No, PHP Is Not Dead!
Last June, the PHP language celebrated its 20th anniversary. Entering into adulthood and very widely popular, PHP has a bad reputation. It is regularly accused of being too permissive, too slow or even being supported by a community which is not professional enough. The consequence is that PHP is often dismissed when planning large scale web projects. The complaints issued against PHP are often merited. But the changes made to this language since 2009, with the arrival of 5.3, should lead us to revise our judgement. This language has strongly contributed to the expansion of dynamic web sites and with the launch of version 7.0, scheduled for mid-November, is more than ever in the race.
PHP, a language too permissive?
In computer language, two choices exist: static type or dynamic type. Static languages dictate that developers define the format of the data that will be stored in variables (in memory). Dynamic type languages have the task of finding, on their own, the best format for storing data. This is the simplest method for the developer, but frequently memory usage is not optimal. For example, in the case where you need to manage a lot of data, you naturally chose a format that doesn’t consume a lot of resources. High level languages, including PHP, do not always make the best choice. Those who are unaware of how PHP operates can easily develop a program that monopolizes most of a server’s resources and come to the conclusion that PHP is too permissive. But this is not the case!
In fact, dynamic type languages require a certain rigor in writing code. It is also theoretically possible to mix the two different data formats, but the results are not necessarily as expected! Try adding a word from the dictionary with a number. How? You never did that? Yet, this is one of the most common causes of bugs in PHP. Despite this, the dynamic type is still of great interest. On the web, the major part of data is exchanged in text format (via the HTTP protocol). In certain cases, it’s not text data but other digital values which are expected. We’re going on 20 years of the web making it possible for us to exchange images and videos! The use of a dynamic type allows developers to simplify their code and to easily pass text as a digital value. The side effect increases the risk of bugs and maintenance problems for the developed applications ...
Fortunately, the community supporting PHP and web developers have changed a lot in the past ten years. Bad practices have been identified, documented and most importantly, many tools to eradicate them have been democratized. One of the best examples is OWASP which, each year, lists the most common security problems on the Internet. In this context, is it still possible to qualify PHP as a permissive language? A good knowledge of the dynamic type makes it easy to avoid traps. Developers don't have to be as permissive as the language that they use!
Praised by beginners and unfairly shunned by professionals
The popularity of PHP can be explained quite simply. The flexibility of the language makes it accessible to beginners and as a result, many have learned to develop with PHP. In computer science, first projects are often like a first kiss, a bit awkward. A few years later, there may be certain projects that a developer looks back on with a little shame! Many PHP applications, coded by inexperienced developers are catalogs of bad practices, sometimes with serious consequences in terms of security and performance (security problems with customer data, massive handling of data without optimization…). It’s easy to make PHP the scapegoat.
Furthermore, in the early 2000’s, with the democratization of the Internet, the communities of competing languages of PHP began to organize themselves. This was the time that platforms were created to share libraries (pieces of reusable code), contributing to the improvement of the quality of projects developed in Java for example. The PHP community has been slow to come together, compelling each development team to more or less create their own libraries. At work, PHP has built an image as a language for beginners, unsuitable for serious projects.
Yet we find PHP in large scale projects, like Facebook or Wikipedia, which claim millions of connections per day… and their teams are surely not beginner as mentioned above. Why? In 2009, the PHP community woke up and the language changed profoundly. Version 5.3, under the guise of a minor release, was the source of many changes, starting with the appearance of a crucial feature, the namespace mechanism. Namespaces greatly simplified the separation of code between different libraries, reducing side effects. This allowed the writing of libraries, which the PHP community encouraged with the creation of the Composer platform for sharing. The number of available libraries on Composer has seen a rapid explosion, allowing developers to concentrate on the more technical aspects of their businesses.
The Guzzle library is a perfect example: before its arrival on Composer, HTTP requests often relied on Curl. With this new language extension, it is simple to make HTTP requests, but numerous technical constraints weren’t necessarily considered (definition of timeout, data size limit, streaming usage…). The downloading of big files often led to exceeding memory limits. Guzzle arrived, bringing with it all the necessary logic to optimize Curl, making HTTP request simpler. This resulted in the adoption of best practices and the overall decrease in the memory footprint of PHP scripts making HTTP requests.
At the same time that PHP 5.3 launched, came the arrival of large development frameworks, like Symfony2, Zend Framework2 or even more recently Laravel which helped industrialize developments in PHP. These new frameworks have brought about rapid technical developments and have contributed to the dissemination of best practices by simplifying the implementation of caches, increasing security levels and accelerating code implementation. In short, for five years now, the tools, have been in place, to use PHP as a "professional language". PHP 5.3 has also marked the acceleration of language releases, with releases nearly on a yearly basis. Today, PHP 5.6 is available with only versions 5.5 and 5.6 still being supported by the community.
