PHP in 2022: No, It's Not Dead

PHP isn't going anywhere and will not for years to come. Just because you don't like it doesn't mean it's dying/dead.

If you've gone into the web development scene, you decide what language and/or framework you want to use. A roaring vocal group in the community tells you that PHP is "dead" and that you should avoid it at all costs. It's insecure, slow, messy, unscalable, and painful overall. If you ask a forum or other assorted places for help learning PHP, you'll often be given the runaround of "just use another language, PHP is dying/dead." What if I told you that PHP is not a dead language? As a matter of fact, it is growing more than it ever has.

PHP has been my primary choice for backend applications since starting my web development journey over 7 years ago. It's an extremely easy language to work with and is non-judgmental. I was curious about how to create a social-style site with a forum and assets/character customization at the time, and I looked at a few projects which used PHP. Now granted, at this time, I was a total noob to web dev and didn't know a single line, so it's pretty obvious I had no idea what the hell I was doing. So I decided to get the basics down, which was connecting to a MySQL database and showing some text. And it worked.

Some Background

PHP is widely seen as the old dog of the web development scene, first conceived in 1994 by Rasmus Lerdorf as "Personal Home Page," but now it's called "PHP: Hypertext Preprocessor" (still a pretty garbage name) to sound more friendly, I guess.

PHP was designed to be extremely flexible and easy since Rasmus was looking for something easier to manage his home page (hence the name Personal Home Page). It was never intended to be a fully-fledged programming language but went on to be the dominating force of the internet for years to come after the release of PHP 3. The syntax of PHP mainly resembles Perl but has remnants of C.

$text = "PHP is alive!";
echo "Hello World! " . $text;

Output: Hello World! PHP is alive!

Now don't get me wrong, the simplicity of PHP may not have led to the most beautiful-looking code in the world; it was certainly not winning any awards. But it worked.

PHP's interpreter, Zend, was highly portable and versatile, which led to easy deployment on many servers regardless of architecture or operating system. This jack-of-all-trades style is why PHP is so popular. You can develop anywhere and run anywhere with little to no learning or server knowledge required.

The Statistics

Thanks WordPress.

At first glance, you may see that PHP is used by nearly 80% of the web, according to W3Techs. That means PHP isn't dead! Well.... not so fast. While it's true PHP isn't dead, these stats are pretty inflated, thanks to a specific content management system that deserves all the credit for these numbers:

WordPress. This powerhouse (and the Achilles heel of many PHP developers) of a CMS is used EVERYWHERE. With all of the plugins developers have made, you can make a fully-fledged website with barely any code. To this day, there are over 455 million websites powered by WordPress. That's over 60% of the market share for CMS systems and 30% of the global known web. Personally, I never had any interest in WordPress. Still, I've spoken with many people who use it rather extensively and do have to log into it occasionally at work.

There's also another CMS, Drupal. Drupal is used by approximately 1 million websites. Functionality-wise it is similar to WordPress and offers quite a bit, but I won't sit here all day talking about CMSs. I just wanted to get out of the way that PHP is not alive just because of WordPress and Drupal.

These numbers would be lower without WordPress, but PHP would still be in the top popular languages.

The following is more of a realistic measurement from the TIOBE Index:

PHP sits at around #8, with Python taking the top spot. However, you'll quickly notice that some of the languages above it are not web-oriented. Let's eliminate C and Visual Basic. PHP would become #6 (#5 if you eliminate C++ too, but the Drogon framework exists) with a close edge on JavaScript. So really, PHP is not all that less popular than other languages.

There are also big companies that use PHP or a derivative of it. Facebook/Meta is the biggest name that comes to mind, but many others use it, such as Twitch, Disney, The New York Times, Wikipedia, Slack, MailChimp, Tumblr, Etsy, Spotify, and the list goes on and on. PHP is widely used in the enterprise, even when people say that PHP doesn't scale (I will touch on this later.)

"Issues" with PHP

I'm not saying that PHP is a perfect language because it is nowhere near perfect. Some glaring issues need to be highlighted. I'll go through every one of them and discuss the impact and what can be done.


The big one is security. You will never hear the end of how PHP is this widely insecure language, and if you make an application in it, you're asking to get hacked. Yes, PHP does not provide much security out of the box, but neither do the alternatives really. I will keep frameworks out of the scope since frameworks such as Laravel and Symfony do a good job with security (but it's not foolproof.)

SQL injection is the most common form of attack against PHP applications. Let's take the following code, for example, which will get a user by ID and print if the user is active or not.

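$conn = new PDO("sqlite:/tmp/test.db");

$id = $_GET['id'];

// Vulnerable on purpose: $id is concatenated into the SQL string unescaped
$stmt = $conn->query("SELECT * FROM `users` WHERE `id`='".$id."'");
$user = $stmt->fetch(PDO::FETCH_OBJ);

if($user->active == 0){
	echo "<b>This user is inactive.</b>";
}else{
	echo "<b>This user is active.</b>";
}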


See the problem here? The $id parameter goes into the query completely unfiltered and unescaped. This lets an attacker run SQL commands in our database and exfiltrate data. No bueno.

The good news is that this is extremely easy to fix! You just have to spend two extra lines to make it so.

$conn = new PDO("sqlite:/tmp/test.db");
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$id = $_GET['id'];

// :id is a placeholder; the value is bound separately from the SQL text
$stmt = $conn->prepare("SELECT * FROM `users` WHERE `id`=:id");
$stmt->execute(['id' => $id]);
$user = $stmt->fetch(PDO::FETCH_OBJ);

if($user->active == 0){
	echo "<b>This user is inactive.</b>";
}else{
	echo "<b>This user is active.</b>";
}


Done! We disabled emulated prepared statements (so real prepared statements are sent to the database, which is very important) and changed our query to a prepared statement via PDO. The value of id is now bound as data and is never parsed as SQL, so an attacker can no longer inject malicious SQL through it. And the sad part is that many applications omit this, and their developers don't know these vulnerabilities exist.
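The two listings above, run side by side against a throwaway in-memory SQLite table, as an added example that is not part of the original post. The table contents, the function names findConcatenated and findPrepared, and the two sample inputs are constructed for the illustration.

```php
<?php
// Added example: constructed in-memory table, not the article's database.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active INTEGER)");
$conn->exec("INSERT INTO users (name, active) VALUES ('alice', 1), ('bob', 0), ('carol', 1)");

// Concatenated query, as in the first listing: the input becomes part of the SQL text.
function findConcatenated(PDO $conn, string $id): array
{
    $sql = "SELECT * FROM users WHERE id='" . $id . "'";
    return $conn->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement, as in the second listing: the input is bound as a value.
function findPrepared(PDO $conn, string $id): array
{
    $stmt = $conn->prepare("SELECT * FROM users WHERE id = :id");
    $stmt->execute(['id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, and a string that contains a quote.
$inputs = ['2', "2' OR '1'='1"];

foreach ($inputs as $input) {
    printf(
        "%-18s concatenated=%d row(s)  prepared=%d row(s)\n",
        $input,
        count(findConcatenated($conn, $input)),
        count(findPrepared($conn, $input))
    );
}
```

For the quoted input, the concatenated query returns every row in the table, while the prepared statement compares the whole string against id and returns nothing.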

Another one is stored XSS/HTML attacks. If you haven't seen it already, parameters such as $_GET and $_POST do not filter data. Therefore, it is possible to pass any data you want, such as SQL and HTML/JavaScript.


$body = $_POST['content'];

echo "New comment: " . $body;


This code would echo whatever is given to the content parameter. As said above, this is unfiltered, so I could inject anything of my choosing. However, there's a one-line fix!


$body = htmlspecialchars($_POST['content']);

echo "New comment: " . $body;


Done, no more XSS or HTML injection. We've converted special characters to HTML entities, so the browser displays them as text instead of rendering them as markup. There is also another function called strip_tags that will just remove PHP and HTML tags from a string, giving it the same effect. Either one will work.
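How the two functions behave on the same input, as an added example that is not part of the original post. It goes beyond the echo above by also placing the value inside a quoted attribute, where htmlspecialchars and strip_tags stop being interchangeable; the helper names escapeHtml and renderComment and the sample strings are made up for the illustration.

```php
<?php
// Added example, not the article's code. Sample strings are constructed.

function escapeHtml(string $value): string
{
    // Explicit flags: before PHP 8.1 the default did not encode single quotes.
    // The charset must match the one the page is served with.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders the same filtered value in two HTML contexts.
function renderComment(string $body, callable $filter): string
{
    $safe = $filter($body);
    return "<p>New comment: " . $safe . "</p>\n"                  // between tags
         . "<input name=\"content\" value=\"" . $safe . "\">\n";  // quoted attribute
}

$samples = [
    '<b>bold</b> & plain',     // markup in the comment body
    'x" data-injected="1',     // no tags, only a double quote
];

foreach ($samples as $sample) {
    echo "htmlspecialchars:\n", renderComment($sample, 'escapeHtml');
    echo "strip_tags:\n", renderComment($sample, 'strip_tags'), "\n";
}
```

With strip_tags the second sample closes the value attribute and adds an attribute of its own, because strip_tags only removes tags and never encodes quotes. Escaping for the context the value lands in is the control to rely on.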

Last is remote code execution via "webshells" uploaded to the server. This is also another very common vector of attack, and unless you know about it beforehand, you may be caught off guard. This has a vast effect on shared hosting providers that execute PHP in any web directory by design or misconfigured web servers with folders that only have static content.

Shared hosting providers try to mitigate it by having "virus protection," or whatever they call it, generic BS that'll only catch it once it's too late. What happens here is an attacker abuses an upload form on your website, which is only meant for static content such as images/videos, and uploads a PHP file. Any file with the extension .php will be executed on the server; it gets passed through the PHP interpreter. "Webshells" are scripts that are the PHP equivalent of RATs (remote access trojans): they give an attacker complete control of the webserver's filesystem and, in some cases, let them execute shell commands.

Example of a webshell (C99)

The simple fix here would be one of the following things:

  • Have an extension allowlist which prevents PHP files from being uploaded
  • Disable PHP execution in directories where you don't need it
  • Disable certain PHP functions (shell_exec, etc.)
  • Transfer the content to a static storage bucket such as S3

The lower 3 are highly recommended, as they give an attacker little to no chance to execute anything on your server. As for disabling PHP execution, you need to configure Apache/Nginx to do this, so I recommend that instead of going for shared hosting providers, you get a cheap (or free from AWS or Oracle Cloud's Free Tier) VPS and configure the webserver yourself. It's not that hard, and you get much more control over your application.
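The first bullet, the extension allowlist, sketched as an added example (not the article's code) together with a content check and a server-generated file name. The ALLOWED map, the function name safeUploadName, the sample files and the 'media' field are assumptions; it needs PHP's fileinfo extension.

```php
<?php
// Added example, not the article's code. The allowlist below is an assumption.
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Returns a server-generated file name, or null if the upload is rejected.
function safeUploadName(string $clientName, string $tmpPath): ?string
{
    // 1. Allowlist on the final extension of the client-supplied name.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // 2. MIME type sniffed from the bytes; $_FILES[...]['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // 3. Random name plus the vetted extension: the client name never reaches disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample files standing in for $_FILES[...]['tmp_name'].
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hello';\n");

$cases = [
    ['photo.gif', $gif],       // image content with an image extension
    ['script.php', $gif],      // extension not on the allowlist
    ['avatar.gif', $php],      // PHP source renamed to .gif
    ['photo.PHP.GIF', $gif],   // only the final extension is kept
];
foreach ($cases as [$name, $path]) {
    $stored = safeUploadName($name, $path);
    echo str_pad($name, 14), $stored === null ? 'rejected' : "stored as $stored", "\n";
}
unlink($gif);
unlink($php);

// In a real handler: check $_FILES['media']['error'] === UPLOAD_ERR_OK, then
// move_uploaded_file($tmp, $uploadDir . '/' . $stored) into a directory where
// the web server does not execute PHP ('media' and $uploadDir are assumptions).
```

A file can pass both checks and still carry PHP inside valid image data, which is why the upload directory should also have PHP execution disabled or live in a static storage bucket.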

There are also some other things, but this covers the top stuff for the most part. Most fixes also involve one-liners or simple server config changes.


Another common one is "PHP doesn't scale" or "PHP is slow," but it has very little evidence to back it up. In my own experience, there have been some issues scaling an app I built at work, but it's more to do with the code than the language/infrastructure. Scalability and performance are determined based on the code you write and have little to do with the interpreter. If you write shitty unoptimized code, it's going to be slow.

PHP, when paired with something like Swoole/OpenSwoole can achieve over 259,000 requests per second and even 90,000 without it when using PHP-FPM.

PHP-FPM is the most popular tool for high-performance PHP applications and is highly configurable with custom pools/configuration/etc. to manage applications at scale. When configured right, your app will fly.

There's also the fact that this is not the days of PHP 5. The language has vastly improved since then with version 7. It has introduced many things such as the OPcache (RAM caching) and, since PHP 8, just-in-time compilation. Pair all of this up and you can have a very robust and performant website. There are also custom servers, such as OpenSwoole and RoadRunner, which offer concurrency and/or other functionality, even serving as alternatives to the Nginx+PHP-FPM setup.

However, my biggest complaint with PHP is that it is not multi-threaded. It is a single process with PHP process management. Yes, when you use Swoole/OpenSwoole, this goes away thanks to concurrency, but I will leave that out. It could genuinely be a game-changer if this was natively supported in the engine/language.

Also, if it wasn't scalable, we wouldn't see all these big names still using it. Think about that for a second.

Syntax/No Standard

Another criticism about PHP is that it lacks a "standard" for writing it, but honestly, I think it's one of the language's greatest strengths. Yes, the code can look terrible to others if not neatly organized, but it strongly emphasizes that you code on your own terms. If you think readability is important, you can write PHP in the object-oriented format. If it's not important, and you want something that works, you're free to write it disgustingly and not feel bad about it.

Another thing is the syntax. This is one where I can see both sides of the coin, and I agree that some things don't make much sense if you're coming from a more structured language. The language not having a set standard makes it inconsistent, but it is not hard to learn if you don't overthink it. As long as you know what $ does, you should be okay.

This is one of the criticisms I never fully understood as a PHP dev for many years, but I do get where people are coming from if they came from a language like C# or JavaScript. It's very different, but PHP lets you code in your object-oriented style just like any other language once it's understood, and actually, this has been the de-facto way to do it since 2012.

So, write how you want to write. Just know shitty code may have consequences on performance, but it should be fine if it gets the job done at that time. Then, post that shitty code on r/ProgrammerHumor a few years later since you left it in production because "it works." Tut tut.


Laravel supremacy! | Github Stars

PHP is also home to my absolute favorite web framework, Laravel. This takes PHP's rough-around-the-edges style and makes it a joy to use with its simple, elegant syntax and cleanliness. As of the writing of this post, Laravel is the most popular web backend framework (by GitHub stars) and has about 186 million installs total, with 190,000+ installs a day.

PHP sure is dead.

With Laravel, everything you need to build a modern application is ready for you. Need to build an authentication system? Just install Laravel Breeze or Jetstream, run a few commands, and it does the rest. Everything from writing controllers, database migrations, configuration, providers, and routes takes no time and is a joy to write with readability and simplicity.

    public function registerUser(Request $request){

        $validator = Validator::make($request->all(), [
            'email' => 'required|string|email|max:255|unique:users',
            'password' => 'required|string|min:12|confirmed',
        ]);

        if ($validator->fails()) {
            // Flash the old input back to the form, but never the password fields
            return redirect()->back()->withErrors($validator)
                ->withInput($request->except('password', 'password_confirmation'));
        }

        $user = User::create([
            'email' => $request->email,
            'password' => Hash::make($request->password)
        ]);

        Mail::to($user->email)->send(new WelcomeEmail($user));

        return redirect()->route('welcome::verify');
    }


For example, the above is a basic request to register a user. First, we call Validator to make sure everything is right, then just call our User model to create a new one, Hash function to generate a password hash, use Mailable to send a welcome email, and redirect to a verify screen we set up in our routes. The kicker is this is just at a basic level, and it can be even simpler than this; it's all up to you.

For more on all things Laravel, this resource will tell you the "why" behind it and give concise instructions on getting started.

But Laravel is not the only player out there. There's also Symfony, which is a very popular PHP framework. It's not nearly as "built-in" as Laravel but offers similar functionalities in an object-oriented structure. I recommend looking at both to see what fits your needs in a PHP application.


So, in conclusion, sorry, haters, you are wrong. PHP is not a dead language. Does it have problems? Hell yeah, a majority of other languages do as well. However, PHP is still widely used in the industry, and it still puts food on the table for a lot of web developers, myself included. The one thing people need to understand is figuring out what's best for the job.

In some cases, PHP may not make much sense, but in others (which is a lot), PHP or Laravel/Symfony is perfect for the task at hand. As for what I use personally, I am primarily a Laravel developer but have also fallen in love with Go Fiber as a framework for building high-performance web apps and taking advantage of Go's native concurrency deployed at a production-scale serving many intensive requests. PHP's lack of such features didn't make it adequate, so I didn't use it. I don't call Ruby dead because I don't get its even simpler syntax; Rails is still a very popular web framework. People are still looking for COBOL developers because big corporations refuse to modernize mainframes.

Instead of dismissing PHP as bad because it didn't do what I wanted it to do, I acknowledged that it was not right for the task and used something more appropriate, and it worked well. I also found myself in places where vice versa was true. Didn't need to waste time building a low traffic app in Go when all I have to do is install Laravel, a few packages, and get going quickly with a few commands that create all the things I need. The flexibility of PHP also lets me write on my own terms, even if it's not to standards, and it does the task you assign it. That is something I cherish, and why even though I work with alternatives, I always come back to PHP when it's appropriate and use it primarily at my job for our Laravel application. PHP continues to grow and thrive, and it will forever do so thanks to the community and businesses continuing to improve the language, such as the PHP Foundation.

Long live PHP!