Rasmus Lerdorf, the creator of PHP, tells us (here) that the web is broken and that “we” have damaged it, but that PHP can fix all the issues. Ok, let’s see what Rasmus has to tell us.
“You don’t know that you have to filter user input” … hmm, which programming language was it that made user input from the web available in the global namespace without further action? Which programming language triggered myriads of bugs in every kind of web application because of this “feature”, in the past, the present and even the future, although the register_globals option is disabled in recent PHP versions? Of course no beginner knows about filtering user input if PHP makes any input available without further checking.
“The Web is pretty much broken, we can all go home now” … oh, and who broke the web? Which programming language cannot accept dots in variable names in the web input and instead rewrites every dot to an underscore? There is no way around it and no intention to fix this behaviour in current releases. Look here for more details, the part about “Dots in incoming variable names”. This surely happened because of the ugly register_globals “feature”, but arrays like $_REQUEST would be a good place to hold the original input names.
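To show what the dot rewriting means in practice, here is an added example (not code from the post or from PHP) that parses the raw query string by hand so the original parameter names survive. The parameter names `user.name` and `user.role` are a constructed sample, and the function name is my own.

```php
<?php
// Added example, not from the post. Shows what PHP does with a dotted
// parameter name and one way to recover the original name from the raw
// query string. The parameter names below are a constructed sample.

// Given the request  GET /page.php?user.name=alice&user.role=viewer
// PHP populates $_GET as array('user_name' => 'alice', 'user_role' => 'viewer'):
// the dots are rewritten to underscores and the original names are lost.
// The raw query string is still available, so it can be parsed by hand.

function parseQueryPreservingDots($queryString) {
    $params = array();
    if ($queryString === '') {
        return $params;
    }
    foreach (explode('&', $queryString) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $name  = urldecode($parts[0]);
        $value = isset($parts[1]) ? urldecode($parts[1]) : '';
        // Accept only names we are prepared to handle: letters, digits,
        // underscore and dot, at most 64 characters. A repeated name is
        // ignored instead of silently overwriting the first value.
        if (!preg_match('/^[A-Za-z0-9_.]{1,64}$/', $name) || isset($params[$name])) {
            continue;
        }
        $params[$name] = $value;
    }
    return $params;
}

// Constructed sample instead of a live request:
$rawQuery = 'user.name=alice&user.role=viewer';
$params = parseQueryPreservingDots($rawQuery);
// $params is array('user.name' => 'alice', 'user.role' => 'viewer')

// In a real request, hand over the raw query string PHP gives you:
// $params = parseQueryPreservingDots(isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '');
```

Note that parse_str() performs the same dot-to-underscore rewrite as $_GET, so it cannot be used for this; the manual parser above is the workaround, and it only works for GET parameters, since the raw body of a form POST is not exposed as a query string.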
“PHP5 includes all manner of functionality to help developers filter requests, to help prevent the broken Web.” … so it took 5 major releases and 11 years to create a piece of software with adequate functionality? Besides this, the User Submitted Data part of the security section in the documentation asks you (the developer) 5 questions about the security of your program, but there is no further explanation of how PHP may help you secure your application. No links, almost no comments, nothing. You have to go and learn the answers somewhere else.
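As an added example (not code from the post, nor PHP’s own documentation), the following script puts the two points above side by side: the register_globals hazard of an uninitialised variable being populated from the request, and the explicit, filtered request handling of the PHP 5 filter extension. The variable `$authorized`, the parameters `id` and `page`, the `checkLogin()` helper and the cookie value it compares against are all assumptions for illustration.

```php
<?php
// Added example, not code from the post. Names ($authorized, the "id" and
// "page" parameters, checkLogin() and its cookie value) are assumptions.

// ---- 1. The register_globals hazard (global scope, register_globals=On) ----
// Every request parameter becomes a global variable before the script runs,
// so an uninitialised $authorized takes whatever value the client supplied:
//
//     if (checkLogin()) {                  // forgot: $authorized = false;
//         $authorized = true;
//     }
//     if ($authorized) { showAdminPage(); } // client-controlled when not logged in
//
// The fix is to initialise every variable before use and never let the
// request populate local state:
$authorized = false;
if (checkLogin()) {
    $authorized = true;
}

// ---- 2. Explicit, filtered access to request data (PHP >= 5.2 filter ext) ----
// Read only the parameters you expect, from the superglobal you expect, and
// validate them against a type before use. filter_input() returns null when
// the parameter is absent and false when it fails validation.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, array(
    'options' => array('min_range' => 1),
));
if ($id === null || $id === false) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid id');
}

// Free text that is echoed back is escaped on output instead of being trusted.
$page = filter_input(INPUT_GET, 'page', FILTER_UNSAFE_RAW);
echo '<p>' . htmlspecialchars((string) $page, ENT_QUOTES, 'UTF-8') . '</p>';

function checkLogin() {
    // Placeholder for a real server-side session lookup; the constant
    // token is a constructed sample, not something to deploy.
    return isset($_COOKIE['session']) && $_COOKIE['session'] === 'constructed-session-token';
}
```

The difference between the two halves is the point Rasmus glosses over: filtering only helps once the language stops handing the developer unrequested variables, and the documentation could say exactly this next to its five questions.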
“If you can fit your problem into what MySQL can handle it’s very fast,” Lerdorf said. “You can gain quite a bit of performance.” … of course, if I need a filesystem with a more structured access method than fopen/fread/fwrite/fclose, MySQL comes to mind. If I need a real SQL database that stores my critical business data, then a standard MySQL is not the answer. If Rasmus talks about performance, he surely does not mean performance and integrity of your data. Or could you tell me why PHP does not even support transactions in its feature-rich set of database functions?
If you switch from the standard MyISAM tables to tables with transactions (like InnoDB) to gain some safety for your data, then your performance advantage is gone and the timing results are comparable with the PostgreSQL database which Rasmus blames here. But of course, full ACID support is available in the latter.
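What a transaction buys you, as an added example that is not from the post: a transfer between two accounts done through PDO (available since PHP 5.1) on InnoDB tables, where either both rows change or neither does. The DSN, credentials, table and column names are assumptions; the comment on the table engine is the practical caveat, because a MyISAM table accepts BEGIN and COMMIT without error and then rolls nothing back.

```php
<?php
// Added example, not code from the post. A two-row update kept atomic with
// PDO transactions on InnoDB. DSN, credentials, table and column names are
// assumptions for illustration.

function transfer(PDO $db, $fromId, $toId, $amount) {
    if (!is_numeric($amount) || $amount <= 0) {
        throw new InvalidArgumentException('amount must be positive');
    }
    $db->beginTransaction();
    try {
        // SELECT ... FOR UPDATE locks the source row until commit/rollback
        // (InnoDB only); on MyISAM the lock clause is accepted and ignored.
        $sel = $db->prepare('SELECT balance FROM accounts WHERE id = ? FOR UPDATE');
        $sel->execute(array($fromId));
        $balance = $sel->fetchColumn();
        if ($balance === false || $balance < $amount) {
            throw new RuntimeException('insufficient funds or unknown account');
        }
        $upd = $db->prepare('UPDATE accounts SET balance = balance - ? WHERE id = ?');
        $upd->execute(array($amount, $fromId));
        $upd = $db->prepare('UPDATE accounts SET balance = balance + ? WHERE id = ?');
        $upd->execute(array($amount, $toId));
        if ($upd->rowCount() !== 1) {
            throw new RuntimeException('unknown destination account');
        }
        $db->commit();
    } catch (Exception $e) {
        // Undo the debit if anything after it failed, then let the caller see why.
        $db->rollBack();
        throw $e;
    }
}

// Assumed connection details; errors are raised as exceptions so the
// catch block above is actually reached on failure.
$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The table must use InnoDB for the rollback to mean anything, e.g.:
//   CREATE TABLE accounts (id INT PRIMARY KEY, balance DECIMAL(12,2) NOT NULL) ENGINE=InnoDB;
transfer($db, 1, 2, '25.00');
```

The old mysql_* functions the post refers to offer no transaction calls at all; the only option there was to send BEGIN, COMMIT and ROLLBACK as plain queries, which is exactly the kind of thing an average developer never learns from the PHP documentation.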
I could continue speaking about the problems PHP brought to the web, the security holes PHP brought to the average developer and administrator, the inelegant approaches PHP brought with its quick and dirty solutions and the excuses Rasmus brings to defend real problems out there, but the list would be almost endless.