Is using older versions of PHP really bad?

I frequently read about PHP Frameworks and noticed how they are slagged for not using the latest PHP Version.

Surely coding can be modified in older versions to prevent any problems or just not use any deprecated features?

This also applies to using php_mysql() instead of the latest database extensions.

My understanding is that PHP is an interpreted server side scripting language that renders HTML to a browser. Therefore all user input can be sanitized to prevent any security breaches.

True, but there are buffer overflows or issues with PHP in and of itself. That is more than enough reason to keep upgrading.

It is true that most of those vulnerabilities may require access to the server over SSH, but some might not.

For sure.

To pick one that’s regularly beaten down upon, it’s possible for a developer to write PHP5.5+ compliant code in CodeIgniter as long as their server environment supports it.

That’s the crux though - how do you get widespread adoption of the new PHP versions?

Hosting companies take the lead and say “Hey there customers - we’re only going to run PHP 5.6 from next month. Sorry about breaking your web sites but I’m sure you can fix them in time”?

Very very unlikely.

Developers could insist on their hosts providing it?

Quite unlikely - some would, but not near enough to significantly reduce the substandard PHP server population.

Popular open source products such as frameworks and CMSes draw a line in the sand and say “Hey you guys, our next version will be PHP5.5+ only. You’ll only get bug and security fixes for the old versions for another month or two. If you want to upgrade, you’ll probably also have to upgrade your hosting”.

Also quite unlikely without a proper evangelist on the OSS project. Breaking backwards compatibility means potentially losing a very significant portion of your current user base.

So the long and the short of it is that the frameworks and CMSes that continue to support versions of PHP that are no longer actively supported (i.e. no bugs fixed, no vulnerabilities patched) continue to exert something of a drag on our progress as a community of programmers.

Plus those of us that were around in the bad old days of PHP3 and 4 (like me!) are probably really very keen to distance ourselves from that pretend plaything of a programming language.

It’s not just about having the latest and greatest to play with (although that’s a big part of the attraction! :wink: ), it’s also about leaving the bad stuff behind.

Case in point - if CodeIgniter’s minimum version was at least PHP5.3.7, it would mean that all CI developers would have the ability to follow industry best practice in the treatment of passwords through Anthony Ferrara’s password compatibility library (if not able to use the password_hash function in PHP5.5+ directly).

As a community (generalising massively here!!) we kinda want both the hosting companies and the open source projects to pull themselves up in sync. Not easily achieved. So we think ragging on the open source guys to up their game will have a trickle down effect on the hosting companies…

Imagine what would happen if Wordpress suddenly declared that their minimum version was to be PHP5.5+

“Hello hosting co. Do you have PHP5.5?”
“Errr, no sorry”
“Rats, I’ll have to take my business elsewhere then…”

Millions of servers would get upgraded in super quick time. :smile:

I tend to think of things like CodeIgniter as being like water wings. Fine when you’re starting out as they’ll keep you from drowning. Once you become a more competent swimmer though, they hold you back.
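The password handling the post above points to (Anthony Ferrara's password_compat library on PHP 5.3.7+, or the native password_hash() on 5.5+), shown as an added example that is not code from the thread or from CodeIgniter; it assumes the polyfill is installed through Composer under vendor/autoload.php, and the bcrypt cost of 12 is a chosen setting, not something the thread specifies.

```php
<?php
// Added example: bcrypt password storage that works on PHP 5.3.7 and newer.
// On PHP >= 5.5 password_hash()/password_verify() are built in; on 5.3.7-5.4
// the ircmaxell/password-compat polyfill defines the same functions.
// Assumption: the polyfill is installed via Composer (vendor/autoload.php).
if (!function_exists('password_hash')) {
    if (version_compare(PHP_VERSION, '5.3.7', '<')) {
        // crypt() before 5.3.7 lacks the fixed $2y$ bcrypt prefix, which is
        // why the polyfill (and the post above) draws the line at 5.3.7.
        throw new RuntimeException('PHP 5.3.7 or newer is required for bcrypt.');
    }
    require_once __DIR__ . '/vendor/autoload.php';
}

// Work factor: raise it as hardware gets faster. Chosen value, not from the thread.
define('PASSWORD_COST', 12);

// Hash a new or changed password. The salt is generated per call, so two users
// with the same password get different hashes (unlike unsalted md5/sha1).
function store_password($password) {
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => PASSWORD_COST));
}

// Verify at login in constant time and, if the stored hash was made with an
// older cost, hand back a fresh hash so the caller can update the record.
function check_password($password, $stored, &$newHash = null) {
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => PASSWORD_COST))) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, array('cost' => PASSWORD_COST));
    }
    return true;
}

// Demonstration with a constructed password (long-form array() keeps 5.3 syntax).
$hash = store_password('correct horse battery staple');
var_dump(strpos($hash, '$2y$12$') === 0);
var_dump(check_password('correct horse battery staple', $hash));
var_dump(check_password('wrong password', $hash));
```

Store the full hash string (60 characters for bcrypt) rather than a fixed 32-character column sized for md5, and when check_password() sets $newHash, write it back to the user's row.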
