
Derick Rethans:
No to a Uniform Variable Syntax
Jul 17, 2014 @ 14:32:15

An RFC called "Uniform Variable Syntax" recently made it through the voting process and was approved for inclusion in PHP6. Once these changes take effect, some of the odd syntax you had to use for things like variable variables will be cleaned up and standardized. Derick Rethans, however, was the lone "no" vote, and here's why...

As you might have heard, PHP developers voted on an RFC called "Uniform Variable Syntax". This RFC "proposes the introduction of an internally consistent and complete variable syntax". In general, this RFC argues for making PHP's parser more complete for all sorts of variable dereferences. [...] Thirty people voted for, and one against: Me. Does that mean that I am against a unified variable syntax? No, I am not. I am actually quite a fan of having a consistent language, but we need to be careful when this hits existing users.

He points out that the changes carry known backwards compatibility breaks that alter the semantics of the language. While the BC breaks are understood, Derick argues that this is one of the worst kinds of change a language can make: "...and this is exactly why people whine that PHP breaks BC and does not care about its users".

tagged: rfc uniform variable syntax against vote semantics language

Link: http://derickrethans.nl/uniform-variable-syntax.html

David Goodwin's Blog:
Storing PHP objects in a database (please no!)
Mar 13, 2009 @ 17:01:36

David Goodwin has a suggestion for those developers who think storing objects in a database is a good idea: don't do it!

Short answer: DO NOT DO IT. Longer answer: ... I hate seeing serialized PHP objects within a database.

Some of his reasons include:

  • It's difficult to index/search - you'll probably need to use a regexp.
  • PHP Specific - good luck doing much with the data in a.n.other language
  • If the objects are large, you're likely to have a text or a blob field - this will suck from a performance point of view (at least in MySQL)
  • Why bother storing serialized objects in a database - surely the filesystem would be better?

Several opinions are expressed in the comments including some that agree with David and some that still defend the idea.

tagged: serialize database object store opinion against


Chris Shiflett's Blog:
PHP Insecurity
Jan 24, 2006 @ 12:34:00

Chris Shiflett's latest post points to a criticism of PHP's insecurity written by Andrew van der Stock.

Andrew van der Stock has written a strong criticism of PHP's insecurity. Andrew is a seasoned security expert and a major contributor to OWASP, and he states:

"After writing PHP forum software for three years now, I've come to the conclusion that it is basically impossible for normal programmers to write secure PHP code. It takes far too much effort."

He continues, citing specific areas where he thinks PHP is weak and asserting that "PHP must now mature and take on a proper security architecture."

Chris also notes that the issues Andrew cites include register_globals, magic_quotes_gpc, and safe_mode, all of which are due to be removed in the latest PHP version (6). Be sure to check out the comments on the post for a good bit more information and discussion...

tagged: insecurity security strong criticism against too much power
