Confessions of a Guru....

20 June 2008

Things that I hate about PHP

Ok so I've been back in the swing of development for a while now and I've reminded myself about the things that I hate about PHP. Overall I like it a lot but these are the things I hate.

magic_quotes

So the deal here is that when enabled, any posted information will have any quotes magically escaped, so if you were to post the text "Fish 'n' Chips" then your script would receive the text "Fish \'n\' Chips". This is useful because then you don't have to do anything to it to include it directly in a query for insertion into a table, but nowadays parameter binding and database abstraction layers take care of that. If you're starting from scratch, do yourself a favour and disable magic_quotes on your PHP installation. If you can't, use this to do it for you:

// If magic quotes are on, remove the slashes PHP added to the input.
// This lets us operate on all inputs without having to addslashes().
if (!empty($_POST) && get_magic_quotes_gpc()) {
    foreach ($_POST as $var => $val) {
        if (is_string($val)) {
            $_POST[$var] = stripslashes($val);
        }
    }
}

This will ensure that the contents of the $_POST variable will always be as it was posted when you first get your hands on it. What you do with the content is then up to you.

addslashes, stripslashes

Ok, I don't hate these functions as much as I hate how they are abused. The problem is that people don't seem to understand when and why they should be used. It is not correct to always addslashes() your content before inserting it into a database and stripslashes() when getting it back. It is correct to addslashes() the content as you're inserting it ONLY if the string hasn't been addslashes()ed already - remember that magic_quotes does this too. The result is that if you have magic_quotes enabled and you addslashes() as well, our string "Fish 'n' Chips" ends up as "Fish \\\'n\\\' Chips", and that is what gets inserted. A "fix" (ahem) is to stripslashes() when you get it out of the database, but this is not correct; it is very much a bandage on the real problem.
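As an added example (not code from the original post), here is the escaping chain the two sections above describe, followed by the approach they point at: strip the magic_quotes layer exactly once at the input boundary and then let parameter binding do the quoting. It assumes PDO with an in-memory SQLite database so it runs stand-alone; get_magic_quotes_gpc() is guarded with function_exists() because the function no longer exists in PHP 8.

```php
<?php
// Constructed input: what a script received for "Fish 'n' Chips" with
// magic_quotes_gpc enabled, i.e. the quotes already escaped once.
$posted = "Fish \\'n\\' Chips";            // Fish \'n\' Chips

// The abuse described above: escaping an already-escaped string.
$doubleEscaped = addslashes($posted);      // Fish \\\'n\\\' Chips
// stripslashes() on the way back out only peels one layer off, so the
// value is still not what the user typed.
$stillWrong = stripslashes($doubleEscaped) !== "Fish 'n' Chips"; // true

// Normalise once, at the boundary, and only when PHP really did escape it.
// $magicQuotesOn may be passed explicitly (used below to simulate a PHP 5
// setup); by default it is read from the runtime.
function normalise_input(string $value, ?bool $magicQuotesOn = null): string
{
    if ($magicQuotesOn === null) {
        // Removed in PHP 8: on 8+ nothing was ever escaped for us.
        $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// After normalising, do not escape by hand: bind the value as a parameter.
// Assumption: an in-memory SQLite database with a single "items" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (name TEXT)');

$name = normalise_input($posted, true);    // Fish 'n' Chips
$stmt = $db->prepare('INSERT INTO items (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

// What comes back is exactly what was posted: no stripslashes() needed.
$stored = $db->query('SELECT name FROM items')->fetchColumn();
assert($stored === "Fish 'n' Chips");
assert($stillWrong === true);
echo $stored, PHP_EOL;
```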

Automatic Typecasting

It's useful to be able to have a string with the value "10" and add an integer value of 2 to it and have the result as an integer of 12, but you cannot disable the automatic typecasting. This lends itself to bad programming practice, and to confusion about how your application will behave when it casts an array to an integer, for example. The PHP website lists the exact behaviours, but it is annoying when "0", "", 0.0 (float), 0, false, NULL, Array() and an empty object (PHP4 only) are all treated as FALSE, yet "0.00" is treated as true. This is alleviated somewhat by using the identity operator (===), which only returns true when both the type and the value on each side match, but it does annoy me. Hungarian notation may be of use to help set the standard in a project.
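An added example, not from the original post, of why the === advice matters once a comparison guards something: loose comparison converts types first, so two values that are not the same can still compare equal. The values are constructed; the small functions are illustrative helpers, not PHP built-ins, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
function loose_equals($a, $b): bool  { return $a == $b; }
function strict_equals($a, $b): bool { return $a === $b; }

// Two strings that both look numeric are compared as numbers, not as text.
var_dump(loose_equals('10', '1e1'));    // bool(true): both parse as 10
var_dump(strict_equals('10', '1e1'));   // bool(false)

// The same rule applies to hex digests: any two that parse as 0 x 10^n
// compare equal under ==, even though the strings differ.
var_dump(loose_equals('0e12345', '0e67890'));  // bool(true)
var_dump(strict_equals('0e12345', '0e67890')); // bool(false)

// A role check that accepts whatever == happens to accept: a boolean true
// compares equal to the non-empty string 'admin'.
function is_admin_loose($role): bool  { return $role == 'admin'; }
var_dump(is_admin_loose(true));         // bool(true)

// Hardened form: exact type and value, and an allow-list of known roles.
// The third argument to in_array() switches it to strict (===) comparison.
const KNOWN_ROLES = ['admin', 'editor', 'viewer'];
function is_admin_strict($role): bool { return $role === 'admin'; }
function role_is_known($role): bool   { return in_array($role, KNOWN_ROLES, true); }
var_dump(is_admin_strict(true));        // bool(false)
var_dump(role_is_known(0));             // bool(false)
var_dump(role_is_known('editor'));      // bool(true)

// For secrets (session tokens, HMACs, hashes) use hash_equals(): it compares
// as strings, never as numbers, and in constant time. === is correct on the
// value but does not guarantee timing-independent comparison.
function token_matches(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}
var_dump(token_matches('0e12345', '0e67890')); // bool(false)
var_dump(token_matches('0e12345', '0e12345')); // bool(true)
```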

Variable Scope

The scope of a variable is the current function or method, or global if it is in neither. It would be nice to have the scope of a variable be the current block as in perl (forgive me, it's been a long time since I had to write perl), where the variable only exists for the duration of the current block, for example:

for (var $i=0; $i<10; $i++)
{
    // do something with $i
}
// $i no longer exists here

Prefixing variables with $

I heard one of the PHP guys on a podcast (a TWiT one I think) saying the reason that variables had to be prefixed with $ was that it was easier to write a parser that just knew that $ had to be a variable, rather than determining whether it was an operator. Ok, I agree but let me see how many lines with $'s I can find in my current project: 37375 out of 55925. I'm just annoyed, oh and switching between PHP and Javascript where you don't use $ as variable name prefixes is annoying (as is the fact that + is the concatenation operator in Javascript and it's . in PHP)

I miss something like pascal's "with" operator

Especially when you're dealing with data deep in an object, for example $foo->bar->baz->quz[] (and I use this object level often), it would be nice to be able to go:

with ($foo->bar->baz)
{
    .quz['element1']
    .quz['element2']
    .quz['element3']
    // etc
}

Can't do it :( VB has a similar construct but I can't recall what it's called.

Different Quoting Behaviours

The difference between a "string" and a 'string' irks me. "string" is parsed for variables, e.g. with $name = 'Bob', "My name is $name" would return "My name is Bob", but 'My name is $name' would return 'My name is $name'. I opt for the latter please, and just let us work out what we want to do.

Other than that ...

.. it's all good! As I said above I like PHP a lot and the fact that it's got such a huge following and is used on some pretty major products (Facebook for one, Yahoo for another) is a testament to how well it can work when implemented properly.


10 Comments:

  • You should never have to stripslashes any data retrieved from a database call. If you don't and you get extra backslashes in your strings it's because it was double escaped before it was put in there. In one case I saw a system where the number of slashes in a string would continually grow on save - the "fix" was to run stripslashes in a loop!

    By Blogger Guru, at 20/6/08 14:47  

  • Good post!

    Given that PHP has builtin stuff for preventing SQL injection, does it have anything for XSS or is that just left up to developers to try and address?

    Also, "with" exists in JavaScript, but it's looked down upon because it's not always obvious which scope is being used. One (better) approach is to use an anonymous function, like (function (baz) { /* do stuff with baz */})(foo.bar.baz). If PHP has closures/anonymous functions/lambdas you might be able to do something similar.

    Aaaand, you're crazy for not liking string interpolation! I'd kill to have that in Java!

    By Blogger Gareth Redman, at 23/6/08 23:05  

  • Hey G...

    I don't think there's anything native to prevent XSS but I suspect there'll be frameworks out there that will help with this. Framework equals learning curve and vendor lock in and don't lend themselves to existing applications. I haven't been brave enough to look too hard at any particular one yet.

    PHP has anonymous functions but no enclosures. What I don't like about declaring the anonymous functions is that the function code must be specified as a string. This sucks because you have to go escaping quotes etc. Never had to use them. Makes me feel slightly warmer than cold to know they've got my back for some retarded situation.

    How would string interpolation in Java make your life so much better that it would be worth proverbially springing someone's mortal coil? It just feels like a convenience that is open to misunderstanding - remember that the "you must be this high to ride" sign for PHP is much lower than Java.

    By Blogger Guru, at 23/6/08 23:30  

  • Oh, and http://nz2.php.net/create_function ...

    By Blogger Guru, at 23/6/08 23:31  

  • I don't know, I just find interpolation easier to read.

    That create_function looks pretty dirty! It's a shame because lambda functions make a lot of patterns way clearer. For example, Ruby uses blocks (which are *almost* lambdas) for iterators and resource management, JavaScript uses them for events, and Smalltalk even uses them for conditionals.

    They make a lot of things possible without introducing new syntax to address every little thing. More importantly they empower developers instead of requiring changes to the language.

    By Blogger Gareth Redman, at 25/6/08 18:25  

  • So, uh, are you coming up or what?

    By Blogger Gareth Redman, at 25/6/08 18:31  

  • This is what I was drunkenly trying to explain to your mate tonight.

    By Blogger Gareth Redman, at 26/6/08 22:19  

  • I don't know WHAT you guys are on about.

    By Blogger LoopyNZ, at 27/6/08 21:14  

  • I know and they're still weird! ;-P

    But whilst the post was interesting I'd say that you could do a very similar thing to any language. :)

    Easy pickings! >;-)

    Then again this comment is just the same!

    By Anonymous Anonymous, at 26/7/08 17:46  

  • Umm ... ok.

    By Blogger Guru, at 26/7/08 18:19  
