PHP is a
server-side scripting language designed primarily for
web development but also used as a
general-purpose programming language. Originally created by
Rasmus Lerdorf in 1994,
[4] the PHP
reference implementation is now produced by The PHP Development Team.
[5] PHP originally stood for
Personal Home Page,
[4] but it now stands for the
recursive acronym PHP: Hypertext Preprocessor.
[6]
PHP code may be embedded into
HTML or HTML5
markup, or it can be used in combination with various
web template systems,
web content management systems and
web frameworks. PHP code is usually processed by a PHP
interpreter implemented as a
module in the web server or as a
Common Gateway Interface (CGI)
executable. The
web server
software combines the results of the interpreted and executed PHP code,
which may be any type of data, including images, with the generated
web page. PHP code may also be executed with a
command-line interface (CLI) and can be used to implement
standalone graphical applications.
[7]
The standard PHP interpreter, powered by the
Zend Engine, is
free software released under the
PHP License. PHP has been widely ported and can be deployed on most web servers on almost every
operating system and
platform, free of charge.
[8]
The PHP language evolved without a written
formal specification or standard until 2014, leaving the canonical PHP interpreter as a
de facto standard. Since 2014 work has gone on to create a formal PHP specification.
[9]
History
Early history
PHP development began in 1995 when
Rasmus Lerdorf wrote several
Common Gateway Interface (CGI) programs in C,
[10][11][12] which he used to maintain his
personal homepage. He extended them to work with
web forms and to communicate with
databases, and called this implementation "Personal Home Page/Forms Interpreter" or PHP/FI.
PHP/FI could help to build simple, dynamic
web applications. To accelerate
bug
reporting and to improve the code, Lerdorf initially announced the
release of PHP/FI as "Personal Home Page Tools (PHP Tools) version 1.0"
on the
Usenet discussion group
comp.infosystems.www.authoring.cgi on June 8, 1995.
[13][14] This release already had the basic functionality that PHP has as of 2013. This included
Perl-like variables, form handling, and the ability to embed HTML. The
syntax resembled that of Perl but was simpler, more limited and less consistent.
[5]
Lerdorf did not intend the early PHP to become a new programming
language, but it grew organically, with Lerdorf noting in retrospect: "I
don’t know how to stop it, there was never any intent to write a
programming language […] I have absolutely no idea how to write a
programming language, I just kept adding the next logical step on the
way."
[15] A development team began to form and, after months of work and
beta testing, officially released PHP/FI 2 in November 1997.
The fact that PHP lacked an original
overall design but instead developed organically has led to inconsistent
naming of functions and inconsistent ordering of their parameters.
[16] In some cases, the function names were chosen to match the lower-level libraries which PHP was "wrapping",
[17] while in some very early versions of PHP the length of the function names was used internally as a
hash function, so names were chosen to improve the distribution of hash values.
[18]
PHP 3 and 4
PHP 3.0 is the successor of PHP/FI 2.0
[19].
Zeev Suraski and
Andi Gutmans rewrote the
parser in 1997 and formed the base of PHP 3, changing the language's name to the
recursive acronym PHP: Hypertext Preprocessor.
[5][20] Afterwards, public testing of PHP 3 began, and the official launch came in June 1998
[21]. Suraski and Gutmans then started a new
rewrite of PHP's core, producing the
Zend Engine in 1999.
[22] They also founded
Zend Technologies in
Ramat Gan, Israel.
[5]
On May 22, 2000, PHP 4, powered by the Zend Engine 1.0, was released.
[5]
As of August 2008 this branch reached version 4.4.9. PHP 4 is no longer
under development nor will any security updates be released.
[23][24]
PHP 5
On July 13, 2004, PHP 5 was released, powered by the new Zend Engine II.
[5] PHP 5 included new features such as improved support for
object-oriented programming,
the PHP Data Objects (PDO) extension (which defines a lightweight and
consistent interface for accessing databases), and numerous performance
enhancements.
[25] In 2008 PHP 5 became the only stable version under development.
Late static binding had been missing from PHP and was added in version 5.3.
[26][27]
Many high-profile open-source projects ceased to support PHP 4 in new
code as of February 5, 2008, because of the GoPHP5 initiative,
[28] provided by a consortium of PHP developers promoting the transition from PHP 4 to PHP 5.
[29][30]
Over time, PHP interpreters became available on most existing
32-bit and
64-bit operating systems, either by building them from the PHP source code, or by using pre-built binaries.
[31] For the PHP versions 5.3 and 5.4, the only available
Microsoft Windows binary distributions were 32-bit
x86 builds,
[32][33] requiring Windows 32-bit compatibility mode while using
Internet Information Services (IIS) on a 64-bit Windows platform. PHP version 5.5 made the 64-bit
x86-64 builds available for Microsoft Windows.
