Ask HN: What is your reason for not choosing to use PHP for your next project?
11 comments
It's hard to code secure PHP. When starting, I was like: 'So I can just pass a query parameter with <script>alert(1)</script> and do trivial XSS on random sites if I wanted to?' Smart PHP coders always sanitize, but for PHP newbies, it's easy to introduce some vulnerabilities if you don't do defensive coding practices.
There's things like directory traversal attacks too (putting ../../ in requests etc) which you have to prevent. PHP doesn't do it for you, you have to be very defensive with it. Which is why I use PHP sparingly and use Python and Perl more. Those languages even still have potential vulns, but not nearly as bad as the ones you can introduce in PHP IMHO.
There's things like directory traversal attacks too (putting ../../ in requests etc) which you have to prevent. PHP doesn't do it for you, you have to be very defensive with it. Which is why I use PHP sparingly and use Python and Perl more. Those languages even still have potential vulns, but not nearly as bad as the ones you can introduce in PHP IMHO.
Both of those problems sound language-agnostic. Wouldn't Python/Perl enable the same vulnerabilities if unsanitized inputs are provided?
None of these are true of modern PHP, which is fairly old by now. It’s possible to write bad and insecure code in PHP, but that’s true of every web-oriented language and framework.
PHP in production runs behind Apache or Nginx, so directory traversal and similar attacks should get stopped there. In 20 years of working on PHP code I have never seen this particular vulnerability, though I can imagine how it might happen.
PHP has a bad reputation mainly because inexperienced programmers and even non-programmers choose it as the path of least resistance. Python code suffers from the same problem, though Python is not nearly as popular for developing web sites as PHP.
PHP in production runs behind Apache or Nginx, so directory traversal and similar attacks should get stopped there. In 20 years of working on PHP code I have never seen this particular vulnerability, though I can imagine how it might happen.
PHP has a bad reputation mainly because inexperienced programmers and even non-programmers choose it as the path of least resistance. Python code suffers from the same problem, though Python is not nearly as popular for developing web sites as PHP.
PHP suffers from being old, like JavaScript and C. All of those have gained the capabilities to make them perfectly useable but retain approaches we would not build into a new language. Some developers consider that a smell they don't want to be associated with.
Those who develop code will care, those who develop function will not.
Those who develop code will care, those who develop function will not.
I have done some PHP in the context of modern WordPress before (Bedrock/Sage/Trellis). Meh. It's sufferable but it did not give me immense joy.
I am mostly doing frontend but I want to find a productive full stack framework, I am still hesitating between Rails and Laravel. Still thinking of using Rails though.
I am mostly doing frontend but I want to find a productive full stack framework, I am still hesitating between Rails and Laravel. Still thinking of using Rails though.
It’s not cool. Even people who use PHP every day don’t want to admit it because it’s not considered leading edge. It’s a workhorse language with a mature ecosystem, good documentation, and huge community, great for putting web sites together. It also gets used by a lot of newbs who write bad code, and the language gets blamed for that.
Maybe they just need a rebrand... to PHP.js or something
Php is simple and easy to learn i prefer php than any other backend language
It is ugly.
So what is your reason for not using PHP?