RealTime IT News

Is PHP The Cure For The 'Broken' Web?

TORONTO -- "The Web is broken and it's all your fault."

Those are the words that Rasmus Lerdorf, the creator of PHP, said to kick off his keynote at the php|works conference under way here.

He said the current state of the Internet includes a litany of broken items, but with a little help from PHP there may well be some hope for the Web yet.

Lerdorf originally created PHP in 1995 and, in addition to being a PHP developer at Yahoo, remains very active in the PHP community.

PHP, by a variety of measures, is likely the most popular scripting language in use on the Web today.

"The Web is pretty much broken, we can all go home now," Lerdorf said somewhat sarcastically to the capacity crowd. "Luckily most people don't realize that it's broken."

Part of the reason Lerdorf considers the Web "broken" is that it is inherently insecure for a variety of reasons. One of those reasons sits at the feet of developers.

"You don't know that you have to filter user input," Lerdorf exclaimed.

Lerdorf advised PHP developers that nothing that comes across the wire is to be trusted. Header "stupidity," as Lerdorf referred to it, in the Apache HTTP Web server can also be the root cause for the broken Web.

Then there is Microsoft's Internet Explorer, which has "stupidity" issues with character set detection, arbitrary header injection, host header spoofing and request splitting.

"IE is completely broken in so many ways," Lerdorf said.

With some PHP common sense, a few of the reasons why IE is broken can be overcome.

When it comes to character set detection, Lerdorf advises developers to always make sure that they actually specify a default charset in their PHP applications.

PHP 5 includes all manner of functionality to help developers filter requests, to help prevent the "broken Web."

"You have to filter everything and then poke a few holes to let things through," Lerdorf advised.
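As an added illustration (not code from Lerdorf's keynote), the sketch below applies that default-deny advice with PHP's filter extension and declares the charset explicitly. The field names, limits, the `filter_request()` helper and the sample input are assumptions made for the example.

```php
<?php
// Added example: field names, limits and sample input are constructed.

// Declare the charset explicitly so the browser never has to guess it.
ini_set('default_charset', 'UTF-8');
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
}

// The "holes": the only fields let through, each with a strict validator.
$allowed = [
    'id'    => ['filter'  => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 1, 'max_range' => 1000000]],
    // \A and \z anchor the whole string; "$" would accept a trailing newline.
    'user'  => ['filter'  => FILTER_VALIDATE_REGEXP,
                'options' => ['regexp' => '/\A[a-z0-9_]{3,16}\z/']],
    'email' => FILTER_VALIDATE_EMAIL,
];

// Hypothetical helper: returns [accepted values, names that were rejected].
function filter_request(array $raw, array $allowed): array
{
    // Keys absent from $allowed are dropped. A missing field comes back as
    // null, a failed one as false; array values fail the scalar filters.
    $result = filter_var_array($raw, $allowed, true);
    $clean = [];
    $rejected = [];
    foreach ($result as $name => $value) {
        if ($value === null || $value === false) {
            $rejected[] = $name;
        } else {
            $clean[$name] = $value;
        }
    }
    return [$clean, $rejected];
}

// Constructed input standing in for $_GET or $_POST.
$raw = [
    'id'    => '42',
    'user'  => "bob\r\nX-Test: 1",   // contains CR/LF, fails the pattern
    'email' => 'bob@example.com',
    'debug' => '1',                  // not on the allowlist, silently dropped
];

[$clean, $rejected] = filter_request($raw, $allowed);

// Encode on output with the same charset that was declared above.
echo htmlspecialchars(json_encode($clean), ENT_QUOTES, 'UTF-8'), "\n";
echo 'rejected: ', htmlspecialchars(implode(',', $rejected), ENT_QUOTES, 'UTF-8'), "\n";
```

With the sample input, only `id` and `email` survive; `user` is reported as rejected and `debug` never reaches application code.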

Rich Web applications, such as those built with AJAX and Web services, are key to the modern Internet.

Yet performance and ease of development have been somewhat broken.

Lerdorf noted that rich Web applications, such as those that Yahoo deploys, need to have excellent response times and need to be able to handle a high number of users.

Lerdorf demonstrated to the developer crowd how to optimize rich application delivery performance on a basic 1.8 GHz AMD Athlon CPU server running Ubuntu Linux.

The PHP creator began with a baseline that showed his application, running with default settings, could handle only 17 requests per second.

By the end of his optimization discussion, the same hardware running the same application could handle 1,100 requests per second and had a less than 10 millisecond response time.

One performance enhancement that Lerdorf suggested based on code analysis was to use MySQL instead of PostgreSQL for the database.

"If you can fit your problem into what MySQL can handle it's very fast," Lerdorf said. "You can gain quite a bit of performance."

For the items that MySQL doesn't handle as well as PostgreSQL, Lerdorf noted that some features can be emulated in PHP itself, and you still end up with a net performance boost.

Parsing and compiling speed can also be significantly boosted with the use of an opcode cache.

In PHP, as with most scripting languages, code is parsed from human-readable source into machine-readable instructions. The machine-readable script is known in PHP as opcodes.

An opcode cache stores or caches the compiled code in shared memory so that the code compilation for similar operations only needs to happen once.

PHP 6, which is still in development, will have opcode cache built in by default.

For current PHP 5 users, there are various opcode cache implementations that can be used, including the Alternative PHP Cache (APC), which is what Lerdorf recommended.

"Every single server has it [APC] at Yahoo, and it handles billions of requests per day," Lerdorf said.

PHP 5.2 also makes it easier for developers to develop and deploy Web services, even those that use SOAP, which Lerdorf described as being difficult to use and "way too complex."

With SimpleXML, which is a PHP extension allowing for "simple" XML data manipulation, a lot of the complexity of Web Services can be abstracted.

As an example, Lerdorf showed a one-line RSS parser that he wrote that pulled data via SimpleXML.

He went on to demonstrate how it was equally easy to expose PHP as a Web Service, even via SOAP.