It never should have. The treatment PHP gets mostly feels like people finding it "not cool enough"; seldom have I seen someone have a real reason to avoid it.
PHP fans don't do themselves any favors by dismissing the criticisms in this sort of non-substantive way. The "fractal of bad design" paper has a lot of good criticisms, and the standard library is still a horror show of poor API design, in my opinion.
The first embarrassment I could think of off the top of my head is still there, for example:
https://www.php.net/manual/en/function.htmlspecialchars.php
Completely ignoring the fact that that function is a misnomer because it encodes XML special chars, not HTML, the "double_encode" parameter is pants-on-head ridiculous and basically a concession to people who can't be bothered to keep track of whether their string is already escaped or not and want to be able to pass it through this function again "just in case."
This is a bug waiting to happen (or more like a bug that's already happened all over the web), and the type of stuff that makes seasoned programmers who appreciate a well-designed ecosystem dismiss the entire thing as amateur hour.
When I used the language (around PHP 5) in the past it felt very inconsistent, and many functions were nearly 1:1 PHP interfaces to C functions. The type coercion was also bad, as was the stupid idea of having form variables appear as variables in the language (I believe the defaults were changed to disable it in 5).
Learning the history of the language (and that initially PHP was not supposed to even be a language) explains why things were the way they were.
Anyway the language worked, it wasn't specifically bad, and if you didn't use other languages (excluding JS which has similar issues) you might not even see any problems with it.
Anyway, later they started fixing many of these issues, and it looks like the language is becoming more consistent (note I don't know if this is entirely true, since I haven't had the chance to use newer versions, but that's how it feels from outside).
TLDR: checking passwords in PHP used to rely on using the correct comparison operator. Using the '==' operator would introduce subtle flaws. Using '===', you're fine.
Yeah; PHP and JavaScript are in the same general category of completely insane languages. As was (pre-.NET) Visual Basic, though for slightly different reasons.
You should never have been doing that in the first place; checking password hashes should use a constant time equality check to prevent timing attacks.
Just so happens there is now one in PHP - hash_equals, but even before that you could do a constant time equality check trivially by hand.
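The comparison behaviour discussed in the comments above, as an added example (not code posted by any commenter): two different digest strings that both read as numeric "0e..." values are run through `==`, `===`, `hash_equals()` and a hand-written constant-time loop. The digest values are constructed for illustration and `constant_time_equals` is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Constructed sample digests (not real hash outputs). Both have the shape
// "0e<digits>", which PHP treats as a numeric string: zero in scientific notation.
$stored   = '0e111111111111111111111111111111';
$supplied = '0e999999999999999999999999999999';

// Hypothetical hand-written constant-time comparison, for illustration of
// what hash_equals() provides natively.
function constant_time_equals(string $known, string $user): bool
{
    // Length is compared up front; digest lengths are fixed and not secret.
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        // Accumulate the XOR of every byte pair; never return early on a
        // mismatch, so the loop does the same work wherever strings differ.
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

$results = [
    // Loose comparison: two numeric strings are compared as numbers.
    'loose =='               => $stored == $supplied,
    // Strict comparison: same type and same bytes, but not constant time.
    'strict ==='             => $stored === $supplied,
    // Built-in timing-safe byte comparison.
    'hash_equals()'          => hash_equals($stored, $supplied),
    // Hand-written equivalent defined above.
    'constant_time_equals()' => constant_time_equals($stored, $supplied),
];

foreach ($results as $label => $equal) {
    printf("%-24s %s\n", $label, $equal ? 'MATCH' : 'no match');
}
```

Only the loose `==` line reports a match, because both strings are converted to the number zero before being compared.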
Documented insanity is still insanity. A very clear example that was luckily removed quite quickly: php_check_syntax.[1]
> Check the PHP syntax of (and execute) the specified file
This function's name and its documentation suggest completely different use-cases. In fact, it apparently does the one thing I wouldn't expect it to do based on the name. It's insane, and it cannot be excused just because the insanity is documented.
The example given by GP is a lot more subtle, but this is not a good argument to make.
I accept that, but I still don't really understand the issue. Which programming language can I pick where I don't need to read about what does what? I don't feel any language is intuitive per se.
Seriously, I've worked with coders for whom English is a second language; they literally had no idea that the combination of letters making up words we recognise were anything but symbolic of the function.