This seems to be built on an open-souce PHP->CLR compiler called Peachpie[1]. Interesting project. I don't have any PHP codebase that I still maintain but looking forward to trying it with some scripts I've written back in the days. I wonder if it would be faster than PHP 7 - which is already very fast (ok, just found these: http://www.peachpie.io/benchmarks ).
Just noticed a similar comment below - the openssl library which PHP is strugling with with every update. Peachpie uses the one in OS through the .NET being updated e.g. by Windows Update. So maybe "most secure" is too strong, but it is definitely more secure.
Never had any problems with PHP and openssl. Did I miss something or is this specific to the windows platform? (It's been a while since I updated PHP on a Windows system the last time).
>I also admire the platform but most secure? Comes off a bit too strong.
There aren't a lot of .NET exploits for a variety of reasons. Its pretty much the Java of the MS world so a lot of issues more liberal languages have, it doesn't, especially in regards to buffer overflows. Its attack surface is also pretty low as it only really inter-operates, by default, with a limited number of MS applications and is frequently the most common setup, while PHP supports anything and everything. Http.sys also seems like a more secure product than openssl.
That said, its also the minority platform so it benefits from a lack of effort to target it. I also worry that the closed nature of the platform could lead to someone(s) building up an army of zero days while the more open stuff gets discovered and disclosed faster. I'm not sure how realistic that fear is.
At my job we're always scrambling with our FOSS architecture in regards to emergency patching. The MS stuff is more or less 'do monthly patches and forget.'
"an attacker would have to send a specially crafted HTTP request to the affected system"
"Disable IIS kernel caching"
That's definitely not client-side at all. IIS is the thing that uses http.sys, and classic ASP.NET apps (not the new Core stuff) are usually deployed with IIS.
The number of config permutations in openssl is staggering, and that has to have an effect on the overall test coverage - which probably affects the number of bug that pass through testing.
I've been following the peachpie project for a while. The effort they put in is very impressive.
They choose to heavily modify the C#/VB compiler (Roslyn) to handle php syntax. Microsoft should be investing time into helping them succeed, it would be great to see the Roslyn compiler platform become more broadly used.
It's so smart to do that, Roslyn provides a good design, keeping a rich syntax tree that can help for language tooling (auto-completion), so Language Server for VSCode is for free and all backends too.
I work at a large company and we are starting to branch out into other languages. the problem is most of our infrastructure in .NET. Something like this would be really cool as it would allow us to utilize PHP while not asking too much of infrastructure team. I might put in an OSS approval request for this.
Most of my work in the past few years has been migrating .NET projects to PHP for enterprise clients. Especially with PHP 7, the performance is good, it's easier to hire for, and the total cost of ownership is lower. The doomsayers predicting poor security are wrong - it is just as possible to build a secure PHP system as a secure .NET system, and just as easy to build an insecure one.
Of course, it depends on the project and the company, so this isn't a universal truth. But there are definitely a lot of companies out there spending a fortune on a .NET stack that are looking to move to a PHP open source stack for good reasons.
We literally spend millions on licensing Share Point to do what WordPress can do much better and easier. I'm not saying we're going to start writing everything in PHP, but being able to experiment with WP could affect the bottom line in a big way.
It might be a personal thing, but if I had to choose between working for a customer A with SharePoint and customer B with WP, I wouldn't hesitate to choose customer A, even with SharePoint 2007.
Honestly, I think I'll take 'average' php code over 'average' .NET code, I just did a 18 mo. stint at a .NET enterprise environment after 8+ yrs of PHP(Drupal, so maybe the bar is higher, not saying it is, but maybe).
I don't have any substantive evidence for this, but I suspect you'd see very different characteristics among people who work on SharePoint and, say, MVC/WebAPI.
I started out as a PHP web developer and started developing in .NET when it was released. At this stage, I've been developing applications in .NET for 15 years. Whenever I have to look at a PHP project or ASP classic project, the code quality is usually much worse than other languages. ASP and PHP make it really, really easy to do things wrong.
There are a lot of creative ways around strict typing in c#, I spend my days dealing with them. I just finished working on a section that managed to combine the speed of c# with the expressiveness of assembly...
I would look at sitecore. It's still .net, but it is closer to wordpress in that you wouldn't necessarily build a sharepoint in it, but you can build pretty much anything else in it.
Disclaimer, I work on the UX/UI side of a company that focuses solely on sitecore.
