DEV Community

PHP vs Node?

Muhammad on August 04, 2019

I have done quite many projects with clients in PHP, but now I have moved away from PHP to Node. I would like to know what do you guys have to say...
 
Rémy 🤖

PHP lets you create bugs and security issues super easily. The only consistent thing about PHP is its inconsistency. It is so bad that Facebook created Hack to make it usable. The only powerful thing about PHP is that it's Turing-complete, but hey so is brainfuck.

That summarily covers my opinion of PHP.

Matthieu Rolland • Edited

You can create bugs and security issues super easily with nodejs too.

In modern backend environments php is not used naked anyway, most of the time your framework will be based on secure and field tested components (mostly coming from Symfony). Laravel is based on symfony for example, you can also very easily create your own custom and secure framework using symfony components.

I would say that PHP is still quite valid as a backend OOP programming language. Especially with PHP 7.

NodeJS can replace php for the best in many areas where php used to be chosen by default, for a lack of better alternative, but that doesn't make php irrelevant. Not everything needs to be a micro service, and many projects use both php and NodeJS.

🇨🇵️ Nathan Graule

PHP is uniquely bad in that the people behind it continuously make bad choices in designing the language. T_PAAMAYIM_NEKUDOTAYIM has existed since PHP 3 and is still visible as part of parsing errors today. It should be renamed T_DOUBLE_COLON but somehow still hasn't been, and the manual entry makes it seem like it's a cute and quirky feature of the language. Oh look! You have to know a very specific subset of Hebrew to work your way around the code!

php.net/manual/en/language.oop5.pa...

PHP doesn't abort execution and show a 500 on error. No. Instead it just sends the half-finished page with an error at the top that is guaranteed to break the page.

PHP wasn't designed with you running a server process, and any framework that tries to use PHP this way undermines itself completely by having to spend 98% of its development time working against the fact that they're trying to run a modern 3D game on top of SNES-like architecture. PHP was made to be the OG serverless language, running per-requests instead of as a daemon process. But even that very core feature of PHP was butchered.

No attempt has been made to standardize the signatures of standard library functions. Sometimes snake_case, sometimes pascalCase, sometimes nocase, sometimes the verb is first, sometimes the noun is - and for array functions, sometimes the array goes in first, and sometimes last!

PHP is the only language with a configuration file assigned to it. Not a list of language features to turn on/off, no. Configuration that will change the way the language works. Which means you can't take the code from one server to the next and expect things to work. You also have to take into account the configuration of PHP itself.

While JavaScript has its share of "wat"s itself, comparison in PHP, and more generally type coercion in PHP is a PITA, and that's a huge euphemism. Oh, and while JavaScript's == is weird but understandable, PHP's ==, oh boy...

These aren't usage errors, where the developer wrongly assumes something about the code itself and unexpected behavior emerges. These are weirdness coming from the language itself, which makes it extra hard to wrap your head around how to use the language itself, and as a result makes you more prone to errors.

Finally, someone will say "oh but language X or Y also has these quirky features". Oh it's okay then, some other language is weird in this aspect, therefore it's okay to put it in PHP. Therefore PHP really is Frankenstein's Monster of programming languages.

Rémy 🤖

Oh yes. That and more.

On a sidenote I thought that T_PAAMAYIM_NEKUDOTAYIM was fixed in recent versions but it seems that it was actually not. 🤦

I'm surprised there are no other languages in the error messages though

Muhammad

Yes, I really felt that NodeJS can replace PHP. I have had failovers in PHP where my website was attacked and stuff, but as far as NodeJS is going, it's going pretty smooth. But because I came from PHP, I really find that PHP is a good language to start with in making good programming concepts.

Herbert Verdida • Edited

Your comment reminds me of these words from Rasmus, I quote "PHP is perfectly consistent, just not in the way you expect".

Matthieu Rolland

I would be curious to know the details of this security issue you spent hours on, and why the same mistakes couldn't have been made in NodeJS.

In other words, are you judging php because of the poor quality code that was written by the community years ago?

How many popular npm packages have been known for having major security issues?

Rémy 🤖

In short,

<?php

require($_GET['template_name']);

Of course that was hidden over several layers of call stack so it was not so obvious, and the hours were mostly spent making an assessment of the server to know if anybody used it.

I'm not particularly a fan of NodeJS but it's just that this kind of mistake is super-easy to make in PHP despite all the goodwill of frameworks.

My problem with PHP is that the PRNG is unsafe, the way weak typing works is unsafe, the absence of unicode handling is unsafe, the fact that PHP is a templating language is unsafe, the silent failures are unsafe, ... Everything in PHP is unsafe.

It's just an example within an ocean but let's compare JS and PHP on weak typing.

if (0 == "bonjour") {
    // Will be reached in PHP but not in JS
}

By converting strings to integers and not the opposite, the typing system removes information and possibly creates security issues (this specific thing was used in phpBB to become administrator by modifying your session ID).

Of course you can ban == in your code but what about dependencies? What about some things in the standard library which will keep on doing == instead of === because it's more within the philosophy of PHP?

Of course NPM is not perfect and there are tons of flaws in it but the fact is that PHP is fucking terrifying.
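Added example (not part of the comment above, and not code from any project named in the thread): the require($_GET['template_name']) pattern replaced by an allowlist lookup that also logs rejected values, so a later server assessment has something to search. The names resolve_template, TEMPLATE_DIR and TEMPLATES and the template files are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed allowlist: public template name => file inside TEMPLATE_DIR.
const TEMPLATE_DIR = __DIR__ . '/templates';
const TEMPLATES = [
    'home'    => 'home.php',
    'profile' => 'profile.php',
];

/**
 * Hypothetical helper: map a request value to an absolute template path.
 * Returns null for anything that is not a known template name.
 */
function resolve_template($requested): ?string
{
    // Query parameters can arrive as arrays (?template_name[]=x): strings only.
    if (!is_string($requested) || !array_key_exists($requested, TEMPLATES)) {
        // Record the rejected value so probing shows up in the error log.
        error_log('rejected template_name: ' . json_encode($requested));
        return null;
    }

    // The file name comes from the allowlist, never from the request.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file missing on disk
    }

    // Defence in depth: the resolved file must live under TEMPLATE_DIR,
    // even if someone later edits the allowlist carelessly.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_template($_GET['template_name'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit('Unknown template');
}
require $path;
```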

Matthieu Rolland

JavaScript has numerous similar oddities, that could lead to unwanted behaviour when the code is written by someone who doesn't know the language:

medium.com/@daffl/javascript-the-w...

In what language is it a good practice to compare a string to 0 in order to prove that it's empty or null anyway?

I agree that PHP is weakly typed, but the main issue here is the developer. I work with PHP developers and no one writes this kind of code.

PHP's reputation is mainly due to the fact that in the past many php softwares were written by script kiddies. People I hear dismissing PHP as a whole have no experience of modern PHP development.

Rémy 🤖

JS is a good comparison because it's a really strong amateur language as well. And I'm not saying that it has no issues but rather that PHP makes very dangerous things very easy to do.

Of course, PHP improved a lot and many low-hanging fruits have been fixed. However let's have a look at this security issue from phpBB back in 2005. Yes it's old and yes a linter would fix it. But if someone wrote that code today the issue would still be there.

If you take the code, it goes like this (in short):

$sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();

$auto_login_key = $userdata['user_password'];

if( $sessiondata['autologinid'] == $auto_login_key )
{
    // You're admin
}

So yes the stripslashes() is a funny reminder of a time that is actually over since PHP managed to get rid of magic_quotes_gpc but that's not the point.

Some raw data from the user goes through unserialize(). Which means that $sessiondata['autologinid'] is of any type that the user deems. On the other hand, $auto_login_key is a string.

To answer your question, who would compare 0 to a string? Well, some hacker using unforeseen side-effects in some code that looks very reasonable otherwise. Putting 0 in autologinid is equivalent to writing:

// Before implicit cast
if( 0 == "somekey" )

// After implicit cast
if ( 0 == 0 )

You're going to tell me that now we have JSON and frameworks and many wonders that help us not do this kind of things. But if you never saw a junior write a $_GET in some Laravel/Symfony code then you have not been looking. And the same goes for all protections brought by these frameworks, they are just too easy to bypass.

Now to be honest I don't like PHP and I don't like JS (especially on the back-end) so that's really more of an anti-PHP argument than a pro-Node one.
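Added example (not part of the comment above and not phpBB's code): the loose comparison from the snippet in that comment next to a check that fixes the type before comparing. The function names, the JSON cookie format and the sample key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// The pattern from the thread, reduced to its core: a value whose type the
// client controls is compared to a stored string with the loose operator.
function autologin_loose($cookieValue, string $storedKey): bool
{
    return $cookieValue == $storedKey;
}

// Hardened variant (hypothetical): decode a data-only format instead of
// unserialize(), insist on a non-empty string, compare in constant time.
function autologin_strict(string $rawCookie, string $storedKey): bool
{
    $data = json_decode($rawCookie, true);
    if (!is_array($data)) {
        return false; // malformed cookie, or not a JSON object
    }
    $candidate = $data['autologinid'] ?? null;
    if (!is_string($candidate) || $candidate === '') {
        return false; // integers, booleans, arrays and null never reach the compare
    }
    // hash_equals() compares two strings only and does no type juggling.
    return hash_equals($storedKey, $candidate);
}

// Constructed sample values.
$stored      = 'constructed-stored-key';
$intCookie   = json_encode(['autologinid' => 0]);
$validCookie = json_encode(['autologinid' => $stored]);

echo 'PHP ', PHP_VERSION, PHP_EOL;
echo 'loose,  integer 0:    ', var_export(autologin_loose(0, $stored), true), PHP_EOL;
echo 'strict, integer 0:    ', var_export(autologin_strict($intCookie, $stored), true), PHP_EOL;
echo 'strict, matching key: ', var_export(autologin_strict($validCookie, $stored), true), PHP_EOL;
```

The loose result depends on the interpreter: PHP 8.0 changed how a number is compared with a non-numeric string, while the strict check behaves the same on every version because the type is fixed before any comparison happens.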

Boris Jamot ✊ /

PHP is not for beginners, it's true. All people I know that agree with you don't know PHP.

It requires a strong tooling to be effective and be confident with your code. But it's still a valuable choice for backend apps.

Rémy 🤖

PHP was actually helpful when I was a beginner in 2003 but actually better options came out and kind of exposed the fact that PHP will encourage dangerous behaviors. In fact, I can specifically thank phpBB for teaching me all the common security mistakes you can imagine.

Last week I spent hours fixing potential remote code execution issues in a very popular piece of PHP and that makes me very sad. Because this kind of problem is VERY easy to have.

Of course you can artificially throw away 3/4 of the language and base everything upon more or less decent community-built tools while praying that none of your juniors will create a colossal hole in your code but knowing the alternatives that's really not the choice I'd make.

Boris Jamot ✊ / • Edited

As I said, it's definitely not for juniors. As an experienced PHP developer, I'm responsible for delivering safe apps with secured Apache configuration, built with clean code and tested in a pipeline. It's more difficult in PHP than in any other language, but I learnt so much more than if I had chosen the last all-in-one ready-to-go JS framework.
But if I had to choose a programming language to start my career today, it wouldn't be PHP.

André Jacques

I found it interesting how people bash on PHP and don't seem to realize they bash on not even the wrongest part of the language. I worked a lot with PHP, from 5 and a little with 7. PHP is a One to One prototype from the underlying C library, making it as consistent as C and C++. Here is a video that explains why: youtube.com/watch?v=wCZ5TJCBWMg. In summary, PHP came at the right place at the right time and grew at the right pace, leaving behind inter-module consistency.

It also explains that yes, PHP was not and is not the fastest, but their strategy at the time was way better than faster and more "thoroughly thought" languages like Perl and Python. And please, Javascript has been developed in such a hurry that it is way more of a mess than PHP (in my opinion).

And I never used it, but I thought HipHop from Facebook was a PHP compiler (don't know about Hack!).

What is the worst part of PHP for me:

  • weak/strong comparator (such as == or ===) ;
  • method overloading only possible using arrays ;
  • the way it implies if something is a string or a number or whatever ;
  • the memory footprint (at least with 5) ;

So for me, any loosely typed language makes it easier to create bugs. In such a case, there are always linters.

Rémy 🤖

I mostly agree with you! My main point would be: why keep on working on Frankenstein while there are so many straightforward alternatives.

For the record, in 2010 I strongly stepped in favor of PHP for my projects, but things changed so that PHP doesn't make sense anymore (in my opinion, everyone thinks whatever they want)

André Jacques

That is exactly why I left the Web for Embedded system. I don't know for you, but I was a little tired of doing the same thing over and over again (CRUD stuff). Challenges in Web development, IMHO, is not in the code anymore but in the infrastructure.

Dealing with the 5 desktop browsers, the 18 mobile device formats (plus many browsers) was for me the bigger pain. It has been 2 years since I didn't do any web development per se, so maybe it got better.

All the Web is "hurried development" such as PHP, Javascript and "hey look a new device lets put a browser in it!" (like a refrigerator O_o). Browser version comes out every what, 3-4 weeks. This is pure madness.

C and C++ are not perfect, but at least when I work on an STM32 there is only one place my code will run, for one purpose. And I came to realize that embedded system, even though challenging and low-level, can bring high-value quickly to a device.

CharlesNjau

With a clear and valid example, please illustrate your point, because it seems to me that bugs can be introduced regardless of the language used. Unless there is another valid point, please state it and produce a valid example.

Gijo Varghese

Nice joke

Christopher Miles • Edited

I think it's interesting that we haven't mentioned that PHP (typically) runs in the context of a larger web server, and that NodeJS does not. In my experience Node applications typically provide a web server (like Express) and are then proxied through a webserver that serves a larger site, like Nginx or Apache.

Perhaps this is why we see many Node applications outside of a web server (command line tools, console utilities, etc.) and rarely see PHP being used for much aside from websites.

I'm not sure that NodeJS is all that much faster than PHP. While I suspect that NodeJS code might be faster at certain tasks, I suspect that PHP will be more performant in general.

Vico

I have this problem that remains unsolved until now. There is mod-php in Apache to manage PHP, but I don't know how to handle Node serving like mod-php in Apache does. Do you have any suggestions?
For now I create incrementing ports from 3000 to 300X and then proxy them to port 80 on Apache (on my server there are multiple Node servers running proxied to Apache), and I think it's not effective.

Muhammad

I think for Node, I would consider PM2.

It's a process manager for Node.

PM2 Process Manager

pm2 start your_app.js -i max

This will auto-detect whatever number of CPUs you have and will manage it in accordance with it. You can customize it, but you've got to refer to the docs.

I think from PHP to Node was a hard shift, but now I see it's not that hard, it's like the best of both worlds, I suppose.

Vico • Edited

Thank you for the explanation, do you have an idea for handling the port?

Muhammad

I think if you start it with a your.json file, you could kinda hack around like this.

pm2 start your_file.json

your_file.json

{
  "apps": [
    {
      "exec_mode": "fork_mode",
      "script": "path/to/app.js",
      "name": "myfirstapp",
      "env": {
        "PORT": 3000,
        "NODE_ENV": "production"
      },
      "error_file": "path/to/error.log",
      "out_file": "path/to/output.log"
    },
    {
      "exec_mode": "fork_mode",
      "script": "path/to/app.js",
      "name": "mysecondapp",
      "env": {
        "PORT": 3001,
        "NODE_ENV": "production"
      },
      "error_file": "path/to/error.log",
      "out_file": "path/to/output.log"
    }
  ]
}

Let me know, what you find.

Vico

Oh I see, that was a great idea. Thank you!

Matas Lesinskas

Gosh. I would pick PHP at any time of day. Node.js isn't made for large projects...
Those who think PHP is trash and insecure are just stupid and never learned how to work with PHP or any other server-side language.
Good luck with a JS back end, lol.
I can't read this comment section...

Marcus S. Abildskov • Edited

Nodejs isn't made for large projects? Who are you kidding?
You just sound like my colleague who's afraid to learn something new because it goes beyond your area of expertise.
There's a reason mostly every company moves from PHP to Nodejs or .NET.
TS + Node is far superior than PHP.
github.com/nestjs/nest

Matas Lesinskas

Btw I have basics with node.js socket.io and I am quite good at .NET. I wrote a realtime POS system on it, but I would not use Node where I don't need it (I mean execute-and-exit process software).

CharlesNjau

Thank you very much for highlighting this

Joe Beretta

A week ago I started learning Node and I feel myself in my plate). First step was ExpressJs. It's cool tool, but Restify is better for me. In my opinion, Node is better for me (Cause I've moved to backend from frontend and it was not painful)

Karl N. Redman

PHP and Node attempt to solve the same problem from different points of view. PHP considers the server-first perspective while node considers the client-first perspective (generally speaking). Node has the advantage of having a larger common (COMMON) user base and the disadvantage of being a bigger target for abuse. PHP libs have been around a long time and are less likely to have new hacks against them but have a history of exploits because of managing applications.

Before I get flamed! ....

I agree that anything you want to do in PHP is also possible via Node. JavaScript is simply more popular in hiring circles etc. PHP is considered a downtrend technology because of its limitations relative to (server side) Python, etc. IMHO PHP's perceived limitations don't make it better or worse than JavaScript - just different.

I guess the point I'm trying to make is that if I inherited a PHP project I wouldn't bother to force it to be node based unless necessary. Otherwise I'd probably start a new project with node (or python depending on the situation).

Muhammad

Agreed, this is a debate that needs a common answer because as 2 or more devs get together the first thing coming out is PHP vs Node.

 
Vico

Hello, thank you for making it clear.

as you can see here

<VirtualHost *:80>
    ProxyPreserveHost On

    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>

It only runs one service. My company is SaaS, so probably in one VPS there will be tens of different projects, and running different projects with manual port handling will take more time.

Shegun Babs

I think the comparison isn't fair enough. PHP is a programming language while Node isn't. Node is a runtime environment to run JavaScript on the backend. So any comparison between the two will be off context.
Each language has its strengths and weaknesses; that is why I hate to compare languages.
If the language isn't relevant anymore then you won't find it around.

 
Rémy 🤖

Oh well, I assumed that frameworks would make sure that req.param('name') is a valid unicode string while $_GET['name'] can be any string of bytes but maybe I'm expecting too much?

In any case, you can write stupid code in all languages. But to be specific to the $_GET issue, it's so easy to break encapsulation using it (because it's global). Same thing with $_REQUEST, what is the point of this except getting X-whatever-scripting attacks from all sides?

PHP is just next-level compared to anything else in terms of possible misuses.

kalium.xyz

Node is great for prototyping any type of application, PHP is great for templates.

You might have wrongly tagged this with #docker, though it's good advice to run your projects inside containers as there have been some trojans in NPM packages which won't be very effective when running in a container. If you use Node please make sure you know who made your dependencies and transient dependencies, you are trusting them! Also always set your dependencies to fixed versions and use package-lock.json!

Damir Franusic • Edited

I know I'm playing with fire here so please keep in mind that starting an endless discussion is not my intention.

I prefer PHP over JavaScript. They are both programming languages and choosing one over the other is a matter of personal preference. People keep mentioning Node.js but that's a runtime for JavaScript, with mod_php being the equivalent for the PHP interpreter in Apache. They are made for different purposes; Node.js apps are standalone apps which are better suited for persistent long-lasting connections for example, while PHP is meant for exec-and-exit situations like single page renderings, etc. I have even written shell scripts in PHP just because the syntax is more to my liking than bash.

You could also do long-running apps, persistent connections and numerous other insane endeavours with PHP, but maybe with a lot more effort than doing the same thing in Node.

Once again, I am not a fan of JavaScript but have used it on both client (React) and server (Next). Beginners will for sure find asynchronous Node programming much harder than PHP. I don't understand how PHP syntax is more complicated than JavaScript 🤔

PHP is constantly being updated and has come a long way, and although it's been a while since I last used it, I'm sure the security issues are much less frequent nowadays.

Maybe I'm just biased since php was my first web language, but it deserves some respect and it certainly doesn't deserve all the flame coming from javascript-only developers.

P.S.
Anyone remember Tomcat App Server? 😉

 
Muhammad

Lolx rules are rules, we didn't make 'em so we gotta follow 'em... I think what you might be embarking on is the creation of a new language above a language...

The evolution of assembly to java and beyond now

Rémy 🤖

Yes, although it's mostly a front-end issue. On the back-end if you try to access DB data in a non-async way you'll quickly realize that the data is simply not there. I've been handed large amounts of amateur JS and there were MANY issues but not really that one.

The kind of issues that PHP enables are more like "let's execute this unfiltered user input" which is way more dramatic than a randomly-bugged front-end component.

AJ

Any Go developers having a laugh here?? xD

Esteban Hernández

I find PHP's syntax to be very confusing when compared to other modern, programming languages.

CharlesNjau

How is it confusing? I just fail to understand; if you know Java and C/C++, PHP is just the same.

Esteban Hernández

Using arrows instead of periods was enough to confuse me. lol

Kosamu

I'm a 2 year old Node.js dev & a 5 year old PHP dev. I think what makes a good programming language is its ability to attract programmers & consequently make them stay.
That's Node.js for me.
Note: learning node.js from a php background is challenging @ first because it has somewhat completely new concepts but once you get the hang of it you'll realize there's a module for almost anything you want.

Rong Sen Ng

I still find setting up a PHP server not as easy and straightforward as a Node server. Is that true for most of you?

Anwar

Depends if you build it up from a bare nude OS or not. Anyway I never set up a NodeJS capable web server, only did it for PHP and it was as easy as chaining commands. Got my website up and running, set up some cron for my Laravel Queue jobs, just a breeze.

Also have the same experience with a Xampp local config (and thinking on switching to Docker containers for my next project).

Muhammad

I think it really depends on what environment you are setting up. There are many scripts now written to single install all what you need, it does come with extra but you get past the headache.

Rong Sen Ng

Cool. Thanks for the clarification.

Sony AK

with help of Docker now this should be easy

Muhammad

I agree but what can you say... It's just how it goes and how it has gone with perception

muhamad zolfaghari • Edited

NodeJS. VS Poorly Heat Pattern!
Null or defines equal VS PHP

Don Alfons Nisnoni • Edited

I agree with you... but I'm tired of pressing $ on the keyboard for variables... unless you...

And you get a lot of discussion when you try to make a post about 'node vs php'

 
Muhammad

Thanks for the response Jorge, I do recommend pm2 because if the process fails from some error it just restarts it. Hope you'd agree