[34]
PHP 6 and Unicode
PHP has received criticism due to lacking native
Unicode
support at the core language level, instead only supporting byte
strings. In 2005, a project headed by Andrei Zmievski was initiated to
bring native Unicode support throughout PHP, by embedding the
International Components for Unicode (ICU) library, and representing text strings as
UTF-16 internally.
[35]
Since this would cause major changes both to the internals of the
language and to user code, it was planned to release this as version 6.0
of the language, along with other major features then in development.
[36]
However, a shortage of developers who understood the necessary
changes, and performance problems arising from conversion to and from
UTF-16, which is rarely used in a web context, led to delays in the
project.
[37]
As a result, a PHP 5.3 release was created in 2009, with many
non-Unicode features back-ported from PHP 6, notably namespaces. In
March 2010, the project in its current form was officially abandoned,
and a PHP 5.4 release was prepared containing most remaining non-Unicode
features from PHP 6, such as traits and closure re-binding.
[38] Initial hopes were that a new plan would be formed for Unicode integration, but as of 2014 none had been adopted.
PHP 7
During
2014 and 2015, a new major PHP version was developed, which was
numbered PHP 7. The numbering of this version involved some debate.
[39]
While the PHP 6 Unicode experiment had never been released, several
articles and book titles referenced the PHP 6 name, which might have
caused confusion if a new release were to reuse the name.
[40] After a vote, the name PHP 7 was chosen.
[41]
The foundation of PHP 7 is a PHP
branch that was originally dubbed
PHP next generation (
phpng). It was authored by Dmitry Stogov, Xinchen Hui and Nikita Popov,
[42] and aimed to optimize PHP performance by refactoring the Zend Engine to use more compact
data structures with improved
cache locality while retaining near-complete language compatibility.
[43] As of 14 July 2014,
WordPress-based
benchmarks, which served as the main benchmark suite for the phpng
project, showed an almost 100% increase in performance. Changes from
phpng are also expected to make it easier to improve performance in the
future, as more compact data structures and other changes are seen as
better suited for a successful migration to a
just-in-time (JIT) compiler.
[44] Because of the significant changes, the reworked Zend Engine is called
Zend Engine 3, succeeding Zend Engine 2 used in PHP 5.
[45]
Because of major internal changes in phpng, it must receive a new
major version number of PHP, rather than a minor PHP 5 release, according to PHP's release process.
[46]
Major versions of PHP are allowed to break backward-compatibility of
code and therefore PHP 7 presented an opportunity for other improvements
beyond phpng that require backward-compatibility breaks, including
wider use of
exceptions,
[47][48] reworking variable syntax to be more consistent and complete,
[49] and the deprecation or removal of various legacy features.
[50][51]
PHP 7 also introduced new language features, including return type declarations for functions,
[52]
which complement the existing parameter type declarations, and support
for the scalar types (integer, float, string, and boolean) in parameter
and return type declarations.
[53]
Release history
Key
| Color |
Meaning |
Development |
| Red |
Old release |
No development |
| Yellow |
Stable release |
Security fixes |
| Green |
Stable release |
Bug and security fixes |
| Blue |
Future release |
New features |
| Version |
Latest[54] |
Release date |
Supported until[55] |
Notes |
| 1.0 |
1.0.8 |
8 June 1995 |
|
Officially called "Personal Home Page Tools (PHP Tools)". This is the first use of the name "PHP".[5] |
| 2.0 |
2.0.1 |
1 November 1997 |
|
Officially called "PHP/FI 2.0". This is the first release that could
actually be characterised as PHP, being a standalone language with many
features that have endured to the present day. |
| 3.0 |
3.0.18 |
6 June 1998 |
20 October 2000[55] |
Development moves from one person to multiple developers. Zeev Suraski and Andi Gutmans rewrite the base for this version.[5] |
| 4.0 |
4.0.6 |
22 May 2000 |
23 June 2001[55] |
Added more advanced two-stage parse/execute tag-parsing system called the Zend engine.[56] |
| 4.1 |
4.1.2 |
10 December 2001 |
12 March 2002[55] |
Introduced "superglobals" ($_GET, $_POST, $_SESSION, etc.)[56] |
| 4.2 |
4.2.3 |
22 April 2002 |
6 September 2002[55] |
Disabled register_globals by default. Data received over the network is not inserted directly into the global namespace anymore, closing possible security holes in applications.[56] |
| 4.3 |
4.3.11 |
27 December 2002 |
31 March 2005[55] |
Introduced the command-line interface (CLI), to supplement the CGI.[56][57] |
| 4.4 |
4.4.9 |
