PHP needs 'use strict;'

I have heard so often that Perl is a bad language and you should never use it. Recently a college friend of mine switched to PHP, and was trying to convince me that PHP was the best thing in the world. They have all sorts of pre-built applications and libraries that make it easy to do things (sounds a little like the CPAN).

I told him about my one major roadblock with PHP. My problem is in the following code, and yes, this code actually caused me trouble; this isn't a hypothetical situation:

I was dealing with a table of customer information. I had imported some production data into the test instance, and was working away. After some time, I found that in any record I touched, the Zip code had been replaced with an empty string ''.
I checked where the assignment was happening:

$ZipCode = $_GET['ZipCode'];
(or however you get things from GET parameters, it's been so long.)

I checked the SQL update statement:
$sql  = "UPDATE customers set ZipCode = $ZipCode WHERE ...";

I checked the database:
SELECT ZipCode FROM customers WHERE ...

The code to display the page:
print "Zip code: $ZipCode\n";
... still displayed just fine.

And the code for the text field:
print "Zip code: <input type='text' maxlength='10' value='$ZIPCode' />\n";

Now if you see the problem after the first time through, then you are more fortunate than I.

For those who don't see the problem, there is a case-sensitivity issue between $ZipCode and $ZIPCode.

I spent half a day working on this problem that would have been solved in Perl with 'use strict' or VB with 'Option Explicit', or would have never happened in C or C++ or just about any compiled language.


My friend told me that this is solved by being careful and having good coding standards. I agree that it may be mitigated by good coding standards, but what will prevent me from fat-fingering the word $ZipoCode, or any of the possible permutations on that? No amount of coding standards fixes a fat-fingered spelling. This is fixed at run time with the interpreter saying 'WHOA JIMMY, WHATCHA DOIN?' If PHP had something like 'use strict' then I might very well be a very sloppy PHP programmer right now, but alas my senior developer suggested that I try re-writing what I had in a different language and see if that is better.

So, in conclusion: I do not consider a language useful or 'good' until it has something that can tell me explicitly that I am using two variables here:
$ZipCode
$ZIPCode
and not just fill one with an empty string and move on.

I am not against PHP, but I cannot recommend it as a language to solve any problem until this is solved.

As a Perl programmer, I am comfortable in the little nest that I have created, but I feel that I must not ignore all the other languages out there simply because I like my language. You probably know the phrase: "When all you have is a hammer, all your problems begin to look like nails." As such, I want to keep an open mind about learning other languages, but the lack of variable name declaration is one thing that keeps me away.
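As an added example (not code from the original post): the closest thing PHP offers to 'use strict' for this particular bug is to raise error reporting to E_ALL and turn the interpreter's "Undefined variable" notice into an exception, so the wrong-case name fails loudly instead of interpolating as ''. The $ZipCode value below is a constructed stand-in for the GET parameter so the script runs offline.

```php
<?php
// Added example, not the post's code: emulate a 'use strict' for undefined
// variables by promoting PHP's own notices/warnings to exceptions.

// Report everything, including the notice PHP raises for an unset variable.
error_reporting(E_ALL);

// Any reported error becomes an ErrorException; the script stops at the typo
// instead of carrying on with an empty string.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Constructed stand-in for $_GET['ZipCode'].
$ZipCode = '90210';

// Same bug as in the post: $ZIPCode is a different, never-assigned variable.
try {
    $field = "<input type='text' maxlength='10' value='$ZIPCode' />";
    echo $field, "\n";   // never reached; the interpolation above throws
} catch (ErrorException $e) {
    // PHP 8 reports "Undefined variable $ZIPCode"; PHP 5/7 report "Undefined variable: ZIPCode".
    echo "Caught: ", $e->getMessage(), " at line ", $e->getLine(), "\n";
}

// With the correct name the same line works as intended.
echo "Zip code: <input type='text' maxlength='10' value='$ZipCode' />\n";
```

Run it with `php example.php`. Note that `declare(strict_types=1)` is about scalar type coercion in function calls and does not catch undefined names; static analyzers such as PHPStan or Psalm flag an unassigned variable before the code ever runs, which is the closest PHP gets to a compile-time check.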

7 Comments

Well said.

I think the most interesting thing about MySQL these days is that it has a "strict mode" as well.

Which means that when people ask about errors in MySQL channels a common question is "Are you using strict?" :)

Sadly, Python and Ruby suffer from the same problem, which really blows my mind, since these languages are otherwise good languages.

While I have a million reasons not to use PHP, this one reason alone is a big reason I'd avoid Python and Ruby.

Unfortunately, $ZIPCode vs $ZipCode is not your only problem. You are using string substitution where you should be using a placeholder:

$sql = "UPDATE customers set ZipCode = $ZipCode WHERE ...";

should be

$sql = "UPDATE customers set ZipCode = ? WHERE ...";

This makes the statement generic (it can be executed many times with different zipcodes) and safer (proper quoting rules will be used). Imagine what would happen if the user puts "0; drop table customers; --" in the zipcode field. The first will drop the table, the second will issue an error saying that the type was wrong.

This brings up another thing in Perl as good as the strict pragma: taint mode. Read perldoc perlsec for information about it.
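An added example, not part of the comment above: the same UPDATE written with PDO and a bound '?' parameter, run end to end against an in-memory SQLite table constructed here. The customers table, its CustomerId column and the sample row are assumptions for the demo, not taken from the post.

```php
<?php
// Added example (not the post's or the commenter's code): a '?' placeholder
// with PDO, so the Zip code travels as data and never becomes part of the SQL.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table and row for the demo (assumed column names).
$pdo->exec("CREATE TABLE customers (CustomerId INTEGER PRIMARY KEY, ZipCode TEXT)");
$pdo->exec("INSERT INTO customers (CustomerId, ZipCode) VALUES (1, '12345')");

// The comment's suggested form: the value is bound, not interpolated.
function updateZipCode(PDO $pdo, int $customerId, string $zipCode): int
{
    $stmt = $pdo->prepare("UPDATE customers SET ZipCode = ? WHERE CustomerId = ?");
    $stmt->execute([$zipCode, $customerId]);
    return $stmt->rowCount();   // rows affected
}

function readZipCode(PDO $pdo, int $customerId): ?string
{
    $stmt = $pdo->prepare("SELECT ZipCode FROM customers WHERE CustomerId = ?");
    $stmt->execute([$customerId]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// Normal input.
updateZipCode($pdo, 1, '90210');
echo "After normal update: ", readZipCode($pdo, 1), "\n";

// The comment's hostile input. Bound as a parameter it is stored as a literal
// string in the TEXT column; no second statement runs and the table survives.
$hostile = "0; drop table customers; --";
updateZipCode($pdo, 1, $hostile);
echo "After hostile update: ", readZipCode($pdo, 1), "\n";

// Proof the table is still there.
$count = $pdo->query("SELECT COUNT(*) FROM customers")->fetchColumn();
echo "Rows in customers: ", $count, "\n";
```

Whether the hostile string is stored literally (as with SQLite's TEXT column here) or rejected with a type error (as the comment describes for a numeric column) depends on the database and column type; in both cases the statement that runs is the one the programmer wrote. Setting `PDO::ERRMODE_EXCEPTION` is what turns a rejected value into an error you actually see rather than a silent failure.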

This is a problem with any programming language - case sensitivity is just a given, and it takes some time to become careful enough to make sure things are spelt correctly. An IDE with code completion also helps.

About this Entry

This page contains a single entry by leonard published on July 31, 2009 10:15 AM.
