https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/<p>Until a few days ago, I hadn't touched PHP for nearly 10 years. I was surprised to see so many new things. There is no doubt that its ecosystem is still massive and will continue to be so for decades ahead. What I am wondering though, is whether some of the old "ghosts" plaguing the language have been removed or replaced with something better.
Anyone experienced enough to comment on that?
I’ve been developing in PHP and exploiting apps written in PHP for over ten years.<p>A lot of the insecure by default functionality and footgun functions have been deprecated or removed in the latest versions.<p>Most of the modern frameworks e.g Laravel et al also have abstractions that protect you around a lot of the functionality where long hanging vulnerabilities used to lie. It’s rarer to find things like XSS, SQL inj, file inclusion vulns.<p>Type comparison will still do crazy things if you aren’t strict, but they have introduced typed properties in php 7.4.<p>A double edged sword is that a lot of modern development relies on package managers like composer, which means you can be exposed to security issues through the sheer number of dependencies pulled in to some of these frameworks.
Many things have been deprecated formally. If not formally, they've been phased out culturally - as in I haven't seen a lot of this syntax complaints in 10 years.
The main issue with PHP is not PHP. But an army of bad coders pretending to be engineers.<p>You can’t solve this problem by improving the infra.<p>This is the reason why php is a dead end in the long run.