PHP, it’s a slow language? It's all about interpretation…
Earlier I mentioned Facebook, as a project that uses PHP on a large scale.
Let’s be honest, Facebook does not use PHP like you and me. The company looked for ways to accelerate PHP code operation. After attempting, in 2010, to compile PHP using HipHop, a PHP transpiler, Mark Zuckerberg’s developers created a new platform for PHP execution, in 2013, called HHVM, resulting in a more restrictive language than PHP, named Hack. Should we deduce that PHP suffers from problems of chronic slowness?
PHP is an interpreted language. For this reason, it’s slower than compiled languages, that’s to say it’s transformed into autonomous executables (in the native language of the machine), like that of C or C++. Languages that are interpreted are “compiled” at run time, there by requiring additional time for computation. Some languages, such as Java or Python are sometimes “precompiled” into a language closer to machine language (bytecode), but execution still requires a second (and very fast) for interpretation. Some languages (PyPI, Java8, Lau…) are now able to directly compile into native machine language during execution, allowing applications to start very rapidly. This process is known as JIT (Just-In-Time compilation).
To get back to the supposed slowness of PHP, it is clear that it is not the only web interpreted language to be accused of this! However, PHP is unique because it is not persistent. When a web user connects to a PHP site, the PHP runtime environment is reset and then the code is recompiled. In contrast, languages like Java are compiled only when an application starts up which often coincides with the startup of the server. This design choice is proving to be an asset for the scalability of applications coded in PHP; each request benefits from having a new and secure environment to run on. For example, if there are memory leaks when using an application, they will not impact other users’ requests. In addition, there is a heightened security level as each request is isolated and above all, this provides more stability to applications. System administrators are saved from having to periodically restart the PHP server, contrary to what they are forced to do with Tomcat (Java server), which monopolizes all of the RAM after a certain period of activity (of course this only happens when applications are coded incorrectly).
So, yes it’s true that PHP is not persistent and could cause delays, compared to other languages. But, since 2012 and the launch of PHP 5.4, this is no longer the case. This version of PHP included, by default, a caching mechanism, OPcache**, allowing the retention of the compilation from the first use. Strictly speaking, some say that this not a novelty, since modules like eAccelerator, APC or Xcache have always been heavily relied upon to respond to issues concerning the “slowness” of PHP. Nevertheless, this caching mechanism has been built into the core of PHP and execution speed is, in general, quite comparable to that of other languages but with the additional advantage of scalability. For this reason, we recommend that users upgrade to a more recent version of PHP and enable the PHP-FPM engine to benefit from the improvements in performance!
Why is the reputation of being a slow language stuck to PHP? Although PHP is slightly less efficient than JIT languages, this is not the main reason for PHP being considered as a slow language. As stated earlier, due to the language being popular with beginners, the bigger reason for PHP’s lack of speed is due to developers. As PHP attracts a lot of beginning developer, the average skill of these developers is lower than the average skill of developers of other languages. Indeed, many PHP site are slow, not because of PHP code but because of the relationship between the application and its environment. For the most part, PHP sites use a database hosted on another server and do not optimize their SQL requests. Other contributing factors include network latency and latency writing to the disk. And this is without taking optimization flaws into account… There are countless sites that "hang" because of queries to databases without indexes! A common example: WordPress extensions coded in PHP. Many extensions are making requests to other servers or going to search data bases, for each user request. And this slows down websites, but not because of the performance of PHP! Incidentally, if you wish understand why your application is not performing optimally, I suggest that you check out the "Beyond PHP - it's not (just) about the code" conference, presented at the FOSDEM 2015 event.
In a couple of weeks PHP 7 will be released and prior to its release, we’ll offer this latest version of PHP for beta testing on our OVH.com web hosting. This seems like the appropriate time to dismantle some of the ideas about PHP, because the language is not dead! It even has serious advantages over the issues to which we are all, more or less, faced with today: scalability of applications and their infrastructures. PHP 7 will be covered in greater detail in an upcoming article. Until then, I hope that you will reconsider PHP with fresh look and without prejudice.
* SQL injections have long been one of the most significant problems concerning PHP applications: www.owasp.org/index.php/SQL_Injection
**If you wish to learn more about the technical aspects of OPcache, refer to the presentation by Julien Pauli, release manager of the last two versions of PHP. Watch the video Watch Slides