by camus2 4478 days ago
@Killswitch

Problem is PHP is a templating language, not a general-purpose one. Other languages use frameworks for web devs that usually provide basic security features like auto-escaping output, ORMs by default (so no SQL strings), CSRF on forms...

PHP doesn't, so it's easier to shoot yourself in the foot.


You've almost got a point there, except PHP has quite a few frameworks to choose from. Mainstream ones all include, as you put it, "basic security features like auto-escaping output, ORMs by default (so no SQL strings), CSRF on forms".

Symfony2's form component is one of the best I've ever seen. It has many sane defaults and is locked down out of the box. Read up on their use of data transformers and how they protect users against XSS without any extra effort by the user. Validating automatically looks for a CSRF token.

What's more, these are (for the most part) stand-alone components. You don't need to commit entirely to the full Symfony stack; you can just opt into the components you need, even in the smallest project that only uses PHP as a "templating language".
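What the "auto-escaping output" and "CSRF on forms" defaults discussed above amount to when PHP is used as a bare template, as an added example that is neither from this thread nor Symfony's code; the `e()`, `csrfToken()` and `csrfValid()` helpers and the `$session` array standing in for `$_SESSION` are this example's own constructions.

```php
<?php
// Added example (not from the thread or from any framework): a minimal
// version of the escaping and CSRF defaults a framework gives you for free.
declare(strict_types=1);

// Output escaping: encode every HTML-significant character, quotes included,
// so user data placed in text or attribute context cannot break out of it.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// CSRF: one random token per session, compared in constant time on submit.
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf'], $submitted)
        && hash_equals($session['csrf'], $submitted);
}

// Constructed stand-ins for $_SESSION and a hostile request parameter.
$session = [];
$name = '<script>alert(1)</script>';

// Raw PHP-as-template (what the thread warns about): markup is emitted as-is.
$unsafe = "<p>Hello, {$name}</p>";
// The same data through the escaping helper: rendered as inert text.
$safe = '<p>Hello, ' . e($name) . '</p>';

// A form carrying the session token, the way a framework form component does.
$token = csrfToken($session);
$form = '<form method="post"><input type="hidden" name="_token" value="' . e($token) . '"></form>';

echo $unsafe, PHP_EOL, $safe, PHP_EOL, $form, PHP_EOL;

// Only the token issued for this session passes; a forged or missing one fails.
var_dump(csrfValid($session, $token));
var_dump(csrfValid($session, 'forged'));
var_dump(csrfValid($session, null));
```

Run it with `php example.php`; the first echoed line shows the script tag delivered verbatim, the second shows it encoded as `&lt;script&gt;`.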

You mean like Symfony, Laravel, etc.? Frameworks that a lot of PHP developers use these days...
You don't need a framework to do PHP web dev; in every other language, you do. That's my point: PHP IS a templating language, and no Symfony, Zend or Laravel can change that. If I write "print" in Python it won't output the result back to HTTP like PHP does. Ruby or Java don't have <?ruby or <?java tags, you get my point.
> Ruby or Java don't have <?ruby or <?java tags

I dunno about Ruby, but Java certainly does: http://en.wikipedia.org/wiki/JavaServer_Pages

With PHP, unlike other languages, you have not two but three options: you can run it as a web server module (that's your "templating" opinion and the most common use of PHP), you can run it through the Common Gateway Interface (where even in Python or Ruby print DOES output to HTTP), and finally you can roll your own HTTP server. In the last option, just like the common use of Python and Ruby, you have full control of what's going on with your code, and you decide what to send over the socket and what (if anything) to print on the console.
If you use them in CGI mode, you very well have a "start" tag in the form of a shebang first line like #!/usr/bin/env python.

Also, shell scripts and Perl are considered programming languages, and these too need a shebang line. Your point is invalid.

Well, many Ruby web apps use ERB, which is basically the same thing.