Upcoming Hardening in PHP

Exploitation vs Fixing Vulnerabilities

  • Several comments note that finding and demonstrating exploits is more rewarding and glamorous than writing patches, both socially and financially (bug bounties, selling 0‑days).
  • Some argue “ethical hackers” should at least propose mitigations or patches, not just showcase chains.
  • Others push back: reporting a bug is already unpaid charity; doing the fix, fighting for acceptance, or engaging with project politics is extra effort many won’t take.

PHP-Specific Attack Surface & Hardening

  • Some issues (e.g., stream filter chains, php://filter) are seen as uniquely dangerous PHP features that turn local file inclusion into remote code execution.
  • Others say these are only exploitable with already-dangerous patterns (attacker-controlled file_get_contents etc.), and that a “properly secured application” shouldn’t be affected—yet admit such features are “fun and useful” for exploits.
  • Comparisons are drawn with Log4Shell: overly powerful, generic features added in a less security-conscious era.
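The "properly secured application" argument above rests on never letting a request value reach `include`/`file_get_contents` unvalidated. As an added example (not code from the thread or from PHP itself; directory and template names are hypothetical), here is the weak pattern beside a hardened resolver that allowlists templates, refuses wrapper schemes and traversal, and confirms the canonical path with `realpath()`:

```php
<?php
declare(strict_types=1);

// Weak pattern described in the thread: a request parameter reaches a file
// API directly, so any stream wrapper or path the client supplies is honoured.
function renderPageWeak(string $page): string
{
    return file_get_contents($page);
}

// Hardened version. The filename never comes from the request; the request
// value is only a key into a fixed allowlist (hypothetical directory/names).
const TEMPLATE_DIR = __DIR__ . '/templates';
const TEMPLATES = ['home' => 'home.html', 'about' => 'about.html'];

function resolveTemplate(string $page): ?string
{
    // 1. Only allowlisted keys are accepted.
    if (!array_key_exists($page, TEMPLATES)) {
        return null;
    }
    $candidate = TEMPLATE_DIR . '/' . TEMPLATES[$page];

    // 2. Defense in depth: reject anything carrying a scheme (php://, data://, ...)
    //    or a traversal component, even though the allowlist already rules it out.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate) || str_contains($candidate, '..')) {
        return null;
    }

    // 3. realpath() returns false for missing files and for stream wrappers and
    //    canonicalises symlinks, so a prefix check against the canonical base
    //    directory is reliable. (str_contains/str_starts_with need PHP 8.0+.)
    $base = realpath(TEMPLATE_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false
        || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

function renderPage(string $page): string
{
    $path = resolveTemplate($page);
    if ($path === null) {
        http_response_code(404);   // unknown key, wrapper, traversal, or missing file
        return '';
    }
    return file_get_contents($path);
}
```

Disabling `allow_url_include` or specific wrappers narrows the blast radius but, as the thread notes, not every issue is fixable through configuration, so the allowlist and `realpath()` prefix check remain the primary control.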

Language Quality, Governance, and Upgrades

  • Harsh criticism: PHP core development historically “amateur,” with ad‑hoc features, messy code, and many breaking changes, including across minor versions.
  • Counterpoint: PHP long had strong backward compatibility; code from PHP 4 can often still run, and upgrading PHP apps is claimed to be easier than many other ecosystems.
  • Multiple practitioners describe painful real-world migrations (PHP 4/5 → 7 → 8), especially when frameworks and deprecated constructs are involved.
  • Tools like Rector are cited as essential for large upgrades—very helpful, but not foolproof.
  • Governance is said to have improved via the RFC process and new funding (PHP Foundation, corporate backing), though some note a single paid maintainer once created a funding cliff.

Security vs Performance Trade-offs

  • A rejected hardening proposal that cost ~0.6% performance sparks debate.
  • Some accept the trade-off: performance at scale is expensive, and features can already be disabled in serious deployments.
  • Others argue a secure platform should prioritize safety over such a small slowdown; not all issues can be mitigated via configuration.

PHP Performance and Ecosystem Comparisons

  • Disagreement over PHP speed: some call it “really slow,” others say it’s very fast for an interpreted language and faster than Python in many cases.
  • Several point out Python’s apparent speed in ML is due to C/Fortran libraries (NumPy, etc.), not the Python interpreter.
  • PHP’s FFI and PECL extensions are mentioned as a path to similar native-speed libraries, though some see Python’s pip ecosystem as more mature.
  • Multiple comments note that in typical web apps the database, not the choice between PHP and Python, is the real bottleneck.

Strictness, Typing, and Tooling

  • One subthread proposes stricter argument-count checking for user-defined functions (rejecting extra arguments like builtins do), via syntax (void sentinel), attributes, or global directives.
  • Advocates say this would catch bugs and align behavior with builtins; opponents worry about breaking existing code and patterns (e.g., func_get_args, callbacks, dynamic dispatch).
  • Some suggest deprecating extra arguments over a major-version cycle, or making stricter behavior opt-out via attributes.
  • Static analysis tools (PHPStan, Psalm, Sonar) are touted as already catching many such issues; some say their use should be non-negotiable, while low-level library authors complain they conflict with performance-oriented idioms.

PHP Version Usage and Modern Features

  • Anecdotes show active codebases from PHP 5.2 to 8.3 in production.
  • Framework ecosystems like Laravel, Symfony, and Drupal are described as aggressively adopting modern PHP features (attributes, enums, fibers, readonly, polyfills).
  • Legacy code and older frameworks (e.g., Symfony 1) are highlighted as major barriers to upgrading the underlying PHP version.

Miscellaneous & Off-Topic

  • Some comments assert PHP is “too permissive” and joke that uninstalling it is the best hardening.
  • One off-topic comment includes a Node.js/Express example for survey CRUD using a JSON file, unrelated to PHP but showing simple backend patterns.
  • Another remark credits PHP, Visual Basic, and Excel as key technologies in the “computerization” of the world.