Interview - PHP's Creator, Rasmus Lerdorf

PHP today

SP: To what would you attribute PHP's success? Do you feel that PHP has any major weaknesses (in comparison to other languages)?

RL: People like PHP because it solves their Web problem. As such, I don't see any weaknesses. It does the job it was designed to do.

Some people might argue that certain aspects of PHP are not as mature as those in other languages. The OOP support in PHP is an example. But in the end this has very little to do with solving the Web problem and more to do with aesthetics and language purism.

SP: Are you still actively involved in PHP development today?

RL: I am still quite involved. I don't spend 20 hours a day on it like I did in the first couple of years, but I still fix bugs, argue with the other developers about features, and occasionally jump in and add the odd new bit here and there.

SP: Which Web server runs PHP the best? Apache - or something else? And which platform runs PHP the best? Linux/Intel, Solaris/SPARC, or another?

RL: This all comes down to what gets the most attention, I think. Most people use Linux/Intel with Apache. This means that bugs on that platform are discovered by the developers themselves early on, and the end-user is unlikely to hit something that the developers haven't run into already. Other mainstream UNIX platforms such as Solaris/SPARC and FreeBSD/Intel with Apache are right up there as well.

SP: PHP is usually paired with MySQL. How much co-operation is there between the two teams in terms of development?

RL: We know the MySQL folks very well. The first database code in PHP was written for the MySQL predecessor called mSQL. The MySQL API was completely compatible with mSQL's when it came out, so right from the early days of MySQL, PHP had good support for it. The pairing works because PHP and MySQL tend to take a minimalistic and very direct approach to solving problems.

In terms of cooperation at the development level, there isn't that much actually. But not much is needed. PHP provides a thin layer that simply exposes the MySQL API to the PHP user. We bundle the MySQL client library with PHP, but that library is completely maintained by the MySQL team with little involvement from us -- except when they break the build, of course.

SP: Do you think PHP is becoming a replacement for Perl?

RL: No, Perl is a general-purpose scripting language. PHP is specifically geared to the Web problem.

SP: What are your views on Magic Quotes and Register Globals?

RL: Register Globals is one of the features that brought people to PHP. The simplicity of creating Web applications when form and other variables were automatically available could not be beaten.

I was personally not in favour of turning Register Globals off by default. It adds very little to the overall security of an application. If people do not check data coming from the user then with or without Register Globals enabled that application is going to be insecure.

The only time having Register Globals off helps is when you forget to initialize a variable before you use it and someone who knows your code exploits that. By changing the error reporting level you can have PHP find these cases for you automatically. So in the end, all I think turning Register Globals off has done is make writing PHP apps more complicated.

And it has of course also generated 10-20 questions/bug reports per day from users who are confused about this change.

Magic Quotes stems from the days when PHP was used almost exclusively for database-driven applications. These applications would take form input and stick it into a database. Even today, a large chunk of the PHP scripts out there do little more than this.

You always have to escape quotes before you can insert a string into a database. If you don't, you get an ugly SQL error and your application doesn't work. After explaining this simple fact to people for the 50th time one day I finally got fed up and had PHP do the escaping on the fly. This way the applications would work and the worst that would happen is that someone would see an extra \ on the screen when they output the data directly instead of sticking it into the database.

Often people didn't even notice this extra \ since it did not cause any fatal SQL errors and thus I wouldn't get confused emails asking me what was going on. This was a very good thing.

Even today you still see the odd site where it is obvious that the author didn't realize that data needed to be escaped before being inserted into a DB, and you see the odd extra \ here and there. Each of those is a support message we didn't have to answer.

The clueful who don't like this feature can simply turn it off and handle all escaping themselves. And the clueful who write portable apps can simply check the setting using get_magic_quotes_gpc() and add an addslashes() call when appropriate.

SP: Do you think there is a successful balance between the commercial and open source elements of the PHP community?

RL: I think it works out ok. The various commercial entities pay individuals to work on parts of PHP -- and that benefits everybody.

SP: What's been the most surprising or innovative use of PHP you've seen on the Internet?

RL: I keep seeing new and weird things, the latest being Wez Furlong's ActiveScript SAPI module, which lets you do client-side PHP like this:

<html>  
 ...  
 <script language="ActivePHP">  
   function clickit() {  
     $GLOBALS["window"]->open("http://www.php.net");  
   }  
 </script>  
 ...  
 <img src="..." onclick="clickit();" />  
</html>

Alan Knowles' PHPMole IDE for PHP written in PHP-GTK is quite impressive as well. There are plenty of other cool PHP things out there, but these are probably the furthest from what I started out doing.