11 July 2005 |
7 August 2008[55] |
Fixed a memory corruption bug, which required breaking binary compatibility with extensions compiled against PHP version 4.3.x.[58] |
| 5.0 |
5.0.5 |
13 July 2004 |
5 September 2005[55] |
Zend Engine II with a new object model.[59] |
| 5.1 |
5.1.6 |
24 November 2005 |
24 August 2006[55] |
Performance improvements with introduction of compiler variables in re-engineered PHP Engine.[59] Added PHP Data Objects (PDO) as a consistent interface for accessing databases.[60] |
| 5.2 |
5.2.17 |
2 November 2006 |
6 January 2011[55] |
Enabled the filter extension by default. Native JSON support.[59] |
| 5.3 |
5.3.29 |
30 June 2009 |
14 August 2014[55] |
Namespace support; late static bindings, jump label (limited goto), closures, PHP archives (phar), garbage collection for circular references, improved Windows support, sqlite3, mysqlnd as a replacement for libmysql as underlying library for the extensions that work with MySQL, fileinfo as a replacement for mime_magic for better MIME support, the Internationalization extension, and deprecation of ereg extension. |
| 5.4 |
5.4.45 |
1 March 2012 |
3 September 2015[55] |
Trait support, short array syntax support. Removed items: register_globals, safe_mode, allow_call_time_pass_reference, session_register(), session_unregister() and session_is_registered(). Built-in web server.[61] Several improvements to existing features, performance and reduced memory requirements. |
| 5.5 |
5.5.38 |
20 June 2013 |
21 July 2016[55] |
Support for generators, finally blocks for exceptions handling, OpCache (based on Zend Optimizer+) bundled in official distribution.[62] |
| 5.6 |
5.6.32 |
28 August 2014 |
31 December 2018[63] |
Constant scalar expressions, variadic functions, argument unpacking, new exponentiation operator, extensions of the use statement for functions and constants, new phpdbg debugger as a SAPI module, and other smaller improvements.[64] |
| 6.x |
N/A |
Not released |
N/A |
Abandoned version of PHP that planned to include native Unicode support.[65][66] |
| 7.0 |
7.0.25 |
3 December 2015[2] |
3 December 2018[63] |
Zend Engine 3 (performance improvements[44] and 64-bit integer support on Windows[67]), uniform variable syntax,[49] AST-based compilation process,[68] added Closure::call(),[69] bitwise shift consistency across platforms,[70] ?? (null coalesce) operator,[71] Unicode codepoint escape sequence,[72] return type declarations,[52] scalar type (integer, float, string and boolean) declarations,[53] <=> "spaceship" three-way comparison operator,[73] generator delegation,[74] anonymous classes,[75] simpler and more consistently available CSPRNG API,[76] replacement of many remaining internal PHP "errors" with the more modern exceptions,[47] and shorthand syntax for importing multiple items from a namespace.[77] |
| 7.1 |
7.1.11 |
1 December 2016[78][79] |
1 December 2019[63] |
void return type,[80] class constant visibility modifiers,[81] nullable types,[82] iterable pseudo-type,[83] catching multiple exception types.[84] |
| 7.2 |
7.2.0 RC 5 |
30 November 2017[85] |
30 November 2020[63] |
|
Beginning on June 28, 2011, the PHP Group implemented a timeline for the release of new versions of PHP.
[46]
Under this system, at least one release should occur every month. Once
per year, a minor release should occur which may include new features.
Every minor release should at least be supported for two years with
security and bug fixes, followed by at least one year of only security
fixes, for a total of a three-year release process for every minor
release. No new features, unless small and self-contained, are to be
introduced into a minor release during the three-year release process.
Mascot
The elePHPant, PHP mascot.
The mascot of the PHP project is the
elePHPant, a blue
elephant with the PHP logo on its side, designed by Vincent Pontier
[86] in 1998.
[87] The elePHPant is sometimes differently colored when in
plush toy form.
Syntax
The following
"Hello, World!" program is written in PHP code embedded in an
HTML document:
<!DOCTYPE html>
<html>
<head>
<title>PHP Test</title>
</head>
<body>
<?php echo '<p>Hello World</p>'; ?>
</body>
</html>
However, as no requirement exists for PHP code to be embedded in HTML, the simplest version of
Hello World may be written like this, with the closing tag omitted as preferred in files containing pure PHP code
[88]
The PHP interpreter only executes PHP code within its
delimiters. Anything outside its delimiters is not processed by PHP, although non-PHP text is still subject to
control structures described in PHP code. The most common delimiters are
<?php to open and
?> to close PHP sections. The shortened form
<?
also exists. This short delimiter makes script files less portable,
since support for them can be disabled in the local PHP configuration
and it is therefore discouraged.
