A blend of programming and seo

5 sins of PHP

PHP is a great language. However, there are a few problems with the language that need to be fixed.

1) register_globals (this will be removed in PHP 6)

The idea behind register_globals is simple: to make it easier to access POST, GET, and session variables within a PHP script.

Here is an example of why it is bad:

(in login.php)

<?php
if ($_POST['password'] == "password") {
    $is_admin = true;
}
?>

If register_globals is enabled, someone could go to the following URL: login.php?is_admin=true, and the variable will get overwritten. This essentially allows any user to dynamically create variables in your PHP scripts.
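As an added example (not code from the original post), here is the same login check in two forms, run against a constructed request that carries is_admin=true in the query string. Because register_globals is gone from modern PHP, its effect is emulated with extract($_GET); the only assumption beyond the post is PHP 7 or later for the syntax used.

```php
<?php
// Constructed request: the attacker put is_admin=true in the URL and
// posted no password at all.
$_GET  = ['is_admin' => 'true'];
$_POST = [];

// What register_globals did behind the scenes: every request variable
// becomes a global PHP variable of the same name. Emulated here with
// extract() so the example behaves the same on PHP without the directive.
extract($_GET);

// Vulnerable form from the post: $is_admin is only ever set on success,
// never reset on failure, so a value pre-seeded by the request survives.
function is_admin_vulnerable(): bool
{
    global $is_admin;                 // picks up the injected global
    if (($_POST['password'] ?? '') === 'password') {
        $is_admin = true;
    }
    return (bool) $is_admin;          // the injected 'true' wins here
}

// Hardened form: start from a known state and read request data only
// from the superglobal you mean, so register_globals cannot pre-seed it.
function is_admin_fixed(): bool
{
    $is_admin = false;                // explicit default on every request
    if (($_POST['password'] ?? '') === 'password') {
        $is_admin = true;
    }
    return $is_admin;                 // decided by the password check alone
}

var_dump(is_admin_vulnerable());
var_dump(is_admin_fixed());
```

The same rule applies to every variable a script reads before it assigns: initialise it yourself rather than trusting that it is unset.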

2) goto

This one, I just don’t understand. Goto was never in the PHP language, and now it is being added in version 5.3 (more information here).

Here is an example of usage:

<?php
goto a;
echo 'test';
 
a:
echo 'goto';
?>

Goto makes it very easy to create unmaintainable and messy code.

3) magic_quotes (removed in PHP 6)

Magic quotes was designed to escape $_POST and $_GET variables automagically, to prevent SQL injection attacks.

Here are the problems:

  • Not every piece of escaped data is inserted into a database, so escaping all of it is wasted work. Simply calling the escaping functions (like addslashes()) at runtime, only where needed, is more efficient.
  • Not all data needs escaping, and it’s often annoying to see escaped data where it shouldn’t be. For example, emailing from a form and seeing a bunch of \’ within the email. Fixing this may require excessive use of stripslashes().
  • Many novice programmers assumed that magic_quotes was enabled on all PHP installations and released PHP scripts that were vulnerable to SQL injection attacks.
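An added example, not from the original post, of the approach that addresses all three points: undo magic_quotes once at the entry point so the script always sees raw input, then use a bound parameter for the query instead of addslashes(). It assumes PHP 7.1 or later with the PDO SQLite driver; the table and the "O'Brien" input are constructed for the example.

```php
<?php
// Recursively strip the slashes magic_quotes_gpc added, so the rest of the
// script always sees raw input regardless of the server's php.ini.
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// get_magic_quotes_gpc() reports the setting on PHP < 5.4, always returns
// false on 5.4 to 7.4 (deprecated in 7.4) and is gone in PHP 8: guard it.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Constructed sample: what a form field containing O'Brien looks like after
// magic_quotes_gpc has escaped it, and the raw value recovered from it.
$escaped = ['name' => "O\\'Brien", 'tags' => ["it\\'s", 'ok']];
$raw     = strip_magic_quotes($escaped);

// Look up the user with a bound parameter: the driver handles quoting, so the
// raw value is safe in SQL with no addslashes() and no magic_quotes needed.
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In-memory SQLite database constructed for the example.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('O''Brien')");

var_dump(find_user($db, $raw['name']));      // found: the raw apostrophe matches
var_dump(find_user($db, $escaped['name']));  // null: the escaped form is a different string

// The same raw value goes into an email untouched: no stray backslashes and
// no stripslashes() at every output point.
$mailBody = 'New signup: ' . $raw['name'];
```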

4) Recursion

PHP 4 and 5 use the stack for intensive data, rather than the heap. That means recursive functions are significantly limited (because the stack is usually a very small amount of memory). Every nested (recursive or otherwise) function call counts towards a limit of 2000 nested calls, and PHP will die if that count is ever reached.

5) 64-bit integer support

PHP is not able to handle unsigned integers and converts values over 2^31 to signed. So if your IDs go slightly over 2 billion and PHP decides to treat them as integers, you will have a problem.

However, the people over at the mysqlperformance blog have come up with a solution.


11 comments

1 Shelly { 04.16.09 at 12:11 pm }

“goto” looks like old DOS command code. I used to have to program in that forever ago. Actually, I *like* that – and I don’t believe it would make for messier code. In fact, I could see how it would make for cleaner code – if, indeed, it *is* a callback to the old DOS command days. Instead of writing functions and having to recall them in other areas, you could just write a piece of code and basically (in a smaller – codewise – method) just say “go here and do this”.

Of course, my understanding of how it works in PHP could be wrong, but to me, it looks just like the old DOS command method, and I can definitely see its uses.

2 Justin (rawseo) { 04.16.09 at 12:25 pm }

@Shelly:

You are correct. Goto was in old DOS command code; however, it has been around much longer than that (there is a Wikipedia article on it here).

Goto statements become difficult to maintain when you have large projects with hundreds of script files.

3 Giorgio Sironi { 04.16.09 at 1:26 pm }

“Goto considered harmful”…
However, goto is in PHP only for the purpose of simplifying breaking out of complicated loops. It’s not assembler, where you have only jumps to implement a for.

4 Andrew { 04.16.09 at 2:20 pm }

I’ve been developing with PHP for some time and the issue of register globals and magic quotes is not worth considering. I can’t remember the last time I even had to think about either of those yet they keep popping up in criticisms of PHP. No one actively developing with PHP has to realistically spend more than 5 seconds dealing with neutralizing those anymore so give them a rest already.

5 Justin (rawseo) { 04.16.09 at 3:36 pm }

@andrew,

It does matter. I deal with custom versions of a few well known open source projects daily and they all were built using register_globals. I had to write custom code to remove the reliance on this.

Magic_quotes is also an issue (more than register_globals). WordPress had an issue with magic_quotes up until the most recent versions.

PHP is a great language. This article was just pointing out some issues that need to be fixed. They also need to be mentioned because people starting out in programming might not know about these issues and write insecure code.

6 Joshua Ross { 04.16.09 at 4:53 pm }

@giorgio goto should not be used to break/continue complex loops either imo, the continue n or break n syntax should be used instead

7 abcphp.com { 04.17.09 at 1:52 am }

5 sins of PHP | A blend of programming and seo…

PHP is a great language. However, there are a few problems with the language that need to be fixed….

8 Rob Desbois { 04.17.09 at 3:13 am }

@Giorgio, Joshua: if you have some nested loops then trying to break out of multiple levels isn’t directly possible with ‘break’, although more than 2 levels of nested looping often points to poor design.
I’ve found goto very useful in C++ to be able to break out of ‘if’ statements in which the ‘break’ keyword cannot be used. Useful for error handling.

9 Greg Wright { 04.17.09 at 2:06 pm }

Lack of support for threads is also a major problem and performance hog.

10 Chris { 04.17.09 at 3:41 pm }

goto, to me, makes some sense when you apply it to CLI-based scripts. Most of us forget about CLI PHP because we use it to churn out HTML, and having a goto helps make the language more like other CLI languages. Though, I’ll never use it myself for the reasons you pointed out ;-)

11 FooBar { 04.18.09 at 12:50 pm }

6) superfluous $ for variable names

PHP requires you to press shift+4 every time you want to use a variable. Horrible, as it is totally superfluous. If the implicit cast from a misspelling to a string

echo iForgotTheDollarOrTheParenthesis . $someVar;

is removed, we can make the use of $ characters at least optional in variable names.

7) direct access to returned array

This should work, but it doesn’t.

http://bugs.php.net/bug.php?id=23022
The bug is more than 6 (!) years old, and still not solved.

I’m quite familiar with PHP, with a lot of PHP programming experience. I more and more come to hate all the bad habits of PHP.
Seriously, PHP devs should listen a little more to their user base.

Python, one of the most beautiful and well-crafted programming languages, has been perfected even further with the release of 3.0.

PHP devs, please have the courage to break some code. Python did it too, and provided automated upgrade tools. And yes, Python is used in serious business.
Clean up your language please, before it is too late.

Goto is bad, not only because it is assembly and there is no good use for it, but also because it requires a special syntax which we could have used for more useful features. This is so much wtf, why wasn’t there a poll or similar for feedback? We don’t need it, it could do even quite some evil, so why? big why?
