funkatron.com

Joshua May says...

yeah, I agree. It’s just a cat-fight, though. Not everyone would be happy, and that was obvious, but it’d kind of sad to see someone in that position reacting that way.

That said, I completely understand where he’s coming from. But I still think it’s much better to embrace progress. Early adoption is key.

Consider me still not a Wordpress user or advocate.

Ronald van den Heetkamp says...

I don’t agree with your arguments, and it’s almost like you are saying that everyone MUST comply to PHP5 fanboys.

And if you talk about the security features, you still rely on the PHP5 backend, which hardly anyone inspects for flaws. Ever saw the PHP5 security buglist? it’s almost as large as PHP4 to PHP4.6 combined. More features, more stuff to attack, more unknown and potential holes.

I praise the effort of PHP5 but I don’t need it, hence I could get away free with using php3 if I wanted and still be secure, cause it still depends on how you handle data as a programmer. No short cuts while relying on the PHP5 backend to solve your problems. It can supplement, but It poses a danger if one trusts upon it blindly.

And the Apache 1.337 => Apache 2.00 discussion is a wise lesson, newer doesn’t mean more secure, It maybe easier to do stuff than before, but it isn’t “more” secure.

Matt says...

Thanks for the thoughtful entry! This is just the kind of thing I was hoping people would post. Just a few notes:

1. We now have parameterized SQL in core.
2. We’re not concerned with databases besides MySQL.
3. We have fine HTML filtering with KSES. The filtering has never been a problem, it’s just places where it’s been not applied.
4. While it would be nice to get a little more performance by using prepared statements, SQL is generally less than 5% of execution time.
5. OOP - In our experience strict OO can be fairly intimidating to casual coders, who are the people who have created the countless plugins for WP that make it as popular as it is today and, as you note, we’d like to maintain backward compatibility for. However internal APIs and code has embraced OO methods where appropiate.

While significant efforts have been made in auditing WP’s code, and we will continue to do so, I’m operating under the assumption that someday someone will find something, so our focus is on notification and ease of upgrading. Since people are using WP as a platform we need to make it upgrade like one.

Patrick Lee says...

I’m on the fence with this one.  While I love all the advantages that PHP 5.2 has over PHP 4.4, I can understand Matt’s argument about the legions of plugin developers who don’t grok OOP.  However, Josh has some great points about enforcing security by default using PDO, Filter, and other features only available in PHP 5+.

The great thing about open source software is that people who are not happy with the status quo have the freedom to fork the project and go their own way.  There’s nothing to stop somebody from creating “wOOrdpress”.  Get it?  OO?

Would this be a good thing for the Wordpress community as a whole?  Hard to say, but my guess is probably not.  Will the whole GoPHP5 movement really result in a mass upgrade?  I hope so, but I don’t know that either.  I just know that Wordpress is arguably the most popular and most extensible PHP app in existence today and we should probably think twice before we really rock the boat.

Does something need to be done to finally squelch the lingering code issues that WP has?  Absolutely.  Is a complete rewrite using PHP5-only features the answer we’re looking for?  Magic 8 Ball says… “Ask again later.”

Patrick Lee says...

Sorry, where I said Josh in the first paragraph, I should have said Ed.  Oops.

Nate Klaiber says...

Just as there are developers who don’t get PHP5 and its OO features, there are other developers who don’t want to traverse through a procedural mess. I am one of those people. Sure, I would love to extend a few things about my WP installation, but the codebase beneath is simply functions strung together, PHP/HTML intermixed at many different levels.

So because there are hack developers who know little PHP and can work with the procedural mess, that is what keeps you from moving to a cleaner OO system?

I hope as someone else pointed out, that someone will extend it to be OO. For now, I have found the best option is to simply move away from WordPress as it can’t do the things I need my site to do (without me hacking the procedural mess, no thanks). This doesn’t make Wordpress bad, I am just on the other side of the fence in that I prefer clean code and standards within.

I think the real issue is that people try to stretch Wordpress into something it isn’t. Again, nothing against WP - it is a great blogging system. Some people try and make it do things it simply wasn’t created for.

Then again, maybe I should upgrade and check out the recent changes that Matt listed above before I speak any more.

Sean says...

Like you, I’ve spend a lot of time digging through the core WordPress code, and it is an ungodly, unmanageable mess.

I can only roll my eyes when I read Matt’s “expert” opinions on PHP.

Matt says...

Then write a better app, and make it popular.

Jacob Santos says...

Um, procedural code isn’t a bad thing. The WordPress code is very easy to extend and that in my opinion is worth more than anything. I believe more applications should duplicate the plugin (hook, action, event) model of WordPress.