Yeah it was a bit odd for me too, coming from PHP and node land. Most of the editing should be done in the experience editor.. which is fairly WYSIWYG in context editing. Concrete5 still does that part of it better. Sitecore has a lot of engagement value scoring and content a/b testing built into it.
I'm rewriting a legacy ASP application to PHP right now, and this isn't my first. Though the code is not .NET, .NET was the obvious upgrade path yet it was decided that moving to PHP was preferable for a variety of reasons. You already know the non-technical reasons (inexpensive Linux servers, easy to find devs, MySQL licensing vs MS SQL Server licensing, etc) but PHP 7 is extraordinarily performant and (as a VIM user I cannot believe that I'm saying this) with a good IDE such as PhpStorm it is an absolute pleasure to write and maintain.
Being able to use PHP for templating on .NET would be really nice. Webforms suck. Razor is okay, but the syntax isn't as easy for non-programmers to understand.
Not the person you asked but I also develop .NET Core on a mac. I like .NET because I can use C# which is my favourite language, and the new ASP.NET Core framework is very clean, modern and straight to the point. There's very little magic and it's performant and productive.
Dapper for data access is also fantastic for the same reasons.
I laughed at that. As much as I still shun MS platforms, I have never heard anything good about PHP as a language other than "it worked and was available at the time". Why someone would migrate in this direction is beyond me ;-) but that's just my opinion of course.
Hack is more than that. Hack solves every little stupid mistake PHP has as a language. It is a good language developed by smart people, has rules to avoid pitfalls and rules to make things more certain. It retains only the syntax of PHP, but in strict mode, hack can be compared to any other good language.
Aren't C# devs at least as easy to find as php devs already? This would vary regionally I suppose. I'd worry about the future availability of php devs if node/.NET keep growing as open source web backend platforms.
Yes, there are objectively better languages than PHP in terms of design and consistency, but even I'll admit it's difficult to match the shear volume of FOSS libraries, applications, and the huge number of people who know it if you're targeting the web.
Besides, if Peachpie expands the .NET ecosystem to include PHP's, isn't that a win for developers who may be stuck with that platform? I'm not a .NET developer, so I'm sure to be missing something here.
Yet half the web runs PHP. Why? PHP offers good functionality out of the box. Unlike these languages where you will need a hundred-thousand dependencies to build a cms. That is also why porting PHP to .net is not as simple as porting any of these.
How so? A PHP runtime running WP on .NET needs to be bug-for-bug compatible with the real thing (and I've heard early PHP APIs aren't exactly a paragon of API design).
Also, why would php-on-net be updated more often than one of the most used runtimes on the web?
True, I've been noted, for example, about issues with openssl library, which is updated with every update of PHP ... while Peachpie uses the one provided within .NET which might be more frequently updated by Windows Update.
This is amazing and from the comments I've heard that Microsoft is around supporting the development of this? Is there any MS material mentioning this effort? I'm really impressed by your work
What's the benefit over running a standard PHP-Interpreter?
Haven't used PHP or WordPress since 2010 so I might have missed something but to me this looks more like a tech demo then something one would use in a production environment.
For some of the operations highlighted, which are (naturally?) selected to impress. For others, the multiple is in single digits.
WordPress doesn't run 100X faster on Peachpie, but it'd be very interesting to see "real" benchmarks. Even a 2X improvement (vs the latest PHP 7, of course) would be compelling.
Yes, and look at the avg response times. It looks likely that the webserver can't handle the load. The number of concurrent requests should be limited.
While I do know that Azure is owned by Microsoft I'm not so sure on why it's such a valid argument.
In the end it's not like they're actively trying to ruin languages other than C# on their servers? Especially since that would ruin it for a lot of customers?
I would guess that .NET is more optimised on Azure, whereas PHP is not. So you're comparing an optimised installation of .NET against an unoptimised installation of PHP. In general, a benchmark saying "compares various metrics" is pretty meaningless.
I know, but is there any proof of this? And how can we be sure that the .NET environment is better optimised than the PHP environment? I would find it weird for them to shoot themselves in the foot like that. Since if someone were to make a decent blog post that showed proof they'd only have C# programs on Azure...
This all being said they're pretty transparent with their benchmarks. They supply all the code that they've used and are even comparing it to another project which aims to do the same.
I guess I'm just a bit angry because people are just saying "It's unfair" while they can easily do the tests themselves and then call someone out for it.
It's less about being unfair, more about it lacking much value as a benchmark.
The context of the parent to which I originally replied was suggesting that .NET was 100x faster than PHP 7. So I'm pointing out that claim is rather like saying "I'm faster than Usain Bolt". You're right that I don't think the original article was making such a claim.
We will produce these benchmarks soon, but HHVM is pretty difficult to configure and we have not focused on optimizing our compiler much yet, so the performance is likely to change drastically over the coming months.
Hard to say. We want to test it thoroughly before releasing version 1.0. Also, we are still missing a few key functions/constructs of PHP, such as eval() or PDO. A rough timeline would be "a few months" :)
The core code is OK, security wise. Comparible to similar projects, I guess.
The two major issues are that typically PHP runs with permission to modify the WordPress directory, which is useful for automatic upgrades, but means any exploit in any plugin, theme, etc. instantly becomes, "can replace WordPress".
The other is that all themes and plugins are completely unsandboxed, and the quality is extremely variable.
The permissions thing can be fixed, by running a very stripped down wp-php user with only read access to the code, and only write access to wp-contents/uploads (and a logging dir). Then you do automatic upgrades with wp-cli and (real) cron from a user with write access.
The quality of plugins and themes is not easily fixed.
The API for writing plugins and themes doesn't help. It's archaic, spaghetti, and doesn't have any kind of coherenc. Global functions like wp_is_home(), the_loop(), get_sitename(), etc.
I've come across themes which bundle joomla inside them as they're really joomla themes with a shim.
> WordPress also works with PHP 5.2.4+ and MySQL 5.0+, but these versions have reached official End Of Life and as such may expose your site to security vulnerabilities
> PDO ships with PHP 5.1, and is available as a PECL extension for PHP 5.0
Unless you mean "hosts that disabled PDO"… I think they can safely be ignored.
Most Linux/BSD distributions seem to separate out "core" PHP extensions (those that are distributed with php source, not via peel) into individual packages.
So while PDO may not be installed by a plain `apt-get install php5` or similar, I doubt the now deprecated `mysql` extension is installed by "default" in those scenarios either.
Edit: this approach also means that the PDO extension in php.ini will be commented, because its loaded by a package specific ini file e.g. /etc/php/7.0/fpm/conf.d/* which are generally symlinks to /etc/php/7.0/mods-available/
I don't really understand your point. WordPress is ubiquitous. Until today I've never heard of MODX Revolution.
Commented out in php.ini does mean disabled - as in not enabled. PDO isn't enabled by default in FreeBSD you still need to install a separate package for PDO.
His/Her point was that if someone is still using shared hosting (where they can't change the extensions available) it would be very rare to find one that doesn't have PDO enabled.
> Commented out in php.ini does mean disabled - as in not enabled.
> show me if security is improved!
> (which for Wordpress can't be that hard)
that is, to say that the concept of 'WordPress Security' isn't a single simple thing to 'improve'. Unfortunately. If you wrote a set of 10 jillion tests and proved that wordpress core has no possible security vulnerabilities (humour me), that still would not fix 'WordPress Security'.
From a theoretical point of view, you're absolutely right, and I agree with you.
From a practical point of view, WordPress is often 'good enough', and 'works well enough', and has 'few enough security issues', for many people.
Improving security is great, but it's a complex, perhaps impossible problem.
We're hosting a private-facing WordPress with several custom post types and some custom fields using ACF Pro. Then we pull directly out of the database with some not-too-complex and fast SQL queries and build a static site with Jekyll. The whole thing is about 200 lines of Ruby + a bunch of configuration for each post type. I'm working on making this a little more generic, because this thing really smokes.
In migrating to this, I'm doing a similar process with our previous mess of a WordPress site by pulling from the DB and writing JSON. WP All Import + ACF plugin takes care of the rest.
All uploads are now served out of S3 buckets and our editors write Kramdown now instead of HTML and inline CSS. We can easily A/B test or Multi-Armed Bandit now too.
It would have been a lot easier if the Wordpress REST API weren't a piece of junk. SQL is consistent at least.
How are you handling all the rendering that WP needs to do on a post (e.g. shortcodes, special HTML formatting, etc)? ... or are you just forcing your users to write Kramdown and leaving out things like shortcodes? IMO, the worst parts about Wordpress are: 1) complete coupling of data to PHP and 2) the absurdly terrible DB schema.
I disabled the default toolbar with shortcodes and replaced it with my own with Kramdown versions. I hooked the Add Media button to output Kramdown instead of HTML as well. Also we're having our editors write Kramdown.
Lastly, when pulling all the data, I determine if the post is HTML or Kramdown and use the Kramdown library to parse the HTML.
Everything migrated from the old site was automatically converted to Kramdown this same way and had to have some minor cleanup work done on each post. Not a small task on our main WordPress site with 7000+ posts/pages.
The interesting part was that wp_autop() happens at render time, so to get Kramdown to parse the HTML correctly, you actually have to RegExp replace '\n\n' with '<br /><br />' first to preserve paragraphs.
Some of them are just bizarre. We have like 14 different WordPress sites with varying degrees of customization. Oddly, some of our most basic WordPress sites (basically zero plugins) would return _no results_ when querying for Posts. Especially in our Multisite instances. Especially in our sites that hook parse_request. Some others would return inconsistent results for the same queries. Custom post types would most-consistently not return sensible results. Entries in the wp_postmeta table stored via ACF Pro seemed essentially inaccessible.
Most annoying though is that the API returns paginated posts but without returning data about how many posts there are or what page you're on. IIRC, there was a hard limit on returning max 100 posts per query. Might have been higher but significantly less than the number of posts we have. It was a total nonstarter unless we could guarantee that we could make and return enough queries to return all the posts before anything changed. With a 40+ content team that's impossible.
Sorry that I can't be more accurate than that right now.
Side note: I don't know if this has been said before, but ACF Pro is like the single most essential WordPress plugin for dev teams who know what they're doing. That plugin combined with some dev time replaces the need for like 99% of anything else that we would need to install. Please consider doing whatever it takes to make that plugin part of WP Core. Installing it on any site is a really sensible thing to do. That said, their field labels ("field_<somedigits>") really should be replaced with a GUID.
You're seriously out of touch if you think the WP Core is not secure. You must realize they have a very competent team (https://automattic.com/), not to mention thousands of OSS developers that continually contribute. Does your company, or does this small team of techs even come close?
What you're missing is that these security exploits are discovered, patched and disclosed. The same can't be said about most tech services / products. Security through obscurity is not a viable strategy.
What has this to do with security through obscurity??
WP security is like Whac-A-Mole, you patch one serious issue and two more pop up. It has been like this for years which shows that the developers don't have the correct mindset to write internet facing code.
I pointed you to a SQL injection / remote execution vulnerability in the WP core, in 2017 for gods sake.
Perhaps, but WP also has a large user base from which to pull from so I would hope vulnerabilities get discovered and patched quickly. However, I think it's quite telling that such a popular project still has issues with SQL injection even with so much active development apparently going on.
Remarkable, but as bleeding-edge tech I think it's disingenuous to include PHP5.6, which is now only on security support. I know many PHP sites run this version and even older ones, but I think the audience for a project like this are PHP7 developers.
That said, I was really impressed by the improvement on require performance. The requests/sec also seem to have big gains.
I also wonder what security improvements other are expecting from this? Isn't unsecure code unsecure regardless of language?
Ah ok. In terms of security I don't tend to think of memory safety, etc. especially since PHP processes die fast. I thought everyone was talking about SQL injections and the like so I was very confused
Several years ago I used to run a WordPress blog on IIS 7 using FastCGI. The performance wasn't great but acceptable for a small blog. Wonder how this compares.
He's quoting Jurassic Park. The idea is that the technology does something that would normally be considered highly unusual or even ridiculous to consider, like running a very complicated code base through a transpiler to make it run on another tech stack. Generally speaking, this kind of comment would be a compliment. Sort of along the lines of "wow, that's absolutely crazy, you did something no one would have thought possible, good work".
It's a much more light-hearted comment than you seem to think it is.
I don't care what he's quoting and to see this as 'light-hearted' (without any further elaboration on the part of the OP) is extrapolation.
FWIW the comment in the movie is also a negative one.
> John Hammond: I don't think you're giving us our due credit. Our scientists have done things which nobody's ever done before...
> Dr. Ian Malcolm: Yeah, yeah, but your scientists were so preoccupied with whether or not they could that they didn't stop to think if they should.
> John Hammond: Condors. Condors are on the verge of extinction...
> Dr. Ian Malcolm: [shaking his head] No...
> John Hammond: If I was to create a flock of condors on this island, you wouldn't have anything to say.
> Dr. Ian Malcolm: No, hold on. This isn't some species that was obliterated by deforestation, or the building of a dam. Dinosaurs had their shot, and nature selected them for extinction.
> John Hammond: I simply don't understand this Luddite attitude, especially from a scientist. I mean, how can we stand in the light of discovery, and not act?
