic quotes, which has many problems (documented in the linked Wikipedia page)
  • include and require are both slower than they should be
  • PHP makes it more difficult to separate business logic (or any non-presentation code) from presentation code than other languages/frameworks
  • PHP's object "model" is lacking
  • register_globals encouraged extremely bad practices and resulted in many exploits
    • it is now discouraged, but it is still used
  • error handling, especially in PHP 4, is quite lacking
  • Unicode support is lacking; UTF-8 alone is somewhat supported
  • oci_bind_by_name, used for parametrized SQL with Oracle, trims trailing whitespace

* bad includes code with lots of duplication, insecure code (particularly SQL injection), and general spaghetti code
implicit type conversion/juggling
It is claimed that the lack of transitivity below is bad, but it's a bit of a suspect argument; any change would result in having less powerful implicit type conversion (some call it juggling).
"0" == false == "" != "0" /* therefore: */ "0" != "0"
Then again, the following is a bit questionable:
<?php
echo 11 + "25 elephants"; // outputs 36
?>
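The strpos pitfall from the cons list and the loose comparisons shown above, as an added example that is not part of the original page: a validation check written with != false misses a match at offset 0, and strict comparison fixes it. The helper names and sample inputs are constructed for illustration.

```php
<?php
// Added example; helper names and sample inputs are constructed.

// Weak: strpos() returns int 0 when the needle sits at the very start,
// and 0 == false under loose comparison, so that match is reported as absent.
function contains_loose(string $haystack, string $needle): bool
{
    return strpos($haystack, $needle) != false;
}

// Correct: only the boolean FALSE means "not found".
function contains_strict(string $haystack, string $needle): bool
{
    return strpos($haystack, $needle) !== false;
}

// Strict integer parsing: rejects "25 elephants" instead of quietly using 25.
// filter_var() returns int 0 for "0", so its result also needs === false.
function parse_int_strict(string $raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// Reserved-word check on display names (constructed inputs).
$names = ['admin_bob', 'bob_admin', 'bob'];
foreach ($names as $name) {
    printf("%-12s loose=%-5s strict=%s\n", $name,
        var_export(contains_loose($name, 'admin'), true),
        var_export(contains_strict($name, 'admin'), true));
}

// Loose versus strict comparison against FALSE, and strict parsing
// of the same strings (constructed inputs).
foreach (['0', '', '25', '25 elephants'] as $raw) {
    printf("%-16s ==false: %-5s ===false: %-5s parsed: %s\n",
        var_export($raw, true),
        var_export($raw == false, true),
        var_export($raw === false, true),
        var_export(parse_int_strict($raw), true));
}
```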
Stockholm Syndrome
a disorder causing a programmer to defend an indefensible language because he has to go to work every day and use it

The fact that PHP is better* than some other programming language does not, in and of itself, mean that it is a good language. There are plenty of completely crappy languages out there.

* for some definition of better