[89][90] However, there is no recommendation against the use of the echo short tag
<?=.
[91] Prior to PHP 5.4.0, this short syntax for
echo() only works with the
short_open_tag configuration setting enabled, while for PHP 5.4.0 and later it is always available.
[89][92][93] The purpose of all these delimiters is to separate PHP code from non-PHP content, such as
JavaScript code or HTML markup.
[94]
The first form of delimiters,
<?php and
?>, in
XHTML and other
XML documents, creates correctly formed XML processing instructions.
[95] This means that the resulting mixture of PHP code and other markup in the server-side file is itself well-formed XML.
Variables are prefixed with a
dollar symbol, and a
type does not need to be specified in advance. PHP 5 introduced
type hinting that allows functions to force their parameters to be objects of a specific class, arrays, interfaces or
callback functions. However, before PHP 7.0, type hints could not be used with scalar types such as integer or string.
[53]
Unlike function and class names, variable names are case sensitive. Both double-quoted ("") and
heredoc strings provide the ability to interpolate a variable's value into the string.
[96] PHP treats
newlines as
whitespace in the manner of a
free-form language, and statements are terminated by a semicolon.
[97] PHP has three types of
comment syntax:
/* */ marks block and inline comments;
// as well as
# are used for one-line comments.
[98] The
echo statement is one of several facilities PHP provides to output text,
e.g., to a web browser.
In terms of keywords and language syntax, PHP is similar to the C style syntax.
if conditions,
for and
while loops, and function returns are similar in syntax to languages such as C, C++, C#, Java and Perl.
The following is an example of PHP for loop:
<?php
for ($x = 0; $x <= 100; $x++) {
echo "The number is: $x <br>";
}
?>
Data types
PHP stores integers in a platform-dependent range, either a 64-bit or 32-bit
signed integer equivalent to the
C-language long type.
Unsigned integers are converted to signed values in certain situations;
this behavior is different from that of other programming languages.
[99] Integer variables can be assigned using decimal (positive and negative),
octal,
hexadecimal, and
binary notations.
Floating point numbers are also stored in a platform-specific range. They can be specified using floating point notation, or two forms of
scientific notation.
[100] PHP has a native
Boolean type that is similar to the native Boolean types in
Java and
C++. Using the Boolean type conversion rules, non-zero values are interpreted as true and zero as false, as in
Perl and C++.
[100]
The null data type represents a variable that has no value;
NULL is the only allowed value for this data type.
[100]
Variables of the "resource" type represent references to resources
from external sources. These are typically created by functions from a
particular extension, and can only be processed by functions from the
same extension; examples include file, image, and database resources.
[100]
Arrays can contain elements of any type that PHP can handle,
including resources, objects, and other arrays. Order is preserved in
lists of values and in
hashes with both keys and values, and the two can be intermingled.
[100] PHP also supports
strings, which can be used with single quotes, double quotes, nowdoc or
heredoc syntax.
[101]
The Standard PHP Library (SPL) attempts to solve standard problems and implements efficient data access interfaces and classes.
[102]
Functions
PHP
defines a large array of functions in the core language and many are
also available in various extensions; these functions are well
documented in the online PHP documentation.
[103] However, the built-in library has a wide variety of naming conventions and associated inconsistencies, as described under
history above.
Custom functions may be defined by the developer, e.g.:
function myAge($birthYear) { // defines a function, this one is named "myAge"
$yearsOld = date('Y') - $birthYear; // calculates the age
return $yearsOld . ' year' . ($yearsOld != 1 ? 's' : ''); // returns the age in a descriptive form
}
echo 'I am currently ' . myAge(1981) . ' old.'; // outputs the text concatenated
// with the return value of myAge()
// As the result of this syntax, myAge() is called.
In 2017, the output of the above sample program is 'I am currently 36 years old.'
In lieu of
function pointers,
functions in PHP can be referenced by a string containing their name.
In this manner, normal PHP functions can be used, for example, as
callbacks or within
function tables.
[104] User-defined functions may be created at any time without being
prototyped.
[103][104] Functions may be defined inside code blocks, permitting a
run-time decision as to whether or not a function should be defined. There is a
function_exists
function that determines whether a function with a given name has
already been defined. Function calls must use parentheses, with the
exception of zero-argument class
constructor functions called with the PHP operator
new, in which case parentheses are optional.
Until PHP 5.3, support for
anonymous functions and
closures did not exist in PHP. While
create_function() exists since PHP 4.0.1, it is merely a thin wrapper around
eval() that allows normal PHP functions to be created during program execution.