Unless you work with WordPress and other OO applications, you can’t really appreciate the ease. Also, reading WordPress code is a lot cleaner than some other applications.

Sometime, look at the horror that is Coppermine and you’ll be impress by that of WordPress. However, the Gallery 2 code is solid.

I actually started an OO fork of WordPress Yesterday, but I’m not sure how far I’ll get with it. Probably abandon it after a couple of weeks, after I realize it is a waste of time and WordPress code is good enough Procedural.

funkatron says...

@Ronald van den Heetkamp: I am not implying anything I did not say.

@sean: I think Matt’s a smart guy, and his opinions are as valid as any.  I happen to disagree with him in this case.

@Matt: Popularity has many potential fathers, and quality is all too infrequently one of them.

Thomas Lee says...

On the topic of parameterized queries and prepared statements with PDO, you might want to check out the successor to PEAR DB - MDB2:

http://pear.php.net/MDB2

You’ll likely want to load the “Extended” module too:

$db =& MDB2::connect($dsn);
$db->setFetchMode(MDB2_FETCHMODE_ASSOC);
$db->loadModule("Extended", NULL, FALSE);

MDB2 works in PHP4 too if you’re feeling sinful. :)

funkatron says...

@Thomas: Thanks for the info!

Sean says...

@funkatron - WordPress wouldn’t dominate the blogging software “market” if Matt wasn’t a smart guy. We all know he’s smart.

Another intelligent man who used his smarts to dominate a market is Bill Gates. However Bill’s poor coding skills are legendary. The success of Windows is a testament to his marketing skills, not his coding abilities.

The same holds true for Matt. The WordPress code is proof enough that he’s not the greatest programmer. It breaks dozens of fundamental coding practices—Poor abstraction, reusability, no inline documentation, etc. If you don’t even understand and use the fundamentals of programming, how can you say with authority that PHP4 is just fine, and PHP5 has nothing to offer?

So yes, he’s a smart guy. He’s been a great marketer. But he’s no programmer, which is why I couldn’t care less what he has to say on the subject.

Alex says...

I think there’s a fundamental point being missed here. I’ve watched Matt work for several years and argued against him on numerous points during that time. While I don’t always agree with him or his arguments, like most smart people Matt is willing to be convinced by good arguments on the other side.

The real issue that I see is that for many PHP5 is still lacking a “OMG I have to upgrade right now because I want *that*” feature. That will drive upgrades much more than an pro PHP5 campaigns, etc.

You may not agree with Matt’s opinions on this topic, but I can’t imagine it’s the first time you’ve heard them. Think about that for a little bit. Certainly we can all agree that compelling features make for quicker adoption of upgrades.

Sean says...

@Alex - I think this is where we start getting into a cylindrical stale-mate. Web hosts aren’t looking for “OMG” features. They’re only looking for demand to upgrade.

There’s no demand on web hosts to upgrade when insanely huge, popular applications like WP still work with dusty ol’ PHP 4.3.

Matt isn’t going to push forward, partially because web hosts still support 4.3, so there’s no demand for him to leave PHP4 behind.

And around and around we go. Web hosts and application developers are both staring at each other, waiting for the other one to make the first move.

So what’s the other reason Matt won’t leave PHP4 behind? It’s possibly because he doesn’t think PHP5 has any “OMG” features, and that’s what funkatron’s post is all about.

He’s trying to point out that PHP5 has some serious OMG features that could benefit WP in so many ways. But Matt either doesn’t understand, or doesn’t care.

All the code Matt creates (or code written by others that he manages) is written in PHP4 (that I know of), so I have to wonder if he’s even tried using PHP5 in a serious real world way. You can’t say you don’t like something, or say you don’t see the value of it until you’ve tried it, right?

funkatron says...

@alex: “Certainly we can all agree that compelling features make for quicker adoption of upgrades.”

True, yes, but… let’s look at something matt said in his post:

“What was it that made PHP 4 so successful? What are we doing to emphasize those strengths? Why wasn’t PHP 5 compelling to that same audience? “

I think a lot of what made PHP4 so successful was simply timing, good integration with Apache, and a shallow learning curve.  All of these things are also present in PHP3.  A couple features in PHP4 aided things a bit, like native sessions (although pure PHP solutions existed, which Matt seems to prefer), but I don’t think it’s the case that particular PHP4-only features dramatically increased adoption. PHP4 had a fully rewritten engine, but feature-wise 4 was very much an *evolutionary* change, just like PHP5 and just like PHP6 seems to be. Things that have been present in *all* PHP versions since 3 were, imho, what led to PHP’s dominance.

