[steakejjs]

This looks awesome. PHP doesn't get a lot of love but it is really improving a lot and obviously still dominates the web... Glad the turkish bug is finally done with.

Would be really nice to see security augmentations to the language. The vast majority (maybe 9/10) sites I look at where no framework was used, the site is missing have no CSRF tokens, very poor XSS protections, and RCEs are pretty common too. I think this would really improve the language.

[krapp]

I find it odd that a language whose entire purpose is mixing code in with html doesn't come with the ability to automatically escape any echoed string by default. If you're not using something like Twig you have to wrap each variable in htmlspecialchars or something.

The argument that 'PHP is a framework' may be valid, but as a framework, raw PHP kind of sucks.

[goykasi]

PHP is simply a scripting language. It has numerous other uses besides just "mixing code in with html"; it wouldn't make sense to have something like enabled by default. For example, all console scripts would need to disable it.

[krapp]

Yes, it's a general purpose language and can be used for many different things, but as its name once indicated, PHP's primary use case is preprocessing hypertext. I think it would make sense since that's what almost all the PHP in the wild is involved with. Although i'm sure escaping could also be disabled by default when running from the command line.

[frozenport]

There is something to be said about security by obscurity. I don't want to see any security implementation because is means shared vulnerabilit.

[steakejjs]

What? I don't understand what you mean. PHP is not any more insecure than other languages. Some extremely secure sites run PHP....so security augmentations would not be obscurity.

An example would be built in CSRF protections through something like a form builder

[meowface]

>PHP is not any more insecure than other languages.

This is debatable. It's not if you know to avoid many awful components of the language that are pushed in tutorials (like extract, or mysql_query, or register_globals, or loose comparisons).

[jtreminio]

register_globals was removed several years ago;

mysql_* functions all have a big red warning at the top of the docs pages warning users not to use it;

extract has a big red warning about using it on untrusted data.

PHP shouldn't hold developer's hands, but it does enough to warn them away from the Here There Be Dragons.

[meowface]

You're right about register_globals.

However, the others require users to actually read the documentation, which unfortunately many do not. A new user of PHP reading a tutorial does not necessarily know these functions are unsafe. They type the functions into their program and they still work, even on the latest versions of PHP. They don't see a visible deprecation warning on the page.