PHP tends to get a lot of flak, but mostly it is for something that isn't really the fault of PHP. Things like "there is so much bad PHP code out there" may be true but you can write bad code in any language. You shouldn't be mixing PHP, SQL and HTML, and you should be escaping/parameterizing variables for queries. (Thankfully this is less prevalent nowadays.) So do many PHP criticisms actually hold true today, now we have namespaces and we have buried crap like magic quotes at the bottom of the ocean?

Other comments cover things like

• PHP's namespace implementation
• poor web services support
• Less code audits, more "roll-your-own fever"
• Function naming and parameter order
• weak OOP functionality

Check out the full post for lots more opinions and add yours too!

Conflict is not a bad thing. That is, if it leads eventually towards clarity and understanding rather than confusion and misunderstanding. [...] A debate about a technical matter may be conducted in parallel with an altercation that addresses the relationship between the participants. This is confusing in itself. Keeping these discussion apart will help maintain clarity.

Using this tact, he responds to the criticism made on the previous post, specifically one that points to this article as to why "considered harmful" articles should only be seen as fodder for argument and should be "considered harmful" themselves.

Before we begin our exploration of the architecture of the Zend Framework (ZF), it is important to discuss how a typical MVC application is built. Examining and understanding the architecture of an MVC Web application allows you to make more contextually sound choices when building your application.

He starts with a look at a three-tier architecture (presentation, application, data) and compares that to the MVC used in the Zend Framework. He talks about how ZF is a hybrid component and infrastructure framework and the coupling that it provides between its components. He also has a few criticisms namely some performance issues from this style and the lack of a module to handle model/controller dependencies.

Andrew van der Stock has written a strong criticism of PHP's insecurity. Andrew is a seasoned security expert and a major contributor to OWASP, and he states:

"After writing PHP forum software for three years now, I've come to the conclusion that it is basically impossible for normal programmers to write secure PHP code. It takes far too much effort."

He continues, citing specific areas where he thinks PHP is weak and asserting that "PHP must now mature and take on a proper security architecture."

Chris also mentions that some of the reasons Andrew mentions include register_globals, magic_quotes_gpc, and safe_mode - all due to be removed in the latest PHP version (6). Also, be sure to check out the comments on the post for a good bit more information and discussion...]]> Tue, 24 Jan 2006 06:34:00 -0600