The difference between the jump from 3 to 4 and 4 to 5 is that PHP has a far, far larger audience to deal with, and a MUCH larger group of applications which may have bc issues (although I think those are fairly minor in most cases).  I suspect that is why adoption of PHP5 is slower, and not because of anything inherent to PHP4 that’s not there in PHP5.

Michal Migurski says...

Use or non-use of OOP is unrelated to the garbled mess inside WP (it makes me shudder, too). If anything, bad OOP is significantly harder to follow than bad functional/procedural code, because it adds a full extra dimension of inheritance to the what-the-heck-is-this-program-doing search space.

The other arguments offered in this post boil down saving users from themselves: if we could just force everyone to move to a language version that limited their actions in some crucial way (enforced prepared statements, input filtering), there would be no security problems. Aside from being unrealistic, you deny the ease of use and approach that made PHP4 and WordPress catch on as strongly as they did. This is Matt’s core point: messiness supports and allows popularity.

Jeff Eaton says...

And around and around we go. Web hosts and application developers are both staring at each other, waiting for the other one to make the first move.

...And that’s precisely the reason a number of OSS projects formed the GoPHP5 group. To collectively take the first step and get the ball rolling with hosting, application, and other upgrades. It’s baffled me that some people talk about that move as a ‘political move,’ or ‘playing power games with users,’ and so on. It’s all about breaking the stalemate that locks apps out of useful new work that the PHP development team is producing.

On a completely unrelated site note, Ed, I was very amused to see your name pop up in my news. I was a big Cult of Jester fan back in the day. ;)

funkatron says...

@michal

Agreed, badly organized code is a challenge to follow, no matter if it’s procedural or no.  I do tend to find OOP easier to grok out of the box, but that may just be me.

I think you mis-characterize my post, though.  I’m pointing out features that PHP5 provides which would, I believe, improve Wordpress.  When I do talk about enforcement of certain coding styles, those are things that would be done on a *project* level. The context is the Wordpress project, not *all* PHP development.

I’d have to see a much more fleshed-out argument that “messiness” supports and allows popularity on a per-project level.  I do think that PHP’s popularity owes a lot, not so much to being messy, but to being *accessible* (maybe we mean the same thing, though).  However, I don’t think the feature set changes between 3 and 4 were any more significant than from 4 and 5, and I don’t believe they contributed significantly to PHP’s rise in popularity.  I’d certainly like to head arguments to the contrary, though.

funkatron says...

@Jeff: rock on!  I’m still doing music, and you can buy the old COJ stuff online and directly from me.

Check out http://cultofjester.com

0x000000 says...

@funkatron

I sure applaud the new features, but I also say it isn’t smart to rely on it solely. I rather would see a very stripped version of PHP, cleaned from all those functions, which all do more or less the same.

I started OO scripting in 2004 and in the end I dropped it because it didn’t save me any time, and it did not made my apps run any better. No one has ever convinced me of the benefits after that because I still think it’s a useless concept.

For what it’s worth;
My scripting mantra is simple, I don’t make it anymore complex than it already is.

jharr says...

If PHP5 were so compelling people would be using it.  If it’s ‘features’ need this much effort to expose/build-up/market then something is really missing, regardless of how valuable it may truly be to developers.  Just because an initiative is open-source vs commercial doesn’t mean it won’t suffer the same pitfalls, marketing woes and customer push-back.

I find humor in the fact that you dismiss Matt as an elitist in your post then go on to support the opinion that PHP4’s popularity and appeal to less sophisticated developers make it a mess and play up the OOP snobbery.  Glass houses and whatnot.

Nate Klaiber says...

@jharr
OOP snobbery? That has to be one of the funniest things I have heard all day long.

funkatron says...

@jharr:"If PHP5 were so compelling people would be using it.”

I think you’re oversimplifying the issue and underestimating the challenge of dealing with an enormous user base in an open-source project.  Indeed, I’m not even trying to argue that everyone *should* be using PHP5—I do, and I enjoy many of its features, but anyone can feel free to continue to use PHP4 if they wish.  I simply was addressing the idea that PHP5 had little to offer Wordpress—I don’t feel that’s true, and made a post about that. You’re inferring things that aren’t there.

“I find humor in the fact that you dismiss Matt as an elitist in your post...”

I did no such thing. If I were to dismiss him, I wouldn’t have addressed his points in detail.  I did, however, point out that he could make his argument without ad-hominem attacks.  Matt’s an intelligent guy, and he doesn’t need to do that.

funkatron says...

