“The introduction of new object-oriented programming features in PHP V5 has significantly raised the level of functionality in this programming language. Not only can you have private, protected, and public member variables and functions – just as you would in the Java, C++, or C# programming languages – but you can also create objects that bend at runtime, creating new methods and member variables on the fly. You can’t do that with the Java, C++, or C# languages. This kind of functionality makes super-rapid application development systems, such as Ruby on Rails, possible.”
I’ve been playing with PHP for about 2 or 3 years now. In comparison to the other big boys out there, I find PHP just too, too loose! For example, declaring variables. PHP allows you to create variables almost everywhere inside the code. For me, this is a no-no, force people to declare their variables and specify a type. Makes poor programmers.
Anyone else?
I want to know what scripting language doesn’t have these problems? Pretty much all semi-commonly used scripting languages allow these things.
I do agree with you that this is one of the reasons that scripting languages are frowned on in larger projects with many developers, because the language doesn’t enforce good coding practices and strong type checking like Java for instance.
>For me, this is a no-no, force people to declare their
>variables and specify a type. Makes poor programmers.
Hmm.. what are you talking about? Even in C you declare variables where you need them. It’s common in many languages to do this. In fact I think it makes the code cleaner because you are not reading code thinking “where the hell did that variable come from” because it’s declared right there and you know that it is, what type it is and what it is for.
C Example:
    int count = 1;
    while (count <= 100)
    {
        printf("%d\n", count);
        count += 1;
    }
You’re just bitching for no reason.
Even in C you declare variables where you need them. It’s common in many languages to do this.
I don’t think he was so much talking about where you declare variables, so much as whether or not you actually have to declare and strongly type them. Sure, you can easily argue in favour of php’s looser model, but both approaches are quite valid. The interesting thing is deciding when to use each one.
“Even in C you declare variables where you need them.”
Wrong. You must declare variables at start of functions / loops in good ol’ C. AFAIK some compilers allow the extension of declaring anywhere tho.
“You’re just bitching for no reason.”
Watch that language.
Yeah, C99 allows anywhere. And that’s what.. 4 years old now?
I only coded php4 but I think what he meant is this:
class Person {
    var $name;
    …
    public function setName($name) {
        //
        // not sure if both "compile" without errors
        //
        $this->name = $namee; // yes a typo…
        // or
        $this->namee = $name; // yes a typo…
    }
    …
Edited 2006-02-20 19:59
You miss his point entirely.
In C, C++, Java, etc you have to declare a variable before you use (give it a name, a type, etc).
In PHP, you just use the variable. If it doesn’t exist at the time you first use it, the parser creates it for you. Which means if you misspell one of your variables, you have suddenly created a new one. Which leads to all kinds of silly little errors that take way too long to track down.
It is also much easier to create tools to help you write the correct variable names in a typed language. E.g. if you write java code in Eclipse or any other modern java tool pressing the dot after an object name will present you with a popup with all methods and variables available on that object so that you easily can do auto complete.
In some cases (like in Eclipse) it even shows whatever documentation you made for that method.
Another problem with languages like php is that the lack of typed variables makes testing much more complex if you want to make sure that the program really does what it is supposed to do. In a large project the work of writing such tests takes much more time than declaring variables.
As for the example in the article, there are other ways to do things like this. The article assumes that you map the fields in the database to fields in PHP objects.
Why not put more functionality into the database using stored procedures? That way the application will be much faster; if done right you will also have a natural way to get separation between function in the database and presentation written in PHP. By using template systems such as PHPTal, the separation could be even clearer.
The downside is of course that you will get hard ties to whatever database engine you are using. This is usually not a big problem unless you are making some kind of product in PHP, that you intend to sell to others to use as you then would like the same code to run on as many databases as possible. However if you do some coding for your own organization, it is highly likely that the database infrastructure will last a lot longer than the look of the website.
“If it doesn’t exist at the time you first use it, the parser creates it for you. Which means if you misspell one of your variables, you have suddenly created a new one. Which leads to all kinds of silly little errors that take way too long to track down.”
You can easily change the error warning level in PHP configuration (or at runtime) and PHP will display a Notice for each undeclared variable in your code.
Actually there used to be days, when it was taught to be a good design decision to have explicit variable declaration on top of the algorithm and a clean interface and implementation separation.
And given the fact that I constantly have to switch between non declarative and declarative languages, I at least agree with the declaration part, it makes the code way more readable once the stuff gets bigger.
As for the interface implementation separation, that stuff fortunately can be covered better by autodoc tools.
“Even in C you declare variables where you need them.”
That’s just been possible since the ’99 revision of the standard (C99), which not every compiler implements fully (I think gcc is compliant).
Now, some folks might have a distorted view of C, since they really have been compiling stuff with a C++ compiler (which no, C isn’t a subset of C++ anymore).
you can also create objects that bend at runtime, creating new methods and member variables on the fly. You can’t do that with the Java, C++, or C# languages.
Not that I have a problem with people exploring this type of functionality, but I just want to point out that this is not a deficiency in the other languages. They’re aimed quite firmly at a different development model. It would be dead simple to put this sort of stuff into a virtual machine language and it can already be done to a degree with runtime bytecode engineering. It’s just not a native part of the language because it’s too easily abused.
I don’t know about Java or C++, but you absolutely can do this in C# using either Reflection.Emit or the System.CodeDom namespace, and this functionality has been in the CLR since v1.0. For an excellent high level primer on this, have a look at this article: http://msdn.microsoft.com/msdnmag/issues/05/12/CodeGeneration/defau….
Nicely written article! One to bookmark.
PHP is a great language and it just got better. Sure, it has its drawbacks, and the article is right to point them out.
“…but you can also create objects that bend at runtime, creating new methods and member variables on the fly…”
I can’t wait to see the interesting vulnerabilities this capability will foster when used in conjunction with badly written PHP code LOL.
The security community has its research cut out for them.
-Viz
Howdy
Javascript lets you do this kind of thing and it does not really have to lead to security problems.
Remember PHP code is run on the server, not on the client; all the client sees is the result, so to add a new method or variable to a running instance would require hacking of the server then gaining access to the running container and instance in the container (container = zend engine etc).
Realistically you’d take over the server then run your own code or server.
Javascript lets you do this kind of thing and it does not really have to lead to security problems.
The idea of a security vulnerability due to sloppy javascript writing is kind of dumb. The language, by the nature of where it runs, is simply the least secure thing imaginable. The reason javascript mistakes don’t matter is because javascript should never (ever) be touching sensitive data anyways.
so to add a new method or variable to a running instance would require hacking of the server
No, the point is that a programmer can accidentally add stuff they didn’t mean to and this would allow a cracker to gain access.
> The idea of a security vulnerability due to sloppy
> javascript writing is kind of dumb. The language, by
> the nature of where it runs, is simply the least secure
> thing imaginable. The reason javascript mistakes don’t
> matter is because javascript should never (ever) be
> touching sensitive data anyways.
Right… It’s just a scripting language, the fact it started off at Netscape as a web-browser feature doesn’t mean it can only be used for that:
http://www.mozilla.org/js/spidermonkey/release-notes/
Comparing it to the Apache mod_php one may have a look at the old mod_js or more recently mod_whitebeam or something – http://www.whitebeam.org/
Right… It’s just a scripting language, the fact it started off at Netscape as a web-browser feature doesn’t mean it can only be used for that: …
Oh, granted. Along with vbscript, it was also the syntax for asp and I believe it can still be used interchangeably with vbs for general windows scripting.
In my post I was referring to javascript as the interpreters/object models that exist within web browsers. I just figured it was obvious enough that I didn’t need to bother specifying :-p
> Along with vbscript, it was also the syntax for asp and
> I believe it can still be used interchangeably with vbs
> for general windows scripting.
Although I don’t use MS-Windows, I’m pretty sure you’re correct. However KDE[0] (kjscmd) and Gnome[1] (mjs) have similar functionality. AKA ECMAScript[2], it’s probably stock platform agnostic to a greater extent than PHP is.
[0]: http://xmelegance.org/kjsembed/
[1]: http://www.mono-project.com/JScript
[2]: http://www.ecma-international.org/publications/standards/Ecma-262.h…
it’s probably stock platform agnostic to a greater extent than PHP is.
What’s your point? As I said, I wasn’t talking about abstract javascript and all the places it can be applied. I was talking specifically (and only) about scripting within webpages in a browser. Stop trying to add irrelevant things to the discussion.
Sorry, but that PHP is a server-sided language IS the problem – if a PHP developer makes mistakes, it allows hackers (via GET or POST data) to run malicious code on the server like getting passwords or other sensitive data. This is called PHP or SQL Injection.
The idea of a security vulnerability due to sloppy javascript writing is kind of dumb.
Exactly! Although I’m not saying it might not ever happen, it does not need to be a security nightmare with enough thought on the implementation.
No, the point is that a programmer can accidentally add stuff they didn’t mean to and this would allow a cracker to gain access.
I fail to see why adding a method at runtime leads to this, bad programming is bad programming and if they cannot account for what they add and why then their static code would be questionable as well.
The sheer amount of code may lead to risks but the idiom behind it does not need to.
Sorry, but that PHP is a server-sided language IS the problem – if a PHP developer makes mistakes, it allows hackers (via GET or POST data) to run malicious code on the server like getting passwords or other sensitive data. This is called PHP or SQL Injection.
Failure to validate inputs is called stupidity, GET/POST buffer overflow is a little different but I seriously fail to see why the ability to dynamically add a method suddenly makes this more easily happen. If you can tell me an example of this I’ll happily listen.
if you can tell me an example of this I’ll happily listen.
You have some user input that you’re going to inject into a sql query, a search term or something. You have a function that validates the input and returns a boolean and you rely on this function to make sure the input isn’t malicious. But you accidentally pass $serach_term to the function, which somehow results in a pass while $search_term (what you really wanted to validate) is malicious. You then proceed to build the query using the correct but malicious search term.
Sure, it’s a contrived example and lots of common sense things could prevent this, but the point is that any time your code starts doing something you didn’t expect it to, you have zero guarantee that it’ll be safe.
And how is reflection at fault here?
And how is reflection at fault here?
Err, what did I miss? I don’t follow you. My example had nothing to do with reflection, it had to do with php not requiring you to declare variables.
I guess my example wasn’t too good because he was asking about functions/methods and I was talking about variables. I’m not going to try to invent an example for functions/methods because I don’t understand enough about how php handles them but I don’t think it’s too hard to come up with a scenario where you mistype or make a bad assumption and something unintended happens.
Anyways, this is getting too much into the semantics of strongly/weakly typed languages. As I said before, both have their advantages and places (I personally happen to be much more comfortable with strong typing).
Sorry, I assumed that you were saying that the ability to dynamically add methods was going to create security issues. The poster you replied to assumed the same thing, since he asked for an example relating to that.
As for declaring variables, it is not that big of an issue. On your development server, just configure PHP to give you a notice whenever it encounters an uninitialised variable.
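The misspelled-variable scenario described in the comments above, together with the undefined-variable notice suggested as the remedy, as an added example that is not part of the original thread. The function names, the `articles` table and the sample input are assumptions made for illustration.

```php
<?php
// Added example; function and table names are hypothetical.

// Deny-list validator in the loose style: untyped parameter, so the null
// produced by an undefined variable is accepted and contains no bad characters.
function is_safe_term($input) {
    return strpbrk((string) $input, "'\";\\") === false;
}

// Same check with a declared parameter type: null is refused with a TypeError.
function is_safe_term_typed(string $input): bool {
    return strpbrk($input, "'\";\\") === false;
}

// The mistake from the thread: the validator receives the misspelled
// $serach_term, while the query is built from the real $search_term.
function build_query($search_term, callable $validator) {
    if (!$validator($serach_term)) {
        return null; // rejected
    }
    return "SELECT id FROM articles WHERE title LIKE '%" . $search_term . "%'";
}

$term = "x' OR '1'='1"; // constructed sample input

// 1. Diagnostics hidden: the typo is silent and validation is bypassed.
error_reporting(0);
echo "loose:  ", var_export(build_query($term, 'is_safe_term'), true), "\n";

// 2. Undefined-variable diagnostics promoted to exceptions
//    (E_NOTICE before PHP 8.0, E_WARNING from 8.0 on).
set_error_handler(function (int $no, string $msg, string $file, int $line) {
    throw new ErrorException($msg, 0, $no, $file, $line);
}, E_NOTICE | E_WARNING);
try {
    build_query($term, 'is_safe_term');
} catch (ErrorException $e) {
    echo "strict: ", $e->getMessage(), "\n";
}
restore_error_handler();

// 3. Typed validator: even with diagnostics hidden, null never reaches the check.
try {
    build_query($term, 'is_safe_term_typed');
} catch (TypeError $e) {
    echo "typed:  ", $e->getMessage(), "\n";
}
```

Neither check replaces bound parameters: the query in `build_query` is still assembled by string concatenation, which is the pattern the scenario depends on.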
No actually I’ve been saying it will NOT cause security issues and I asked for an example that would show an example of one.
To clarify I’m mainly talking about the adding of methods dynamically, SQL injection is another issue altogether.
Hope this clears up the confusion as I know I’m confused about how you understood my reply the way you did, maybe some sleep for me is on the cards.
I didn’t want to say anything against the dynamic of PHP,
just wanted to say you don’t really need to hack the (whole) server.
Additionally it’s not that easy to avoid Injection, projects like phpBB have/had a lot of security problems because of Injection.
P.S.: I’m not against PHP or something – in fact I like and use PHP but PHP has also its disadvantages
Can we get some love?
I was a PHP programmer for a few years, but now I just find it boring and tedious.
I converted to Ruby 6 months ago, it’s so delicious. It’s like C++, Smalltalk & Perl rolled up into this candy bar that is almost perfect. (nothing is perfect)
The rails development just blew me away, and I think PHP will find it hard to mimic a similar framework based purely on their design of the OO methodology.
I won’t go into details as to why, you’ll just have to take a look and see why PHP is so old school.
Check out http://www.rubyonrails.org/screencasts and view the 15 minute demo on building a weblog. It doesn’t teach you how powerful Ruby is, it will illustrate the power of rails which sits on top of Ruby.
PHP is not even close to this functionality and it’s what ultimately sold me to be a complete convert.
“I converted to Ruby 6 months ago, it’s so delicious. It’s like C++, Smalltalk & Perl rolled up into this candy bar that is almost perfect. (nothing is perfect)”
I’m sorry, my brain is stuck in an infinite loop repeating “& Perl” interjected with the word “Perfect”. I guess it’s not used to seeing those two words in the same sentence.
I’ll stop trolling/cracking lame jokes now, for this is about PHP, not Perl, although both languages do lend themselves to being horribly tortured by programmers (or are they torturing the programmers, I’m not sure).
FWIW, I wrote PHP & Perl for a number of years. I’m glad those years are far behind me.
Long live C# … at least until something better comes along.
Which hosting providers provide these languages?
I found “dreamhost” for Ruby and PHP5.
I currently use GoDaddy and PHP4. I asked them about the availability of PHP5 and got the “I don’t know when” answer.
PHP4 is okay and I created a nice web architecture in it, but I wouldn’t mind investing either in PHP5 or a more powerful language.
I just need a place to host the websites for a newer PHP or alternative language.
I could have just about predicted that a new RoR convert would have to post here in this thread and tell us all that RoR has changed their lives. Newsflash: yes, we’ve all heard about Rails by now. Some of us have also used it too. It’s getting a bit to the point of how much linux gets mentioned in threads about other OSes.
Since Rails *has* been mentioned though, I’ll suggest that people have a look at CakePHP (cakephp.org) if they want to have a similar framework, but one built on top of PHP. CakePHP was inspired by Rails, but the developers are evolving it separately. The framework is pretty young and things are still changing rapidly but I found that the framework is useable already.
There are other Rails-like PHP frameworks around, but I haven’t tried them yet. Maybe someone could give us a comparison?