PHP, a three letter acronym to describe a large, old language. It is unknown to many on the internet, and what it does even a greater mystery. This blog will attempt to shed some light by exploring PHP’s basic concepts, history, security, and its surrounding viewpoints.
What is it, and how does it work?
A quick note – the file extension for a PHP file does not have to be .php . It can be .phtml, or any other extension that is set in the configuration of the web server. Additionally, the ugly .php file extension (or whatever file extension you use) does not need to be shown. Proper server configuration can see it vanish entirely. Well configured pages can show example.com/login instead of example.com/login.php?gibberishcodehere if they wish. Granted, some websites don’t mask content in the title bar, such as the Google Accounts login service. This can make for a messy title bar.
PHP is not universal. While a majority of popular web servers support it , it is not supported by everyone. It enjoys fairly widespread support, but it faces competition from other sources, such as Microsoft’s open-source ASP.NET framework. ASP.NET is a potent competitor. W3schools.com, for example, makes heavy use of ASP in its pages over PHP.
This server side scripting language was originally designed by a developer called RasmusLerdorf in 1994 to track visits to his online resume . PHP has had many names, and it is in its beginnings that it has had the most names. It was originally called “Personal Home Page Tools”, aka “PHP Tools” when opened for public use. PHP steadily became popular, driving Ramses to revise the original code to include database interaction as well as more capabilities for users to create true applications (such as guestbooks). In 1995, the source code was released to be used by developers as they wished. This allowed for the community to detect and fix bugs that arose as it grew. At the time, it was not quite a full language. It was designed for Unix systems, not Windows.
Late that year, Ramses revised PHP again and renamed it to “FI” (Forms Interpreter), named such due to the fancy new features it contained. Some of them, including the variable syntax and embedded HTML functions, are still used today. The variables were “Perl-like”  and quite dynamic for their time. However, there was one interesting quirk about this revision of PHP. To embed it, the code had to be placed in HTML comments. Naturally, that wasn’t the most popular decision.
Despite the strange placement of code, PHP (or FI, at the time) continued to grow and become more widespread. Ramses rebuilt the code from ground up to allow easy access for C and Perl developers. He brought the PHP name back, with PHP now meaning “Personal Home Page Construction Kit”. It was the first truly powerful release, and one that could expand beyond being hosted on Unix. Its proverbial eyes were set on Windows NT. Finally, it was powerful enough and relevant enough to give it a shot. While it grew by leaps and bounds, it wasn’t a full language just yet.
PHP achieved its dream in 1996 and became a true language under the name PHP/FI – PHP 2.0. It included advanced features such as built in support for popular databases, cookies, and user-defined functions. Again, tools in widespread use today. However, its era was short lived. While popularity rose after its release, it was swiftly rebuilt and replaced after leaving beta status in 1997. By then, it was present on thousands of domains.
In late 1997, PHP was still primarily the work of a single developer. Two developers, Andi Gutmans and ZeevSuraski, required more features to complete an eCommerce application. They began to rewrite the processor and create something new entirely alongside Rasmus. The 3.0 version that rose not long after PHP 2 left beta. The language was renamed to its modern name, PHP: Hypertext Preprocessor. The primary appeal of this version was its flexibility – it allowed extensions that went far beyond its base code. It also included object-oriented programming support and a more organized language structure. It became 2.0’s official successor in 1998.
By the development of PHP 4, PHP had expanded beyond 70,000  domains and was widespread on windows servers. It was very powerful and widely used. However, PHP 3 lasted only until mid 1999. Gutmans and Suraski rewrite the base code again, this time to improve PHP’s competence with complex programs. 3.0 was powerful, but not powerful enough to approach projects at a massive scale. 4.0 was released as complete by 2000 and, along with many new features, included far superior performance.
