Is it still fucked?

Yes, but it gets the job done.

It hasn’t been for years. You can still write shitty code if you want to, but that’s true of any language.

Improved dramatically since when I first tried to use it about 6 years ago

How come PHP had such a bad reputation?
Only started using it recently seems alright desu

Because retards wrote some shitty code in it and it didn’t prevent them from doing so. It’s like C in that regard. The only thing that you can really complain about in PHP is its “create and destroy the universe for every request” model.

5.3.5 forever

Garbage.

only versions 1-4 were fucked man, 5 was fixed mostly but just slower like python. Now it's fast and nearly everything is fixed and just werks. (unlike trash like python)

it pays the bills

php is like a fat girlfriend...
Great in bed but you don't want your friends to find out that you are fucking her.

With Symfony 4 I actually find it very pleasant to work with desu.

It used to be incredibly shitty pre-7.0. It's also very permissive so you can get away with a lot of dumb shit if you write code like a Pajeet.

7 is pretty good

Yes. Don't believe the retards who think that copying a small part of C's ancient, broken type system in PHP 7 somehow unfucked this shit.
The standard library is still a horrible mess and everything that could be insecure by default IS.
SQL Injections, Cross-Site-Scripting, Cross-Site-Request-Forging... it honestly sometimes seems as if PHP was DESIGNED to make these as easy as possible to implement.

PHP is fine if you use something like Symfony. Then, it just turns into retarded Java.
Why would you use that over Java? Nobody can say.

so it's still worth learning it? i'm genuinely asking, i know almost nothing about php. But if it will give me any choice of getting a job in some future...

> “create and destroy the universe for every request”
elaborate on this please.

Maybe because you can write things with a few lines, where in Java you'd need to write four times as much.
t. bored ex java developer
P.S. insecure shit can easily be avoided by decent writing and using things like input filters. There will always be tards that put variables straight from the post/get into a query, but that's their problem.

It's definitely not a bad language to start learning web development with. Especially if it's for hobby. It's incredibly easy and pretty much anything you may need is usually built in by default. So no shit with modules, gems, beans, includes, whatever. You'll get it up and running in no time. And for the foreseeable future there will be jobs too. Big languages don't die so easily.
It can be a bit of a mess when it comes to its functions. Quite inconsistent, and not exactly pretty, but then again quite powerful too. It's even underrated as a command line language..
The biggest downside is how easy it is to learn horrible habits and terrible coding style. It lets you get away with code murder by spaghetti strangulation.

>P.S. insecure shit can easily be avoided by decent writing and using things like input filters.

And you're part of the problem, congratulations.
SQL injections get avoided by using prepared statements, XSS gets avoided by escaping depending on output context (You best just use a proper templating engine which auto-escapes variables unless explicitly requested not to, since PHP, despite being a templating language, fucking SUCKS so much at its job that it needs to run other templating languages on top of itself!) and CSRF gets avoided by using and checking CSRF-Tokens.


This "Just sanitize everything", "Just check if the input is evil" mentality that is so prominent in the PHP community is a cancer that needs to die. It's why we still have these super easy to avoid problems everywhere.
If you used any other language with a framework, you would be safe from all of those BY DEFAULT. PHP, the Language written explicitly to be "the language of the web" fails so much at its job, it's laughable.

I would NEVER let a junior developer use PHP because I can be SURE that all of their programs will have those vulnerabilities. If they viewed a somewhat recent tutorial written by a competent person (a rarity in the PHP community, where the incompetent teach the incompetent), they may avoid SQL injections, but all the other issues still exist.

Even something as innocuous-looking as the mail function is so shitfuckingly broken that an attacker can use it to execute arbitrary shell commands on your server and no amount of escaping can help there because of the half-assed, incorrect escaping the function itself already applies.
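As an added illustration, not code from any poster in this thread: the three defenses named in the post above (prepared statements, escaping per output context, CSRF tokens) written in plain PHP without a framework. The function names, the SQLite table and the `$session` array standing in for `$_SESSION` are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table stands in for the app's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// SQL: the value is sent as a bound parameter, so it is never parsed as SQL.
function findUsers(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output: one escaper per output context, applied at the moment of output.
function htmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function scriptValue(string $s): string
{
    // JSON literal with HTML-significant characters hex-escaped, for use inside <script>.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($s, $flags);
}

function urlParam(string $s): string
{
    return rawurlencode($s);
}

// CSRF: one random token per session, checked with a constant-time comparison.
function csrfToken(array &$session): string
{
    return $session['csrf'] ??= bin2hex(random_bytes(32));
}

function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf'], $submitted) && hash_equals($session['csrf'], $submitted);
}

// Constructed inputs; $session stands in for $_SESSION so the script runs from the CLI.
$quoted  = "alice' OR '1'='1";
$comment = '</script><b>x</b> & "quotes"';
$session = [];
$token   = csrfToken($session);

printf("rows for quoted input: %d\n", count(findUsers($pdo, $quoted)));
printf("rows for 'alice': %d\n", count(findUsers($pdo, 'alice')));
printf("<p>%s</p>\n", htmlText($comment));
printf("<script>var c = %s;</script>\n", scriptValue($comment));
printf("<a href=\"/search?q=%s\">search</a>\n", urlParam($comment));
printf("token accepted: %s\n", var_export(csrfValid($session, $token), true));
printf("missing token accepted: %s\n", var_export(csrfValid($session, null), true));
```

The same `$comment` string goes through three different escapers because each output context has its own metacharacters; no single function applied at input time would be correct for all three.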

>"And you're part of the problem, congratulations."
>proceeds to write down the 101 rules of programming.
Man, I assumed I didn't even need to point that out.
You're miles behind, but you think you're ahead of the rest.

>If you used any other language with a framework, you would be safe from all of those BY DEFAULT.
I don't get it senpai. If you use PHP with a framework, you're safe from this shit as well.

He's also against sanitizing, then goes ahead and explains how to prevent things by sanitizing.
He's at that well known tip of curve.

Never expect frameworks to guarantee your protection by default. You always need to use them well, and configure them well.

Yeah, but that's not exactly PHP exclusive thing, is it?

True.

$ for variables, __construct, messy bunch of magic consts and array utility functions, empty('0') === true, arrays passed by values, mixing html inside php code is just disgusting. It's a fucking mess of a language, every time I look at PHP code I want to throw up

this

You don't even understand the difference between sanitizing, aka "All user input is unclean, but this magic sanitize function will make it clean for all use cases!" vs escaping, aka "I need to output this as text in HTML, so I need to put it through the htmlspecialchars() function prior to outputting."
Weak.

>Man, I assumed I didn't even need to point that out.
If only. If only not every fucking PHP program out there kept implementing these same, so easily prevented vulnerabilities.
You suggested PHP as a good programming language for beginners, when it absolutely isn't. The intuitive ways to do things in PHP, aka the ones a beginner is going to use, are a sure way to implement all of these vulnerabilities into your program. In the times of Chinese botnets trying out all combinations of malicious input against your webserver at any second, that is no longer an option.

For the most part, yes. Prepared statements still need to be explained, but generally, output gets escaped by default, so if they ever get into the position where they need it to not be escaped, they can look up how to use the raw value and they'll learn a thing or two about security. And before they knew about that, they were safe. And most frameworks also automatically add CSRF fields to forms and check them.

But most people, even in this thread, recommend beginners to stay away from Frameworks, thus guaranteeing they will implement all these vulnerabilities. Instead of being safe until they know what they're doing, they will be unsafe if they're doing this.

What's your issue with empty('0')? It's a numeric string. If you don't want that behaviour you can define your own comparisons

>How come PHP had such a bad reputation?
because: horrendously under-qualified code monkeys with zero programming abilities, that have the IQ of beach sand, just can't get away with writing terrible code. they're also too illiterate to pick up a manual and study.
>This "Just sanitize everything", "Just check if the input is evil" mentality that is so prominent in the PHP community is a cancer that needs to die
have a guess how i can tell that you've never seen a single line of php code in your entire existence? shut the fuck up, you larping fucking moron.
>I would NEVER let a junior developer use PHP because I can be SURE that all of their programs will have those vulnerabilities
who the fuck in their right mind would put a junior dev anywhere near something that they're not experienced with? you are just one sad liar making shit up as you go. and yes, we're all well aware of SQL injections and XSS. it's great to see you're not too retarded and have an ability to use a search engine! good for you. and thanks for pointing out the obvious, captain fucking obvious.

>have a guess how i can tell that you've never seen a single line of php code in your entire existence? shut the fuck up, you larping fucking moron.

I'm a PHP developer. That's precisely why I know the language's minefield of vulnerabilities so well. And why I'm absolutely not recommending anyone else to use it.
If you're competent enough to realize how to step around every mine the PHP standard library puts in your way, then you're more than competent enough to use any other language - thus, the "PHP is great for beginners" argument falls flat on its face - when you aren't perfectly aware of all of these vulnerabilities, you can't be allowed to touch (especially non-framework) PHP code because you're sure to fuck up.
If you know how to avoid them, you are definitely no longer a beginner. Why not use a language that isn't a minefield that attempts to trick you into making mistakes every step of the way?

>who the fuck in their right mind would put a junior dev anywhere near something that they're not experienced with?
Every company in the world. That is how you gain experience, you "larping fucking moron".
But I'd prefer my junior developers to be SAFE BY DEFAULT while they practice and create their first programs. There are enough non-security related mistakes to be made.

> the larp continues
> it's even less convincing than before
my dog is a php developer. best in the world. it's great making up stories, isn't it? you are a larping moron. you already proved that in your earlier post with your extreme levels of absolute retardation.

>Every company in the world.
> every company in the world gives jobs to juniors that have no idea what they're doing
> allowing inexperienced coders to manage things involving security happens everywhere in the world!
> why did my servers get hacked??!
> why are my databases being traded on darknet forums?
> HOW COULD HAVE THIS HAPPENED?
nobody in the fucking world gives such jobs to people that are poorly qualified for that job.

If only.
And as long as PHP is the language your Company uses on its Webservers, you will attract these self-taught retards like shit attracts flies.
With companies so desperate for new developers - especially at low wages, which further attract shitters - you can't say no to all of them. So you will have to teach them and you will have to make sure the mischief their code can bring is limited in scope.

>But most people, even in this thread, recommend beginners to stay away from Frameworks
Which literally doesn't matter since beginners will be just doing their own toy projects and learning the language itself. I don't know any company where you would develop something without a framework.

>Which literally doesn't matter since beginners will be just doing their own toy projects and learning the language itself.

Oh yeah, I've totally seen all of you, and the shit guides on PHP in general, put huge disclaimers to ABSOLUTELY NOT put their code on the web until they understand what they're doing.
As if. Nobody even mentions what it is you need to understand before you can do that, without having to panic that your server will get CHINKED in 5 seconds.

because it's not empty? it's a string with a 1 char, 0x40h. i didn't ask php to convert my variables to booleans. if('0'){} will go inside in javascript, not in php

If every language had the exact same semantics, then we wouldn't have this many languages.
Don't expect one to be nigh indistinguishable from another.

It seems fine so far, like it better than python, better manual. Start with the manual and phptherightway.com thing.

>But I'd prefer my junior developers to be SAFE BY DEFAULT
Oh please tell us the language you recommend for junior developers developers developers. I need to know what the absolutely safe by default language is. My smirk is loaded and ready for deployment, Sir. Do the needful.

>Oh please tell us the language you recommend for junior developers developers developers. I need to know what the absolutely safe by default language is. My smirk is loaded and ready for deployment, Sir. Do the needful.

That's not a question of language, but of framework. Any web framework will work to at least prevent the classics. Even in PHP.
But I'd still recommend anything but PHP because then you don't have to deal with issues like even simple functions like mail() being an unfixable security risk and not even having a proper exec() wrapper, but having to manually escape shell strings and hope the system is configured to use bash so the escaping actually does anything.

I wish PHP never killed Perl. Modern Perl is immeasurably better than modern PHP.

Unfortunately, they completely fucked up mod_perl. Not only did it take too long to develop, it was also so powerful that it couldn't be used on shared hosting.

What a shame.

The implementation of php code at my work place is super fucked. My next task is to implement a feature where a table only show 4 weeks worth of items under a certain condition.

The table is generated by a 400 line function. I said fuck this and went home early today. Tomorrow is going to suck.

continued

OP, I would say PHP is actually fun to work with if you're building a small project. It's rewarding how quickly you can prototype something, but it can quickly turn into a spaghetti clusterfuck if you're not structuring your code very well. There's a small benefit of having the client code and server code in a single file if it's something really small you're writing. It does not scale up well and it's a giant burden when you're mentally constantly switching context between client and server code.

Php completely spins up for every request and shuts down when the request is completed. There is no long running php process, only a management process like fpm or modphp. While this is great for some things, for others it’s a pain.

>This "Just sanitize everything", "Just check if the input is evil" mentality that is so prominent in the PHP community is a cancer that needs to die.
Shouldn't this be the default attitude of anyone that works with potentially dangerous input in any language? Why would you automatically assume your shit is safe?

No, not really. You're thinking of CGI scripts. Most LAMP servers have Apache running a PHP interpreter in the background to quickly execute scripts and it has the ability to cache them for quicker execution in the future.

blog.layershift.com/which-php-mode-apache-vs-cgi-vs-fastcgi/

I don’t want my webserver handling scripts, so fuck mod_php, and you misunderstand me. What I mean is that unlike, for instance, a nodejs application that is persistently running, each request to a php server gets a brand new userland. This is good for some things, for instance you could very easily inadvertently share privileged information in a nodejs app via a static class or something similar, but it does create additional overhead.

>I don’t want my webserver handling scripts, so fuck mod_php

Having a node process doing the same thing isn't much different.

>you could very easily inadvertently share privileged information in a nodejs app

Sure, and that would be an advantage for node in some cases like building a chat application or a multiplayer game where you want your users to see the same dynamic data the users are manipulating.

I don't even know how you would implement that in PHP. You couldn't use a database like MySQL to hold state for a multiplayer game that needs to update users 30 times a second or more about the changing environment.

Maybe with websockets, but not without.

>Is it still fucked?
Nobody uses vanilla PHP except to maintain legacy code. The only way anyone would use PHP is with a framework. Is this thread honestly asking if its ok to use vanilla PHP again?

>If they viewed a somewhat recent tutorial written by a competent person (a rarity in the PHP community, where the incompetent teach the incompetent)
You mean like phptherightway, the starting point of any PHP dev who lurks Jow Forums?, seems like you need to lurk more reddit-kun.

>That's not a question of language, but of framework.
So there's no safe by default anything, why lie about it?

>Is this thread honestly asking if its ok to use vanilla PHP again?
No one uses PHP without a framework.

Yes, you can't really patch fundamental design flaws of a language over time.

The semantics of PHP are illogical and undefendable.

>How come PHP had such a bad reputation?
It was made by non-programmers for non-programmers. But that was a long time ago and I assume the people who are behind it now actually know what they are doing.

I do

Php did nothing wrong.

And so do I, these people that use frameworks probably add on libraries like it's Node.JS with NPM

>most of the thread is some guy rambling about sql injections and mentioning mistakes of some people who probably just speed through the learning process because they want a site up fast

I swear, there's some kind of magic inside of every programming language that transforms people into cunts on account of that they know what a dependency injection, or an abstract class, or polymorphism is.

That "I do it the right way, but there are stupid people who do it the wrong way" attitude is so ridiculous that I feel ashamed that I need to call someone who's over 18 out because of it.

Just fucking write your code, if someone needs help, help him and shut the fuck up about the "state of the industry." It's not like any of us believes that you care about it. Holy fucking shit.

because with java you have to use a web framework while php can natively be embedded into html, and can work with html with a much smaller fingerprint

I work with a lot of people who "just write their code", they never want any help and have no will to improve. It's a complete nightmare to maintain the codebase and adding anything new takes way more time than it should.

>SQL Injections
How? Who in the CY manually constructs the statements with param. values instead of using placeholder and bind param? If this is your complaint, you can very easily fuck up like this in java too.

lol clean code cuck, I bet you earn about as much as they do.

Slightly more, but nothing really significant. Writing clean code is easier than writing shit code anyway if you're halfway competent.

Seems like a problem on your end, no language can save you from shit programmers.

I write shit code all day and have junior devs deal with it

Obviously, that wasn't really what we were discussing though.

HA. Best way to describe it. It gets the job done and can be used to write some good code but I still hesitate to tell people about it.

You know no one is forcing you to write html inside PHP code. You can use a templating engine like you would in every other language.