[105] PHP 5.3 added syntax to define an anonymous function or "closure"
[106] which can capture variables from the surrounding scope:
function getAdder($x) {
return function($y) use ($x) {
return $x + $y;
};
}
$adder = getAdder(8);
echo $adder(2); // prints "10"
In the example above,
getAdder() function creates a closure using passed argument
$x (the keyword
use imports a variable from the lexical context), which takes an additional argument
$y,
and returns the created closure to the caller. Such a function is a
first-class object, meaning that it can be stored in a variable, passed
as a parameter to other functions, etc.
[107]
Unusually for a dynamically typed language, PHP supports type
declarations on function parameters, which are enforced at runtime. This
has been supported for classes and interfaces since PHP 5.0, for arrays
since PHP 5.1, for
"callables" since PHP 5.4, and scalar (integer, float, string and boolean) types since PHP 7.0.
[53]
PHP 7.0 also has type declarations for function return types, expressed
by placing the type name after the list of parameters, preceded by a
colon.
[52] For example, the
getAdder function from the earlier example could be annotated with types like so in PHP 7:
function getAdder(int $x): \Closure {
return function(int $y) use ($x) : int {
return $x + $y;
};
}
$adder = getAdder(8);
echo $adder(2); // prints "10"
echo $adder(null); // throws an exception because an incorrect type was passed
$adder = getAdder([]); // would also throw an exception
By default, scalar type declarations follow weak typing principles. So, for example, if a parameter's type is
int,
PHP would allow not only integers, but also convertible numeric
strings, floats or booleans to be passed to that function, and would
convert them.
[53]
However, PHP 7 has a "strict typing" mode which, when used, disallows
such conversions for function calls and returns within a file.
[53]
Object-oriented programming
Basic
object-oriented programming functionality was added in PHP 3 and improved in PHP 4.
[5]
This allowed for PHP to gain further abstraction, making creative tasks
easier for programmers using the language. Object handling was
completely rewritten for PHP 5, expanding the feature set and enhancing
performance.
[108] In previous versions of PHP, objects were handled like
value types.
[108]
The drawback of this method was that code had to make heavy use of
PHP's "reference" variables if it wanted to modify an object it was
passed rather than creating a copy of it. In the new approach, objects
are referenced by
handle, and not by value.
PHP 5 introduced private and protected
member variables and methods, along with
abstract classes,
final classes,
abstract methods, and
final methods. It also introduced a standard way of declaring
constructors and
destructors, similar to that of other object-oriented languages such as
C++, and a standard
exception handling model. Furthermore, PHP 5 added
interfaces
and allowed for multiple interfaces to be implemented. There are
special interfaces that allow objects to interact with the runtime
system.
Objects implementing ArrayAccess can be used with
array syntax and objects implementing
Iterator or
IteratorAggregate can be used with the
foreach language construct. There is no
virtual table feature in the engine, so
static variables are bound with a name instead of a reference at compile time.
[109]
If the developer creates a copy of an object using the reserved word
clone, the Zend engine will check whether a
__clone() method has been defined. If not, it will call a default
__clone() which will copy the object's properties. If a
__clone()
method is defined, then it will be responsible for setting the
necessary properties in the created object. For convenience, the engine
will supply a function that imports the properties of the source object,
so the programmer can start with a by-value
replica of the source object and only override properties that need to be changed.
[110]
The following is a basic example of
object-oriented programming in PHP:
class Person
{
public $firstName;
public $lastName;
public function __construct(string $firstName, string $lastName = '') { // optional second argument
$this->firstName = $firstName;
$this->lastName = $lastName;
}
public function greet(): string {
return 'Hello, my name is ' . $this->firstName .
(($this->lastName != '') ? (' ' . $this->lastName) : '') . '.';
}
public static function staticGreet(string $firstName, string $lastName) {
return 'Hello, my name is ' . $firstName . ' ' . $lastName . '.';
}
}
$he = new Person('John', 'Smith');
$she = new Person('Sally', 'Davis');
$other = new Person('iAmine');
echo $he->greet(); // prints "Hello, my name is John Smith."
echo '<br />';
echo $she->greet(); // prints "Hello, my name is Sally Davis."
echo '<br />';
echo $other->greet(); // prints "Hello, my name is iAmine."
echo '<br />';
echo Person::staticGreet('Jane', 'Doe'); // prints "Hello, my name is Jane Doe."
The
visibility of PHP properties and methods is defined using the
keywords public,
private, and
protected. The default is public, if only
var is used;
var is a synonym for
public. Items declared
public can be accessed everywhere.
protected limits access to
inherited classes (and to the class that defines the item).
private limits visibility only to the class that defines the item.
[111]
Objects of the same type have access to each other's private and
protected members even though they are not the same instance. PHP's
member visibility features have sometimes been described as "highly
useful."
