Wedge

Public area => The Pub => Off-topic => Topic started by: Arantor on June 15th, 2011, 07:29 PM

Title: A PHP fork?
Post by: Arantor on June 15th, 2011, 07:29 PM
http://www.xarg.org/2011/06/php-hacking/

I'm staring at this and quietly thinking 'why in god's name weren't some of these implemented in PHP itself?'

I mean, [] syntax for arrays, various string/array enhancements and optimisations. Plus he really took some brave moments with forcibly kicking out register-globals and magic quoting instead of them being deprecated. And, for the love of all things holy, he's made UTF-8 the default! (About fucking time. ISO-8859-1, or CP1251, or other character sets... not default.)

I'm not sure about this being really deployed (I think PHP is perhaps too entrenched at the moment) but it does feel like he's doing it because he's frustrated with the way PHP is being developed - and doesn't that sound familiar? ;)
Title: Re: A PHP fork?
Post by: Eros on June 15th, 2011, 07:45 PM
It does sound familiar but by the same token...

I'm not sure I'd use it simply because I'm not sure I trust him to maintain it yet and PHP really needs a complete rebuild for PHP 6, which is not where he is going.

Title: Re: A PHP fork?
Post by: Arantor on June 15th, 2011, 07:53 PM
If you read what he has to say, though, he'd love to contribute this stuff to 5.3/5.4 but the powers that be are kicking stuff back - if I contribute a patch to something, I don't expect to have to wait a year for it to be evaluated. This did, unfortunately, happen with SMF (though it was more like 6 months rather than a year)

Yes, PHP 6 needs a fresh build and that's not where he's going, but he acknowledges that fact - it is more about raising awareness right now.
Title: Re: A PHP fork?
Post by: Eros on June 15th, 2011, 09:01 PM
Quote from Arantor on June 15th, 2011, 07:53 PM
If you read what he has to say, though, he'd love to contribute this stuff to 5.3/5.4 but the powers that be are kicking stuff back - if I contribute a patch to something, I don't expect to have to wait a year for it to be evaluated. This did, unfortunately, happen with SMF (though it was more like 6 months rather than a year)
I understand that. However, a single developer sometimes has RL issues or loses interest or whatever. If you take advantage of some of the non-compatible changes and something happens to kill development, you'll either need to take over or go back to the main PHP branch.

If he had a core group of 2-3 people, I'd be more willing to switch since if someone gets hit by car I don't have to switch back. Maybe that is just me tho. I'm lazy.
Quote
Yes, PHP 6 needs a fresh build and that's not where he's going, but he acknowledges that fact - it is more about raising awareness right now.
I know. I'm just saying I'm not sure it is worth the hassle if in a couple of years, PHP 6 will be what is adopted anyway.
Title: Re: A PHP fork?
Post by: DoctorMalboro on June 15th, 2011, 11:37 PM
Wow, I've been reading and it has lots of cool stuff. I'm gonna give it a go in localhost...
Title: Re: A PHP fork?
Post by: live627 on June 16th, 2011, 01:24 AM
It looks as if $_REQUEST is disabled by default which might cause problems with SMF since it uses that. But deep inside its bowels it declares $_REQUEST = $_GET + $_POST
Title: Re: A PHP fork?
Post by: Arantor on June 16th, 2011, 01:32 AM
And that's something I think is quite good ;)
Title: Re: A PHP fork?
Post by: live627 on June 16th, 2011, 01:40 AM
Yeah. I have always used $_GET and $_POST prior to SMF.
Title: Re: A PHP fork?
Post by: Arantor on June 16th, 2011, 01:43 AM
Oh, well, I came from ASP Classic prior to PHP, so the REQUEST concept was nothing new. What I like is that SMF explicitly sanitises REQUEST regardless of anything else, so it honestly makes no difference for SMF or Wedge for this fork.
Title: Re: A PHP fork?
Post by: snoopy-virtual on June 16th, 2011, 11:13 AM
And what happens with SESSION?

It should be $_REQUEST = $_GET + $_POST + $_SESSION

Or maybe he is doing it on purpose to get rid of the SESSION inside the REQUEST, but why? (thinking out loud)
Title: Re: A PHP fork?
Post by: Arantor on June 16th, 2011, 11:40 AM
Um, no it shouldn't. REQUEST out of the box would normally be GET, POST and COOKIE. And therein is the reason why REQUEST is unsafe without pre filtering like SMF does.
Title: Re: A PHP fork?
Post by: snoopy-virtual on June 16th, 2011, 01:09 PM
Sorry.

You are right.

I was sorting something else involving sessions and somehow I wrote it instead of cookies. Must be the Alzheimer.

A couple of days ago, for example, playing chess with my 14-year-old son, I was too concentrated on defending a pawn and completely forgot to defend the queen. Lost the game, of course.  :lol:
Posted: June 16th, 2011, 01:04 PM

Anyway, what I meant is why does he want to get rid of the $_COOKIE inside $_REQUEST instead of sanitizing it?

Even leaving only GET and POST he would need to filter it as well to avoid some attacks.
Posted: June 16th, 2011, 01:07 PM

Treat the cookies in a completely separate way?
Title: Re: A PHP fork?
Post by: Arantor on June 16th, 2011, 01:26 PM
SMF ditches COOKIE from REQUEST. With good reason: minimising data taint. People who are not tech savvy invariably use REQUEST for everything. I know I did when I first came to PHP.

Consider, for a moment, the implications of using REQUEST for everything. You cannot verify the source of anything, the very first line of defence against CSRF is gone, and if you're using REQUEST rather than COOKIE you even risk adding session fixation to your vulnerability list, just for starters.

Forcing users to use GET and POST, rather than an ambiguous source is a nice step, though honestly I'd love to see a proper taint detection method such as in Perl, where you explicitly can't do anything to input without some kind of sanity check first.
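
Added example, not part of the original post and not SMF's or the fork's own code: it models the stock GET/POST/COOKIE merge beside the `$_GET + $_POST` rebuild quoted earlier in the thread, using constructed arrays in place of the superglobals. The helper names `request_gpc`, `request_get_post` and `input_from` are hypothetical.

```php
<?php
// Constructed sample input standing in for the superglobals of one request.
$get    = ['action' => 'view', 'topic' => '42'];
$post   = [];
$cookie = ['action' => 'delete', 'PHPSESSID' => 'constructed-cookie-id'];

// Model of the stock "GPC" merge: later sources overwrite earlier ones,
// so a cookie can silently replace a query-string or form value.
function request_gpc(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// The rebuild quoted in the thread: $_REQUEST = $_GET + $_POST.
// With the + operator the left operand wins, and cookies never enter.
function request_get_post(array $get, array $post): array
{
    return $get + $post;
}

// Hypothetical strict accessor: the caller names the single source it
// accepts and the pattern the value must match; anything else is null.
function input_from(array $source, string $key, string $pattern): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    return preg_match($pattern, $source[$key]) === 1 ? $source[$key] : null;
}

$stock    = request_gpc($get, $post, $cookie);
$filtered = request_get_post($get, $post);

// Same key, two answers: the stock merge reports the cookie's value,
// the rebuilt array reports what the query string actually carried.
var_dump($stock['action'], $filtered['action']);

// The session cookie is absent from the rebuilt array entirely.
var_dump(isset($filtered['PHPSESSID']));

// A state-changing handler takes 'action' from the POST body only; a value
// that arrived by query string or cookie is not considered at all.
var_dump(input_from($post, 'action', '/^[a-z]+$/'));

// The session identifier is read from the cookie only, never GET or POST.
var_dump(input_from($cookie, 'PHPSESSID', '/^[A-Za-z0-9-]+$/'));
```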
Title: Re: A PHP fork?
Post by: CJ Jackson on June 16th, 2011, 05:41 PM
Quote from live627 on June 16th, 2011, 01:24 AM
$_REQUEST = $_GET + $_POST
I did that with my plugin, except I called it $param, because I'm used to the word param. ($param = array_merge($_GET,$_POST)).
Title: Re: A PHP fork?
Post by: Arantor on June 16th, 2011, 05:48 PM
And you're explicitly distrusting the original contents in favour of something more reliable. ;)
Title: Re: A PHP fork?
Post by: Eros on June 16th, 2011, 09:27 PM
Ya $_REQUEST is something to be avoided. It's unnecessary and evil.
Title: Re: A PHP fork?
Post by: Dragooon on June 16th, 2011, 09:56 PM
I use $_REQUEST all the time :P.

It's a nice PHP fork with a few nifty features but I don't see myself switching to it or giving it a shot honestly.
Title: Re: A PHP fork?
Post by: Arantor on June 16th, 2011, 10:00 PM
No, neither do I but it's certainly interesting. It is mostly about whether this emerges into a more serious fork, and also whether any of this gets merged into 5.4/5.5/6.
Title: Re: A PHP fork?
Post by: DoctorMalboro on June 17th, 2011, 12:52 AM
What happened to PHP6? It was so promising :(
Title: Re: A PHP fork?
Post by: live627 on June 17th, 2011, 01:35 AM
Professional Hippies People?

/me runs away
Title: Re: A PHP fork?
Post by: Eros on June 17th, 2011, 02:34 AM
Quote from DoctorMalboro on June 17th, 2011, 12:52 AM
What happened to PHP6? It was so promising :(
It basically stalled in Spring 2010.

http://schlueters.de/blog/archives/128-Future-of-PHP-6.html

After that, the PHP crew seems to have gone deathly quiet.

So if someone forks it and does a complete rebuild to bring out 'PHP 6', they'd have a decent chance. Otherwise, I'm not sure what the point of forking PHP is.
Title: Re: A PHP fork?
Post by: Nao on June 17th, 2011, 08:45 AM
@Pete> In any case, it'll be years before we could safely use some of his improvements...
Title: Re: A PHP fork?
Post by: Arantor on June 17th, 2011, 08:50 AM
Oh, I'm well aware it'll be a long time before anything here goes mainstream. I'm just intrigued that he actually forked it - because it's about pointing out how slow core PHP dev is, and more importantly how reluctant they are to look in new directions.
Title: Re: A PHP fork?
Post by: live627 on June 17th, 2011, 10:00 AM
It's a conspiracy! Or not. :P Sounds awfully familiar, eheh. SM, anybody?
Title: Re: A PHP fork?
Post by: Arantor on June 17th, 2011, 11:42 AM
;) I made that point in the first post :P
Title: Re: A PHP fork?
Post by: CJ Jackson on June 17th, 2011, 05:04 PM
Quote from Arantor on June 16th, 2011, 05:48 PM
And you're explicitly distrusting the original contents in favour of something more reliable. ;)
I wasn't too sure about jQuery.getJSON(), does it rely on HTTP POST or GET?  (I notice postJSON() doesn't exist.)
Title: Re: A PHP fork?
Post by: Arantor on June 17th, 2011, 05:12 PM
I don't know which off the top of my head, but if it works how I think it works, it'll be GET - because what it can do is inject a <script> tag into the DOM for the browser to fetch the contents dynamically - and it'll be JSON when it comes in, presumably.
Title: Re: A PHP fork?
Post by: Eros on June 17th, 2011, 05:21 PM
Quote from CJ Jackson on June 17th, 2011, 05:04 PM
Quote from Arantor on June 16th, 2011, 05:48 PM
And you're explicitly distrusting the original contents in favour of something more reliable. ;)
I wasn't too sure about jQuery.getJSON(), does it rely on HTTP POST or GET?  (I notice postJSON() doesn't exist.)
http://api.jquery.com/jQuery.getJSON/
Quote
As of jQuery 1.5, the success callback function receives a "jqXHR" object (in jQuery 1.4, it received the XMLHttpRequest object). However, since JSONP and cross-domain GET requests ...
The API says it's a GET request. I has faith in jQuery's documentation. xD
Title: Re: A PHP fork?
Post by: hadesflames on June 17th, 2011, 07:23 PM
I wouldn't even bother touching it until a proper IDE is created for it =P

Assuming they went on with the fork of course.
Title: Re: A PHP fork?
Post by: Eros on June 18th, 2011, 02:37 AM
Quote from hadesflames on June 17th, 2011, 07:23 PM
I wouldn't even bother touching it until a proper IDE is created for it =P

Assuming they went on with the fork of course.
....I wouldn't call the POS IDEs for PHP proper IDE's either. Then again, the only thing I think Microsoft ever did right was Visual Studio so....:/
Title: Re: A PHP fork?
Post by: [Unknown] on June 19th, 2011, 11:35 AM
I find it very interesting.  Honestly, I wish I had the time to sink my teeth into something like this.  These are some good improvements, and if things like this are getting rejected, I wonder how much good a fork could do in the world...
Quote from Arantor on June 16th, 2011, 01:26 PM
Forcing users to use GET and POST, rather than an ambiguous source is a nice step, though honestly I'd love to see a proper taint detection method such as in Perl, where you explicitly can't do anything to input without some kind of sanity check first.
Yes, although annoying, I agree.
Quote from Arantor on June 17th, 2011, 05:12 PM
I don't know which off the top of my head, but if it works how I think it works, it'll be GET - because what it can do is inject a <script> tag into the DOM for the browser to fetch the contents dynamically - and it'll be JSON when it comes in, presumably.
This is called jsonp and has problems with > 4k of data.  Some of the "easy" things jQuery does don't necessarily encourage best practice (I know this from having to do code review at work.)
Quote from Eros on June 18th, 2011, 02:37 AM
....I wouldn't call the POS IDEs for PHP proper IDE's either. Then again, the only thing I think Microsoft ever did right was Visual Studio so....:/

Indeed.  I use Phalanger myself for PHP and it works great.  I bet it could be hacked relatively easily into supporting a JSON-like array syntax.

-[Unknown]