The Only Argument You Will Ever Need Against PHP

I will begin by disclosing that I have never used PHP on a project, because I have never needed to. By the time PHP had its breakout moment, I had moved on from making Web apps to making infrastructure, and in 20 years, I've never encountered a situation in which I needed something PHP does that something else didn't.

I nevertheless have thousands of hours of PHP experience, from mopping up some hacked or otherwise messed up doo-dad or other, because the person who put it there couldn't.

I feel injured by this. I feel robbed. This kind of expertise arbitrage, where the skill level you need to set something up initially is nowhere near the skill level you need to fix it when it breaks, is pervasive in the software industry, and will continue to pervade as long as there are libraries, frameworks, and high-level languages. This not a problem unique to PHP, though I do believe the gap in PHP is characteristically wide.

Anyway, that's not even the main argument. This is:

The reason why PHP is so popular is because second to JavaScript, you couldn't ask for an easier introduction to programming. Why? Because you type in the code and you upload the file and you load the webpage in your browser and you see what you just made go and it's amazing. Oh, and other people can see it too. Instant gratification. It's also free, it's batteries-included, and for two decades you've been able to find dirt-cheap shared hosting that carries it at no extra charge.

This business of upload the file and it just runs is central to my beef with PHP. My aforementioned thousands of hours of mopping are almost uniquely attributable to this feature. If an attacker can smuggle a PHP file onto your document root, then they can execute it. If they can do that, then they own you. This attack vector cannot be eliminated. If you use PHP, you will always be fighting it. Forever.

I suppose this is where Hacker News cruises in on a hoverboard and tut-tuts at me, between jets of vape steam, that well actually, PHP web apps can be made to run outside the document root just like anything else, and indeed this is how modern MVC frameworks operate. Sure they can, but then you obviate the point of using it. If you aren't going to be plunking files into your document root for immediate execution, you may as well use some other stack.

Well, there may be one other reason. PHP apologists like to gloat that unlike more esoteric programming languages, they always have plenty of job opportunities. What do you call a PHP developer? Employed. What kind of jobs though? Mopping-up jobs, of course. Moreover, on the other side of that job is an employer, who is more than happy to take advantage of all this competition. If you aren't working at Facebook, the Wikimedia Foundation, Automattic or Acquia, it's probably worth asking yourself, dear PHP developer, if you are being played.

PHP made a heck of a lot of sense in 1998. In 2018, when you can throw literally anything into a container and run it on a cloud instance that costs less than the shared hosting account did, the unique value proposition of PHP isn't as clear. Even as a first language: that crown has been taken by JavaScript.

Expertise arbitrage, though, irrespective of its substrate, is very real and very much a liability. This to me makes one's choice of stack more than just a matter of taste: it's an object of organizational design.

And if that isn't good enough, I can tell you from experience that banning PHP within your organization will eliminate aeons of monotonous tweezing out of Russian dick-pill spam. It's up to you.