[112] However, they have also sometimes been described as "at best irrelevant and at worst positively harmful."
[113]
Implementations
The original, only complete and most widely used PHP implementation is powered by the
Zend Engine
and known simply as PHP. To disambiguate it from other implementations,
it is sometimes unofficially referred to as "Zend PHP". The Zend Engine
compiles PHP
source code on-the-fly into an internal format that it can execute, thus it works as an
interpreter.
[114][115]
It is also the "reference implementation" of PHP, as PHP has no formal
specification, and so the semantics of Zend PHP define the semantics of
PHP itself. Due to the complex and nuanced semantics of PHP, defined by
how Zend works, it is difficult for competing implementations to offer
complete compatibility.
PHP's single-request-per-script-execution model, and the fact that
the Zend Engine is an interpreter, leads to inefficiency; as a result,
various products have been developed to help improve PHP performance. In
order to speed up execution time and not have to compile the PHP source
code every time the web page is accessed, PHP scripts can also be
deployed in the PHP engine's internal format by using an
opcode cache, which works by
caching the compiled form of a PHP script (opcodes) in
shared memory to avoid the overhead of
parsing and
compiling the code every time the script runs. An opcode cache,
Zend Opcache, is built into PHP since version 5.5.
[116] Another example of a widely used opcode cache is the
Alternative PHP Cache (APC), which is available as a
PECL extension.
[117]
While Zend PHP is still the most popular implementation, several other implementations have been developed. Some of these are
compilers or support
JIT compilation,
and hence offer performance benefits over Zend PHP at the expense of
lacking full PHP compatibility. Alternative implementations include the
following:
- HipHop Virtual Machine
(HHVM) – developed at Facebook and available as open source, it
converts PHP code into a high-level bytecode (commonly known as an intermediate language), which is then translated into x86-64 machine code dynamically at runtime by a just-in-time (JIT) compiler, resulting in up to 6× performance improvements.[118]
- Parrot – a virtual machine designed to run dynamic languages efficiently; Pipp transforms the PHP source code into the Parrot intermediate representation, which is then translated into the Parrot's bytecode and executed by the virtual machine.
- Phalanger – compiles PHP into Common Intermediate Language (CIL) bytecode
- HipHop – developed at Facebook and available as open source, it transforms the PHP scripts into C++
code and then compiles the resulting code, reducing the server load up
to 50%. In early 2013, Facebook deprecated it in favor of HHVM due to
multiple reasons, including deployment difficulties and lack of support
for the whole PHP language, including the
create_function() and eval() constructs.[119]
Licensing
PHP is
free software released under the
PHP License, which stipulates that:
[120]
Products derived from this software may not be called "PHP", nor may
"PHP" appear in their name, without prior written permission from
group@php.net. You may indicate that your software works in conjunction
with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo".
This restriction on use of "PHP" makes the PHP License incompatible with the
General Public License (GPL), while the Zend License is incompatible due to an advertising clause similar to that of the original
BSD license.
[121]
Development and community
PHP includes various
free and open-source libraries in its source distribution, or uses them in resulting PHP binary builds. PHP is fundamentally an
Internet-aware system with built-in modules for accessing
File Transfer Protocol (FTP) servers and many database servers, including
PostgreSQL,
MySQL,
Microsoft SQL Server and
SQLite (which is an embedded database),
LDAP servers, and others. Numerous functions familiar to C programmers, such as those in the
stdio family, are available in standard PHP builds.
[122]
PHP allows developers to write
extensions in
C
to add functionality to the PHP language. PHP extensions can be
compiled statically into PHP or loaded dynamically at runtime. Numerous
extensions have been written to add support for the
Windows API, process management on
Unix-like operating systems, multibyte strings (
Unicode),
cURL, and several popular
compression formats. Other PHP features made available through extensions include integration with
IRC, dynamic generation of images and
Adobe Flash content,
PHP Data Objects (PDO) as an abstraction layer used for accessing databases,
[123][124][125][126][127][128][129] and even
speech synthesis. Some of the language's core functions, such as those dealing with strings and arrays, are also implemented as extensions.
[130] The
PHP Extension Community Library (PECL) project is a repository for extensions to the PHP language.
[131]
Some other projects, such as
Zephir, provide the ability for
PHP extensions to be created in a high-level language and compiled into
native PHP extensions. Such an approach, instead of writing PHP
extensions directly in C, simplifies the development of extensions and
reduces the time required for programming and testing.
[132]
The PHP Group consists of ten people (as of 2015):
Thies C. Arntzen,
Stig Bakken,
Shane Caraveo,
Andi Gutmans,
Rasmus Lerdorf,
Sam Ruby,
Sascha Schumann,
Zeev Suraski,
Jim Winstead,
Andrei Zmievski.
