[uriel]

Except that building a "properly written PHP app" is way harder than in almost every other language in widespread use.

The number of pitfalls and traps you can fall into almost surpasses the 'safe' parts of the language (and its environment).

[FuzzyDunlop]

I think the major problem is PHP's 'noob friendliness'. To achieve that it goes out of its way to mitigate and recover from bad code and thus doesn't have a decent set of well known good practices to code against.

The huge vulnerability that opens up is that of data validation, and you can tighten up your server config all you want, but it won't mean shit without any of that.

Of course, since PHP is such a comparatively simple language, everyone thinks they're an expert once they know how to open a mysql connection (through the now deprecated bindings, of course) and code a simple blog script with basic CRUD functionality.

As a result, there's a 'simple/complicated' dichotomy when it comes to online documentation and tutorials, where the beginner developer ignores the complicated (and typically well thought-out) stuff, and goes for what they can easily copy and paste or get their head around.

Typically none of that code has any sort of validation or sanitisation. Half of it might go on about `magic_quotes_gpc` and `mysql_real_escape_string` and other PHP4-tastic curios, and the rest won't even mention that because checking user input is seemingly only related to db communication.

I feel pretty strongly about it because I've seen people post code snippets for PHP, trying to be helpful, but the code is dangerous. They serve better as examples of exactly what you shouldn't do.

And the one thing PHP beginners (and intermediates) need is better, simpler explanations of responsible coding practices, and how it isn't hard to do at all (it's only tedious); because the sooner they know, the better.

I should write a book or something.

[jasonlotito]

I know you aren't saying otherwise, I just wanted to add a bit to your "well known good practices" part. The fact is, in the professional PHP community, there are very much well established best practices (granted, not all our universal), but most are well established. The problem is, the leap from the beginning community to that professional community isn't natural. This is mostly a result of php.net catering to the beginner. It opens the doors to everyone.

Honestly, I feel there are a large number of quality sources for writing good PHP code. The problem is that isn't not all focused on PHP.

"everyone thinks they're an expert once they know how to open a mysql connection"

How true.

PHP is deceptively easy. It's akin to C, in that it will allow you to shoot your own foot if you ask it.

[FuzzyDunlop]

Yeah. I've also found that some well-known good practices might be well-known in an abstract concept but when it comes down to pure implementation it's a lot more murky.

Like you say though, that leap from beginner to experienced is so large as to make practical code examples rather scary, and you can't get anywhere if you're not confident with experimentation.*

The other problem is that there are many ways to skin a cat and one brilliant solution might be unworkable for another person. But that's just a characteristic inherent of any creative pursuit.

This thread's inspired me to try making a nice HTML5 presentation or something that outlines some of these practices as a beginner's aid. Like how Dive Into HTML5 really helps you learn what you can actually do with the new additions.

*It's surprising how many people won't experiment because they're worried about breaking something or blowing up their computer, and that irrational risk aversion just makes it difficult to learn what you can and can't get away with; and difficult to jump into the unknown.

[maratd]

Some of us need a language to hold our hand. Some of us don't. Some of us enjoy the freedom of coding the way we want to code, without a language shoving some perceived notion of correctness down our throat.

> Except that building a "properly written PHP app" is way harder than in almost every other language in widespread use.

This makes no sense. PHP doesn't force you to do things the right way, but it doesn't force you to do things the wrong way either. It just doesn't force you either way.

Those of us who know what we're doing can make intelligent decisions ... and those of us who can't, shouldn't be writing in PHP.

[FuzzyDunlop]

No one can make an intelligent decision until they know what an intelligent decision is. And everyone starts off at the beginning when they're picking up a new language (or want to start learning).

To be dismissive of those who 'don't know what they're doing' doesn't necessarily help make those intelligent decisions better known and easier to understand, or why they're the intelligent decisions in the first place.

[maratd]

> No one can make an intelligent decision until they know what an intelligent decision is.

Yup.

> And everyone starts off at the beginning when they're picking up a new language (or want to start learning).

Yup. PHP is a terrible language to be your first. Its loose nature, which allows an expert to sculpt beautiful code, is a noose upon which to hang oneself as a novice. Before I started on PHP (more than a decade ago), I already knew BASIC, C, and Java. Contrary to popular opinion, PHP is not a starter language, even though it is very easy to start.

[FuzzyDunlop]

Can't disagree with any of that (other than that I don't think PHP is necessarily conducive to creating truly beautiful code). I think it goes the other way too: starting off with PHP doesn't give you a good idea of what other programming languages are like, and you'll find many things you grow accustomed to (or rely on) turned upside-down.

Maybe it's like learning to break the rules before you even know what they are?

* although to counter that, you can do some crazy things with it if you know how to. I abstracted Drupal's path finding method (drupal_get_path) into a magic static class. It's probably got a performance hit but it's bloody nice to look at:

    Module::module_name('css', 'example.css');
    // vs.
    drupal_add_css(drupal_get_path('module, 'module_name').'/css/'.$file_name);