Matt Mullenweg, the dude behind Wordpress, has posted something of a rant about PHP5 in the light of the upcoming drop of PHP4 support:
None of the most requested features for WordPress would be any easier (or harder) if they were written for PHP 4 or 5 or Python. They’d just be different. The hard part usually has little to do with the underlying server-side language.
Here’s a hint: don’t give the users what they say they want until you give them what they need. — even if they don’t realize what that is. Here’s some PHP5-only features that could be helping Wordpress users right now:
Parameterized SQL input to eliminate SQL injection attacks (security)
Strictly enforcing the use of parameterized SQL input in Wordpress development would dramatically reduce, and in all likelyhood eliminate, the possibility of SQL injection attacks against Wordpress. Using the PHP5-only PDO extension would allows this even with databases that don’t natively support this feature.
Filter extension to combat XSS, CSRF, etc. attacks (security)
The PHP5-only filter extension adds fast, built-in input filtering functions. Given the history of problems Wordpress has with handling user input properly, enforcing the use of this or another solid input filtering system would surely reduce the amount of input handling errors in the WP codebase.
Turning off remote file inclusion by default (security)
Remote file inclusion vulnerabilities account for approximately 40% of all security issues with PHP-based applications. The
allow_url_includeconfiguration setting, added in PHP 5.2.0, disables remote file inclusion by default.
Prepared statement/transaction support in PDO and MySQLi (performance)
Prepared statements not only provide the benefits of parameterized input mentioned above, but significant performance increases can be had with them. AFAIK, it’s not possible to support these features in MySQL under PHP4.
Improved OOP features and support (code quality, extensibility)
This would aid developers first, which in turn would benefit users, by making (in my opinion and based on anecdotal evidence) a large project like Wordpress easier to maintain. Code reusability is improved, quality is increased, and hackish approaches like global variables become unnecessary.
I’ve hacked the guts of Wordpress and written numerous plugins, and I’m still shocked at what a garbled mess the WP codebase is, and how much easier it is to write extensions for content management systems that embrace OOP. Of course, OOP is very possible in PHP4, but PHP5 adds a number of features that make a significant difference in team development (public/private/protected properties and methods, for example).
(A cynic might suggest that one reason to not clean up the WP architecture is because that would break backwards compatibility with the extensive library of plugins that has a lot to do with Wordpress’ success. There would be some irony in that, no?)
I think this line from Matt’s post might be telling:
Even hosted PHP-powered services who have no shared host compatibility concerns like 30boxes, Digg, Flickr, and WordPress.com, have been slow to move and when they do it will probably be because of speed or security, not features.
The thing is, support of PHP5-only features in WP would give it better speed and security right now. And especially in the case of security, Matt’s reliance on what users say they want is a critical error: users don’t ask about security until well after it becomes a serious issue. Wordpress has one of the worst security records of any PHP application, so I’ll go out on a limb and say that it’s a problem now. Even if WP users aren’t talking about it, WP’s core dev team should have addressed this already.
I’ve said before that web app developers are the stewards of their users’ data. Our users need and expect us to anticipate and address their security. If we don’t do that, and simply base our actions on popular opinion, we’re being irresponsible.
On a basically unrelated note, it really is disappointing to see Matt sink to ad-hominem attacks when making his argument:
In 2007, [the PHP site] still doesn’t have obvious permalinks. They do have a RSS 1.0 feed though, remember those?
Some app makers felt sorry for PHP 5 and decided to create the world’s ugliest advocacy site…
That’s bush league, Matt. Cut the elitism BS and stick to a proper, logically sound argument.