[133]
Zend Technologies provides a
PHP Certification based on PHP 5.5
[134] exam for programmers to become certified PHP developers.
Installation and configuration
There
are two primary ways for adding support for PHP to a web server – as a
native web server module, or as a CGI executable. PHP has a direct
module interface called
Server Application Programming Interface (SAPI), which is supported by many web servers including
Apache HTTP Server,
Microsoft IIS,
Netscape (now defunct) and
iPlanet. Some other web servers, such as OmniHTTPd, support the
Internet Server Application Programming Interface (ISAPI), which is a
Microsoft's web server module interface. If PHP has no module support for a web server, it can always be used as a
Common Gateway Interface (CGI) or
FastCGI processor; in that case, the web server is configured to use PHP's CGI executable to process all requests to PHP files.
[135]
PHP-FPM (FastCGI Process Manager) is an alternative FastCGI
implementation for PHP, bundled with the official PHP distribution since
version 5.3.3.
[136]
When compared to the older FastCGI implementation, it contains some
additional features, mostly useful for heavily loaded web servers.
[137]
When using PHP for command-line scripting, a PHP
command-line interface (CLI) executable is needed. PHP supports a CLI SAPI as of PHP 4.3.0.
[138] The main focus of this SAPI is developing
shell
applications using PHP. There are quite a few differences between the
CLI SAPI and other SAPIs, although they do share many of the same
behaviors.
[139]
PHP has a direct module interface called SAPI for different web servers;
[140] in case of PHP 5 and Apache 2.0 on Windows, it is provided in form of a
DLL file called
php5apache2.dll,
[141]
which is a module that, among other functions, provides an interface
between PHP and the web server, implemented in a form that the server
understands. This form is what is known as a SAPI.
There are different kinds of SAPIs for various web server extensions.
For example, in addition to those listed above, other SAPIs for the PHP
language include the
Common Gateway Interface (CGI) and
command-line interface (CLI).
[140][142]
PHP can also be used for writing desktop
graphical user interface (GUI) applications, by using the
PHP-GTK extension. PHP-GTK is not included in the official PHP distribution,
[135]
and as an extension it can be used only with PHP versions 5.1.0 and
newer. The most common way of installing PHP-GTK is compiling it from
the source code.
[143]
When PHP is installed and used in
cloud environments,
software development kits (SDKs) are provided for using cloud-specific features. For example:
Numerous configuration options are supported, affecting both core PHP features and extensions.
[146][147] Configuration file
php.ini is searched for in different locations, depending on the way PHP is used.
[148] The configuration file is split into various sections,
[149] while some of the configuration options can be also set within the web server configuration.
[150]
Use
A broad overview of the LAMP software bundle, displayed here together with
Squid.
PHP is a general-purpose scripting language that is especially suited to
server-side web development, in which case PHP generally runs on a
web server. Any PHP code in a requested file is
executed by the PHP runtime, usually to create
dynamic web page content or dynamic images used on websites or elsewhere.
[151] It can also be used for
command-line scripting and
client-side graphical user interface (GUI) applications. PHP can be deployed on most web servers, many
operating systems and
platforms, and can be used with many
relational database management systems (RDBMS). Most
web hosting
providers support PHP for use by their clients. It is available free of
charge, and the PHP Group provides the complete source code for users
to build, customize and extend for their own use.
[8]
PHP acts primarily as a
filter,
[152]
taking input from a file or stream containing text and/or PHP
instructions and outputting another stream of data. Most commonly the
output will be HTML, although it could be
JSON,
XML or
binary data such as image or audio formats. Since PHP 4, the PHP
parser compiles input to produce
bytecode for processing by the
Zend Engine, giving improved performance over its
interpreter predecessor.
[153]
Originally designed to create dynamic
web pages, PHP now focuses mainly on
server-side scripting,
[154] and it is similar to other server-side scripting languages that provide dynamic content from a web server to a
client, such as
Microsoft's Classic ASP,
Sun Microsystems'
JavaServer Pages,
[155] and
mod_perl. PHP has also attracted the development of many
software frameworks that provide building blocks and a design structure to promote
rapid application development (RAD). Some of these include
PRADO,
CakePHP,
Symfony,
CodeIgniter,
Laravel,
Yii Framework,
Phalcon and
Zend Framework, offering features similar to other
web frameworks.
The
LAMP architecture has become popular in the web industry as a way of deploying web applications.
[156] PHP is commonly used as the
P in this bundle alongside
Linux,
Apache and
MySQL, although the
P may also refer to
Python,
Perl, or some mix of the three. Similar packages,
WAMP and
MAMP, are also available for
Windows and
macOS,
with the first letter standing for the respective operating system.
