(acronym) PHP Hypertext Preprocessor

Essentially, PHP is a very flexible, very useful web development tool, designed to take on the tasks of serving up dynamic content. Capable of running on IIS, Apache, and probably a slew of other web servers, PHP is readily and freely available to all those interested.

A frequent gripe against PHP is security -- since PHP is so simple that relatively inexperienced computer users can still effectively employ it, PHP code has a bit of a bad reputation for having more holes than Swiss cheese. Heading the crowd of these security complaints is PHP's behavior of automatically registering global variables for anything passed by the browser. Although this behavior can be changed in the configuration file with the line "register_globals=off", it is on by default.

In other words, if I request:
http://site/file.php?some_var=blah
Then as soon as file.php starts executing, there's a global variable waiting for me called $some_var, whose contents are "blah." While incredibly handy when you just want to whip up a quick little something, this gets to be a bit troublesome when you have code like this example:

<?php
if($userPasswd==$sitePasswd)
 $logged_in=1;
[...]
if($logged_in==1)
 something_secure();
?>

Our attacker need only put ?logged_in=1 on the URL, and he automatically qualifies as logged in. While this simple example is so bone-headed that no one in their right mind would be likely to fall for it, more subtle variants of it may well -- and generally do -- come back to haunt the unsuspecting programmer.
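
The flaw above next to a hardened version, as an added example that is not part of the original writeup. The function names and sample values are hypothetical, and extract() is used as a stand-in for register_globals so the behavior can be reproduced on a current PHP.

```php
<?php
// Added illustration; function names and sample values are hypothetical.
// extract() stands in for register_globals, which copied request
// parameters into variables before the script ran (removed in PHP 5.4).

// Pattern from the text: $logged_in is only ever set on success, so a
// request parameter with the same name supplies its value on failure.
function check_vulnerable(array $request, string $sitePasswd): bool
{
    extract($request, EXTR_SKIP);   // request data becomes local variables
    if (($userPasswd ?? null) == $sitePasswd) {
        $logged_in = 1;
    }
    return ($logged_in ?? 0) == 1;
}

// Hardened: the flag starts from a known value and the password is read
// from one named key of the request array, never from a loose variable.
function check_hardened(array $post, string $sitePasswd): bool
{
    $logged_in = false;
    $supplied = $post['userPasswd'] ?? '';
    // is_string() rejects array input such as userPasswd[]=x;
    // hash_equals() compares without leaking timing information.
    if (is_string($supplied) && hash_equals($sitePasswd, $supplied)) {
        $logged_in = true;
    }
    return $logged_in;
}

$sitePasswd = 'correct horse';                 // constructed sample secret
$requests = [
    'forged flag'    => ['logged_in' => '1'],  // constructed: ?logged_in=1
    'wrong password' => ['userPasswd' => 'guess'],
    'right password' => ['userPasswd' => 'correct horse'],
];

foreach ($requests as $label => $req) {
    printf("%-15s vulnerable=%s hardened=%s\n", $label,
        var_export(check_vulnerable($req, $sitePasswd), true),
        var_export(check_hardened($req, $sitePasswd), true));
}
```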

Another critical point many Perl advocates have against PHP is bloat and speed -- By default, PHP has out-of-the-box support for a myriad of protocols, features, and functions -- some of which further reinforce the argument against PHP's security. While I haven't run any serious tests, my general feeling has been that PHP is not as fast as Perl. This may be quite wrong, and I have only measured this through scripts which perform millions of operations. However, I have seen many arguments against PHP which mention this performance difference. It would definitely be interesting to see a more scientific exploration of the matter.

PHP has a very simplistic approach to arrays, hashes, and objects which may well be useful for teaching beginning programming. Much like Perl, in which the line between integers and strings becomes blurred, PHP has a rather context-driven approach to the interpretation of a value. Unlike Perl, where hashes, arrays, and scalars have separate identifiers (%, @, and $, respectively), PHP variables all start with a $. All PHP arrays are hashes, regardless of how you refer to them. The following construct is perfectly legal in PHP:

$arr[0]=0;
$arr[1]=1;
$arr[2]=2;
$arr[3]=3;
$arr[4]=4;
[...]
$arr["ten"]="TEN";

PHP adequately supports classes, although its lack of destructors gets a bit annoying from time to time. PHP is exceptionally well-documented -- the PHP web site (http://www.php.net) maintains a complete searchable list of built-in functions, with parameters, more detailed discussion, user comments, and a surprisingly useful list of related functions. All-in-all, it puts Man pages to shame. Additionally, the PHP manual is a wealth of information, and comes in a variety of formats (including, as I found out to my glee, iSilo for PDAs).

Despite its intimidating security problems, I love PHP. It takes some discipline and know-how to really tighten security with it, but I find that you can take care of the global variable problem while still easily maintaining the swift development times, compact code, and readability that make PHP so attractive.