Years went by; PHP seemed to come to the peak of its development. PHP 5 was released in 2004 to include slightly revised and brand new features. This was then updated for a long time until PHP 7 came out recently. Overall, the development of PHP did not include massive rewrites of the base code again. The development team is now dozens of developers larger than the three-man team it had in the past.
This language that is arguably easy to use, but becomes a new beast when looking at security. Namely, there are ways for users to place actual code statements into forms, followed by having those statements pull out data that shouldn’t have been accessed. This is caused by poor validation and unrestricted access to table data. The motives for doing this are vast, and the means are fairly common as well.
One of the greatest issues is unvalidated input from users . Sitepoint suggests that a PHP developer treat every single user that accesses the web form as a potential threat. The key idea: never trust user input, even the ones who aren’t actively trying to hack the system. Some users simply attempt to put gibberish into forms and submit them for fun.
One common issue, sometimes lying slightly outside of regular PHP yet critical for PHP developers, is access flaws. A compromised session ID has been noted above. An access flaw is when a user is able to enter directories or pages that they’ve no right to. A policy for proper access must be maintained at all times. Important information should never be set in a directory that is visible on the web. Part of this does lie directly on the PHP developer. Some forms allow a user to enter a page and then go to it. The syntax ../ means to go up one directory. Using poor PHP code, a person could potentially use ../ to navigate outside the web directory. That could move into, say, the host operating system files.
One effective counter to this is using an unpredictable directory structure. For example, hostpc/twwir/wbthing/host/sitecontents/ instead of hostpc/host/sitecontents/. Then again, the most effective counter is to have the right policies in place so that this does not happen at all.
While it may seem paranoid, a PHP developer should always anticipate users to attempt to break the system. PHP is powerful and very secure in the right hands. It is useless when it lets an angered former employee delete System32.
What’s Wrong with PHP
A strange title, perhaps, but this is something that should be noted as this blog draws to a close. Reasons cited to actually hate PHP include rampant vulnerabilities, terrible syntax, insecure code policies, and poor documentation. Others are inconsistent coding, and the frequency of terrible PHP coders [7,8,9]. One source states “php references will damage your brain” …
To be fair – yes, PHP is a quirky language. There are redundant pieces (Two built in functions, “exit” and “die”, do virtually the same thing). There are parts here and there that don’t work logically. PHP and prior revisions are built on compressing many functions into a single location and making them work. Some of the aforementioned “problems with PHP” such as terrible coders can be fixed simply by learning PHP properly. Yes, it is very easy to make insecure code. A coder must learn to know and check off every point that can go wrong. Otherwise, something will inevitably go wrong. It is simple enough to code insecurely. It’s quite another matter to make it (almost) completely secure.
You’ve read a lot about PHP, and this page didn’t even cover specific coding examples in detail at all. There is much to know about PHP; in order to use it properly, it must be extremely well known. One could argue it is one of the simpler languages to pick up. That is true, the core syntax is fairly simple to get. However, PHP is more than just coding the application, as noted above – it’s also about coding as securely as possible. Nonetheless, if this post hasn’t “damaged your brain” by now, there may still be hope for it.
1] http://php.net/manual/en/intro-whatis.phphttps://www.w3schools.com/php/ http://www.nusphere.com/php/php_history.htm http://www.dummies.com/programming/php/how-php-works/ http://php.net/manual/en/history.php.php https://www.sitepoint.com/php-security-blunders/ https://www.quora.com/Why-is-PHP-hated-by-so-many-developers http://phpsadness.com/ https://adambard.com/blog/you-write-php-because-you-dont-know-better/
- Adopt best practices in Animation
- Educate our clients in basic web design 101 and the process.
- Securing websites, and effectively creating the correct robots
- We also configure email and spam filters and help reduce and even stop spam!
- Our expertise in SEO is not just kept to us, we also have resources and SEO tutorials for our clients.
Contact us for a quick quote, you'd be glad you do and understand why we believe we have mastered the science of web design. Interested in reading more? Refer below: