No. A LOT has changed in the world of PHP over the years. And to be honest, I give credit to amazing frameworks like Laravel [0] for giving PHP a massive facelift (I consider Taylor Otwell one of my software heroes). Overall though, modern PHP software is much cleaner and more secure than whatever you knew from years ago.
Moreover, I'd like to point out that even if the vast majority of PHP-backed websites are based on WordPress, WordPress is not an example of good PHP practices at all. Its code-base and coding standards are old and horrible.
Agreed re WordPress, although I haven’t seen their code in YEARS, so maybe their codebase has evolved too.
Re Taylor, if I was a billionaire (or at the very least, extremely wealthy), he’s one of those folks I’d write a no-strings-attached blank check to go build anything he wants—just a brilliant and overall great human. I used to be very active in the Laravel community many years ago, and even way back then, before Laravel was super famous (first Laracon days), I remember meeting Taylor and being thoroughly impressed. Over the years, on multiple occasions, I’ve heard folks at relatively large organizations say they adopted PHP solely because of Taylor and Laravel. Recently, when I saw someone mention in a post that Taylor has a Lambo now, I was so happy for him—it feels great to see him thrive after making the type of impact that he has.
Unfortunately, not so much. They still follow a PHP 5-days style; for example, they still haven't adopted the short array syntax [], they always use array(), which is horrible in my opinion.
The code base is horrible, but the front-facing experience is not so bad (unless you start installing lots of plugins, which tend to add different interface styles and lots of banners everywhere in the admin panel).
Concerns with PHP are less about security and more about language design, at least that’s my take after 22 years of dealing with it off and on (full-time “on” for several years).
Speaking as someone who has pentested a few PHP codebases over the years, rather than as a developer, it's a bit like C. That is, it's an absolute footgun in the wrong hands, and a lesser footgun in experienced hands.
For experienced devs following best practices and using modern frameworks it's "mostly fine", and that's the side of things that's been improved over the years, but most of the old rakes are still there to be stood on.
Most notably, in 5.4.0 (in 2012!) they removed register_globals and magic_quotes. (Which had both been deprecated and off-by-default for a while before, I believe.)
The former was notoriously insecure, as what it did was promote anything passed in as a cookie, GET, or POST variable into a global-scoped variable inside your script. Since PHP didn't require any sort of declaring-your-variables-before-using-them, it was pretty easy to wind up with scripts written in a way that would give this an unwise amount of access to the script's internals.
The latter automatically escaped special characters with backslashes in all the aforementioned user-provided variables so you could pass them straight into MySQL queries. It was, however, optional and so caused errors because code got written relying on it and then ran on servers with it disabled, allowing SQL injection attacks... or double-escaping things in code written the other way around.
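The two removed settings described above, as an added illustration that is not code from the thread or its authors: each legacy pattern that depended on the setting sits next to a hardened form. The PDO connection `$pdo` and the `users` table with `name` and `is_admin` columns are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $pdo and a
// hypothetical `users` table with `name` and `is_admin` columns.

// --- register_globals ---
// Legacy pattern: $is_admin is never initialized. With register_globals=On,
// a request carrying is_admin=1 created that global before this line ran,
// so an uninitialized flag became request-controlled.
//
//     if ($is_admin) { show_admin_panel(); }
//
// Hardened: initialize every variable, read input only through the explicit
// superglobals, and derive authorization from server-side session state.
function isAdmin(array $session): bool {
    $isAdmin = false;
    if (isset($session['is_admin']) && $session['is_admin'] === true) {
        $isAdmin = true;
    }
    return $isAdmin;
}

// --- magic_quotes_gpc ---
// Legacy pattern: $name came straight from $_GET and was interpolated into
// SQL. It only "worked" while magic_quotes_gpc added backslashes; on a server
// with the setting off it is SQL injection, and if the author also called
// addslashes() the value is double-escaped where the setting is on.
function legacyFindUser(PDO $pdo, string $name): array {
    $sql = "SELECT * FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement keeps the query and the data separate, so
// no escaping setting matters and double-escaping cannot happen.
function findUser(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (session and connection are placeholders for a real request):
// $admin = isAdmin($_SESSION ?? []);
// $rows  = findUser($pdo, $_GET['name'] ?? '');
```

On PHP 8 both settings are gone, so the legacy versions cannot be "fixed" by configuration; the prepared statement and the session-based check are the replacements regardless of the runtime.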
Also a pentester here. I find C and PHP to be quite different. Somehow, C applications always have catastrophic issues pop up, sooner or later, where you can make it execute random code at least under some circumstances. PHP applications can be the same if the team is inexperienced or doesn't get the necessary time to apply best practices, but I've also seen plenty of PHP applications where we didn't find significant issues with the server-side aspects.
PHP applications are fun to test because most teams found another set of solutions to the same problems (it has so much history that wheels have been reinvented a lot), so you get to see new things. They're also typically larger than newer and new-style services written in a shiny new language, which haven't had time to accumulate as many features and are often written as a microservice (smaller components where one/each dev can know all the ins and outs, allowing a total overview so that security controls can much more easily be implemented in a unified way).
No, it is not. Arguably, it never was. I mean yes, PHP had security bugs. So did all other platforms - including, for example, the Java one that led to the Equifax compromise, which is as close to "everybody just lost their privacy" as any single break-in can get. I'd argue that PHP's security stance as a platform was never substantially worse than any comparable platform.
However, you get two additional factors: a) it's easy, therefore it attracts beginners and b) it's popular, therefore a lot of software uses it. More various software - more security issues. More software implemented by beginners - a lot more security issues. That was inevitable - any platform that had as low an entry barrier, was as popular, and appeared at the same time, when the web was exploding but the understanding of how to manage security on the web was lagging behind, would have absolutely the same going on.
But blaming the tool because a lot of people didn't use it correctly - and, also, because due to its novelty there was neither proper education nor frameworks that made it easy to do the right thing - makes little sense. There's nothing security-challenged in PHP. It's just that PHP was there when security-challenged programmers started to build websites. Most of them have grown up now and know how to do it right. Either in PHP or in any other language.
PHP itself has also come a long way. I don't know if it's because of its reputation that it seems to evolve faster than most languages.
I recently used PHP to construct my personal site/blog. I didn't use any frameworks, but I did use its statically typed/strongly typed features, which is very different from how I would have coded in PHP years ago.
Not related to security, but I was quite surprised to see how far PHP has come since I used it many years ago: [PHP doesn't suck (anymore)](https://youtu.be/ZRV3pBuPxEQ)
Security really was (still is?) a WordPress concern. PHP itself isn't really a security issue; security will come from the code you write rather than the language itself.
The curse of popularity. Relatively more people using something means higher absolute amounts of garbage being made with it. I wouldn't say modern JavaScript tooling gives you some obscenely high number of footguns to target practice with, at least compared to the other web-capable options (PHP, Python, Ruby, etc.).
Yeah, JS does less with its stdlib, which I think means a lot of people end up using mostly decent packages from npm instead of writing extra garbage themselves.
I also participate in discussions like any other regular user, but I can't look away when I see somebody butcher the English language like that (and it isn't even my first language). It takes me 10 seconds to correct someone, and hopefully the corrected person makes fewer mistakes in the future. Nobody loses here; I don't see any harm in this, there are only good outcomes. Once you realize how many people can't write, you start to see it everywhere. Maybe I'm just autistic, maybe I care too much.
That's my quirk.
> It takes me 10 seconds to correct someone, and hopefully the corrected person makes fewer mistakes in the future.
Or the corrected person does it right 99 times out of 100 and was in a hurry (honestly not sure why that went wrong).
I agree with the sentiment of wanting to correct people, but it’s not always going to be correct.
Also, if you are going to do it, it works better if you at least pretend to be natural about it. I certainly would respond better.
To be fair, I’m pretty drunk right now so I don’t particularly care, but I’d probably be extremely annoyed if I were sober (even though you are technically right, I have a big dislike of people jumping on mistakes).
Maybe it’s worth seeing if there is a history of repeat mistakes? Then you could confidently correct someone.
If you only care enough to just leave a short impersonal comment on each instance, just leave off.
Sometimes I'm posting from my phone, and it autocorrects it wrongly. I know the difference between it's and its, but I'm not going to go back and clean up simple typos that don't prevent understanding of what I was trying to say.
Believe me, it sometimes prevents people from understanding. Not very common, but I had a couple of cases where I had to re-read a sentence until I finally understood what the author meant.
PHP is on my mental list of forever-security-challenged tech, but it got on that list a long time ago. It’s 2023, is that still a reasonable concern?