> Dr. Ian Malcolm: What's so great about discovery? It's a violent, penetrative act that scars what it explores. What you call discovery, I call the rape of the natural world.
I actually stand by the sentiment. Wordpress is a virus, and like jQuery, it has negatively impacted the development scene of the language is lives in. PHP, on the cusp of becoming a more respectable language (I freely admit my love for PHP, to this day, even though I primarily work in Java and Python now), was taken over by WP "developers" who flooded the market and sell themselves as engineers when all they can do is copypasta a few wordpress idioms.
I don't hate on wordpress itself, its a fine, though early on troubled codebase. The predatory community it has created, the security issues it continues to create, and the low-barrier to entry that floods the market with a ton of really bad code isn't something I would want to bring into another language's world.
And here's where the light-hearted part comes in... I know that projects like these would NEVER actually cause that kind of effect on their language because nobody would take it seriously... but the analogy of what COULD happen (you know, fictional, like ridiculous unrealism of the base concept of the movie) was apt.
I fail to understand why in a world so caught up in negativity and rigidness, people chose to not allow themselves to enjoy or notice light-hearted humor, and actively defend their stance against it, as if somehow eliminating light hearted jest is a benefit to a world already buried in such negativity...
The person posting this went out of his way to try to do some good. Instead of taking them down with cheap shots: What have you done to give the PHP world (better?) options?
If everybody that railed on others creations would instead spend the time to provide better alternatives then we wouldn't be having this discussion. But cheap shots are cheap and work is hard.
You could, but you'd be ignoring the realities on the ground:
Wordpress powers a vast chunk of the web[1], whether we like that or not, and frameworks such as Symphony a good bit of the remainder.
For the love that Clojure, Rust etc get on HN their over-representation should not lead you to believe that 'PHP has had it's shot', PHP hasn't had it's shot by a long shot...
The reasonably good news here is that PHP code tends to have a rather short life-span so the bulk of it should die off relatively fast once there is an actual alternative.
That's the puzzling bit: even Ruby, python and all the other 'better' languages still don't have the deploy situation worked out to the point that PHP has.
Well, considering the fact that PHP post v4 is trying to become Java, it made sense that at some point it would be able to run on the JVM or its step-cousin CLR.
By the way, does anyone know of a similar project where the JVM is targeted instead?
"project zero" was an effort from ibm to run php on jvm, but it's been several years since anything was done (have to assume it's abandoned).
i remember in 2003 wondering if something to allow php to run on jvm would be useful/viable - couldn't convince too many folks in the local user group that the idea had any merit.
We haven't benchmarked WordPress yet, as we haven't even started doing any optimization work. It's faster than expected though, but we'll produce a proper benchmark soon.
>NPM is already supported by default for quite some time in VisualStudio
I should have been more clear. I mean MS should work with Node/LAMP people to invest in one package manager more than the other. Like they did with TypeScript, they didn't just build a tool that linux people never used, they made useful tooling and also spent a lot of time bringing Google and others into the fold.
It makes sense to back npm because (guessing) it's used more than nu-get is used by VS devs. However if nu-get has a stronger ecosystem, stronger user base, etc choose it.
Having competition is usually good, but sometimes it just means it's more work to have to learn more/work more to get the same thing done (if you work across environments). Take instant messaging protocols, lots of competition but not even having cooperation has made the result terrible. Incompatibility everywhere, reinventing the wheel, etc.
To be sure some things are better not unified. We have multiple, un-unified browser engines and implementations which is critical. It improves competition, innovation and quality while still allowing surface level standardization in html/css/etc.
I try to look at each set of competing projects independently and ask: Overall is this helping, or it is mostly just wasting time as clients are forced to learn multiple techs.
No, please, no. It'd be nice if somebody would get back to maintaining nuget packages for front-end stuff, the way it was a few years ago, before everyone collectively threw in the towel, shrugged, and said, "I guess npm isn't that painful. You know, compared to having forks shoved in my eyeballs, it's quite nice."
Yes. I had hoped node.js would fill the role of a cheap generic hosting platform with taste. But while it works well for me on VMs/cloud, managed hosting for node.js is nowhere near PHP in terms of ubiquity.
[1]: http://www.peachpie.io/
[edit] If the author is looking, a few nitpicks from the website:
- A blank page is shown if browser doesn't load 3rd party scripts by default
- After enabling them, the scroll wheel doesn't work
- Typo: "free completely to use" -> "completely free to use"
- "Run PHP apps on the most secure platform available, Microsoft .NET" -> I also admire the platform but most secure? Comes off a bit too strong.