Although both PHP and Apache are provided as part of the macOS base
install, users of these packages seek a simpler installation mechanism
that can be more easily kept up to date.
As of April 2007, over 20 million Internet domains had web services hosted on servers with PHP installed and
mod_php was recorded as the most popular
Apache HTTP Server module.
[157] As of May 2017, PHP was used as the server-side programming language on 83% of 10 million most popular websites.
[158] Web content management systems written in PHP include
MediaWiki,
[159] Joomla,
[160] eZ Publish,
eZ Platform,
SilverStripe,
[161] WordPress,
[162] Drupal,
[163] and
Moodle.
[164] Websites written in PHP, in
back-end and/or user-facing portion, include
Facebook,
[165] Digg,
[166] Tumblr,
[167] Dailymotion,
[168] and
Slack.
[169]
For specific and more advanced usage scenarios, PHP offers a well defined and documented way for writing custom extensions in
C or
C++.
[170][171][172][173][174][175][176] Besides extending the language itself in form of additional
libraries,
extensions are providing a way for improving execution speed where it
is critical and there is room for improvements by using a true
compiled language.
[177][178]
PHP also offers well defined ways for embedding itself into other
software projects. That way PHP can be easily used as an internal
scripting language for another project, also providing tight interfacing with the project's specific internal
data structures.
[179]
PHP received mixed reviews due to lacking support for
multithreading at the core language level,
[180] though using threads is made possible by the "pthreads"
PECL extension.
[181][182]
As of January 2013, PHP was used in more than 240 million
websites (39% of those sampled) and was installed on 2.1 million
web servers.
[183]
Security
In 2013, 9% of all vulnerabilities listed by the
National Vulnerability Database were linked to PHP;
[184]
historically, about 30% of all vulnerabilities listed since 1996 in
this database are linked to PHP. Technical security flaws of the
language itself or of its core libraries are not frequent (these
numbered 22 in 2009, which was about 1% of the total, although PHP
applies to about 20% of programs listed.)
[185] Recognizing that programmers make mistakes, some languages include
taint checking to automatically detect the lack of
input validation which induces many issues. Such a feature is being developed for PHP,
[186] but its inclusion into a release has been rejected several times in the past.
[187][188]
There are advanced protection patches, such as
Suhosin and
Hardening-Patch, that are especially designed for web hosting environments,
[189] primarily due to these environments being seen as places where carelessly written code may run.
There are certain language features and configuration parameters
(primarily the default values for such runtime settings) that make PHP
applications prone to security issues. Among these,
magic_quotes_gpc and
register_globals[190]
configuration directives are the best known; the latter made any URL
parameters become PHP variables, opening a path for serious security
vulnerabilities by allowing an attacker to set the value of any
uninitialized global variable and interfere with the execution of a PHP
script. Support for "
magic quotes" and "register globals" has been deprecated as of PHP 5.3.0, and removed as of PHP 5.4.0.
[191]
Another example for the runtime settings vulnerability comes from failing to disable PHP execution (via
engine configuration directive)
[192]
for the directory where uploaded images are stored; leaving the default
settings can result in execution of malicious PHP code embedded within
the uploaded images.
[193][194][195] Also, leaving enabled the dynamic loading of PHP extensions (via
enable_dl configuration directive)
[196] in a
shared web hosting environment can lead to security issues.
[197][198]
Also, implied
type conversions
that result in incompatible values being treated as identical against
the programmer's intent can lead to security issues. For example, the
result of the comparison
"0e1234" == "0" comparison is
true because the first compared value is treated as
scientific notation having the value (
0×101234), i.e.
zero. This feature resulted in authentication vulnerabilities in
Simple Machines Forum,
[199] Typo3[200] and
phpBB[201] when
MD5 password hashes were compared. Instead, either the function
strcmp or the identity operator (
===) should be used;
"0e1234" === "0" results in
false.
[202]
In a 2013 analysis of over 170,000
website defacements, published by
Zone-H, the most frequently (53%) used technique was exploitation of
file inclusion vulnerability, mostly related to insecure usage of the PHP functions
include,
require, and
allow_url_fopen.
[203][204]
Criticism
Despite being a programming language that powers 80% of the web
[205],
PHP has faced a lots of criticism. PHP has been criticized the many
reasons, the most common reasons have always been not being strictly
type caste and lacking high scalability. Many languages have been
predicted to replace PHP in past but user base of PHP is still
considerably large as in 2017. Despite all the criticism PHP has
outlived the expectation of many
[206] and is used by some of the most famous CMS like
Wordpress and frameworks like
Laravel.
The reason for this is considered regular developments that have been
done in PHP that have matured PHP as a programming language to be very
easy to design, develop & deploy.
