PHP is Dead

A living memorial to a dying language

Days since declared dead: 5,024

Meanwhile, 77% of the web still runs PHP... • PHP stands for 'PHP: Hypertext Preprocessor' which stands for 'PHP: Hypertext Preprocessor: Hypertext Preprocessor'... • WordPress alone powers 43% of the internet. Yes, that's PHP. • PHP was originally called 'Personal Home Page Tools.' Peak 1995. • In PHP, 'T_PAAMAYIM_NEKUDOTAYIM' is the error for '::'. It's Hebrew. Because why not. • PHP has both array_key_exists() and in_array(), and they take arguments in opposite orders. • The PHP elephant mascot is called 'elePHPant.' They were proud of that. • MySQL_real_escape_string exists because mysql_escape_string wasn't escaping things... for real.

← Back to the graveyard

PHP: the language where everything is a footgun

H

hn_commenter +890

PHP is the only language where I've seen a function called mysql_real_escape_string. Because apparently mysql_escape_string wasn't escaping things... for real.

S

security_nerd +1100

And then they deprecated both in favor of prepared statements, which they should have done from the start. Decades of SQL injection vulnerabilities later.

O

old_timer +760

Don't forget addslashes(). Three different ways to incorrectly prevent SQL injection before someone thought 'maybe we should just separate the query from the data.'

7,600 pts Source: manual

View original →