@0x000000: OOP is certainly no magic bullet, and the gain (or loss) of productivity will likely vary dramatically from coder to coder, and from project to project.  I do think that OOP has the *potential* to help a lot in larger projects with several developers.

Sean says...

I’m really enjoying this thread, but I hope it doesn’t turn into a OOP vs. Procedure war. That’s been raging on the net for a decade or more, and it’s pointless to start it up here.

If PHP5 were so compelling people would be using it.

Lots of PHP developers would *love* to use PHP5 exclusively. I talk to them all the time. And many that do start using PHP5 never want to go back to PHP4.

But they can’t use PHP5 because it’s still not wildly supported among web hosts. If you want wide adoption of your application, you need to write it for PHP4, because many web hosts still aren’t using PHP5 yet.

The features *are* there, and developers *do want* to use them. I disagree fully with your point, and agree with funkatron by saying you’re oversimplifying the issue.

On a side note, I’d use PHP5 for SimpleXML alone.

Richard Davey says...

I’m with Sean on this one - the problem for the vast majority of developers out there isn’t that they don’t want to move to PHP5, it is that they *cannot* because their host doesn’t support it.

When the PHP developers broke all chance web hosts had of making a painless upgrade from 4 to 5, they broke with it all chance of quick adoption. Sadly I believe ultimately the blame must lay with them and no-one else. It was an internals design decision that caused this mess beyond anything else.

If they do the same from PHP 5 to 6 then quite frankly most of us can kiss our beloved language goodbye within a very short period of time (which, as a full-time professional PHP developer, scares me greatly).

0x000000 says...

@funkatron

Yep, in larger projects with multiple programmers OOP is a blessing. That is quite true. But like above stated, a new OOP vs Procedure war is a bit too much and I won’t join it. ^^

If any, my point was actually that PHP5 doesn’t make it anymore secure persee, it’s not like: I install PHP5 and I’m safe. That is giving developers the wrong example.

Most PHP scripters think they are safe, I guess it’s a good start by changing attitudes of PHP scripters by convincing them it’s okay to upgrade to PHP5, but it doesn’t mean you back sit back and relax now.

Ray says...

Finally, someone else sees that he’s an elitist, narcissistic prick.

funkatron says...

@0x000000 I hope no one gets the impression I think PHP5 is somehow a magic security bullet.  The context of other posts on this blog and my projects would hopefully indicate otherwise.

James Asher says...

Maybe it’s just me, but how is it that webhosts don’t offer php5?  I’ve been with Dreamhost for years now and they’ve had a PHP5 offering since 2005.

Sean says...

@James Asher - I agree. It’s possible that in same circumstances it’s a matter of stability, and in others it’s just laziness.

Richard Davey says...

And we all know how reliable Dreamhost are ;)

Sarcasm aside I don’t believe it’s as simple as that. In order to offer both flavours you have to have one of them running as CGI, or split them out across different servers, both of which are quite messy solutions. If you host a number of high traffic PHP 4 sites and then swap them all to the CGI vrsion just so you can get PHP 5 on there, you are going to notice the hit on your servers.

If you are a decently sized host then you replicate this across thousands of servers, it is no trivial matter.

If PHP 6 will not work with PHP 5 (which I highly suspect) then web hosts are shit-out of luck - at the moment they can at least juggle 4 and 5 via CGI and Module, but which one gets the elbow when 6 comes along?

funkatron says...

@Richard

FWIW, I have generally been happy with Dreamhost, and despite the fact that they’ve had some pretty dramatic issues over the last year, I think that they do a lot comparatively to provide a more secure PHP environment than most large hosts in their cost range.

I do think that the PHP group would be well-advised to consult a lot more with large web hosting teams on issues like the ones you’ve highlighted.

funkatron says...

Although I should say that I don’t use DH as my primary hosting anymore.

Owen says...

It comes as no surprise to me that WordPress isn’t interested in these modern coding techniques, after seeing - in only one of many examples - the revision process to the Widget plugin, which is now just a shadow of its formerly entirely OO self.  It’s simultaneously ironic that they’re convinced that they’re user-centered in design when the contributing developers (core and plugin) that made the product popular are the users they’re alienating by dragging their feet with their dedication to PHP4.  WordPress, for reasons I haven’t been able to understand, has the power to affect positive change, but doesn’t bother.

For anyone interested in a PHP5-based, object-oriented project - to follow through on matt’s brazen yet tired refrain of “if you think you can do better” - please check out Habari where we’ve got a bunch of developers (including many prior WP contributors) working within a truly open-source contribution model where contributor opinion on the technology used actually factors into the decision-making.