
PHP 7 Boasts Doubled Performance Though Security Concerns Linger

7 Dec 2015 11:12am

PHP 7, the latest version of the scripting language many developers love to hate, has been released, promising huge performance gains.

Yet the much-delayed release comes just in time to deal with a scathing report on security vulnerabilities in previous versions.

PHP 7 has been focused on performance and memory utilization. Zend Technologies, the company behind the original Zend Engine and which led the PHP Next-Gen project on which PHP 7 is based, is boasting performance improvements of between 50 percent and 200 percent on real-world apps without changing a line of code.

The work has been spurred on by advances in Facebook’s HHVM, a JIT (just-in-time) compiler that converts PHP syntax to machine code and boasts comparable, or even better, speeds in some instances.

“The big thing is performance. Most code will run twice as fast as before, with some caveats,” says PHP creator Rasmus Lerdorf, now a distinguished engineer at e-commerce site Etsy. “If you spend some time in a database, we’re not going to be able to speed you up that much. For most people, their code will be twice as fast, meaning they could turn off half the servers in their data centers, which is a really big deal, especially for larger companies using PHP. In reality, they probably won’t do that; they’ll just have more headroom to add more features.”

Despite some reports that this version took eight years, Lerdorf says that’s not so.

“We’ve had a long delay between PHP 5 and PHP 7, mostly because we had a bit of a failed tangent, trying to build PHP 6, which had a Unicode core. It was too complicated, too slow, too memory intensive. So we had to kill that off, and we had a lot of PHP 5.x releases in those years. This version, PHP 7, has taken about two years,” he said of the scripting language created more than 20 years ago.

“One of the things that prompted the changes we made in PHP 7 was we were working on a JIT and it was not giving us the performance improvement that we needed because we were just moving too much memory around. So we had to take a step back and rewrite the code and optimize the internals to make all the internals smaller and make it much more memory efficient. That step alone gave us this 2x performance increase, which was a little bit surprising, actually. It was impressive, so we figured, ‘Let’s get this out the door’ because we’re ready with it and people can make good use of it.”

The JIT will take some time, he says, but could come in version 7.1, due out next year, or in 7.2.

The phpng branch has been focused on such issues as how the language works with data structures, data types, and memory allocation. The project’s developers consulted with Intel to make better use of cache lines and modern CPU features like registers.

Andi Gutmans, who was CEO of PHP tools vendor Zend until its acquisition by Rogue Wave Software, writes in a blog post on the new release of the “heroism” of working for 18 months on a project that proved a disappointment, then spending another five months to turn it around.

“The new version made everything fly. It also eliminated major bottlenecks which gave us many new ideas we could work on and it just kept on getting faster, and faster, and faster…!” he wrote.

The new features in PHP 7 include scalar and return type declarations, as well as the null coalescing operator ?? and the spaceship operator <=> for comparing two expressions, both of which require less code to perform specific evaluations.

It also brings:

  • Consistent 64-bit support
  • Many fatal errors are now exceptions
  • Removal of old and unsupported SAPIs and extensions

There are plenty of lovers and haters of PHP on Hacker News, but also talk of the amount of support required for clients using older versions. This could pose a problem for them.

“Basically, we’ve dropped a lot of stuff that was available in PHP 4, so if your code is about 15 years old and you haven’t touched it since then, chances are it won’t run on PHP 7 unmodified,” Lerdorf said. “If you’re writing your code in the past 10 years, like on PHP 5, there will be almost no changes. Anything written in the past 10 years should run unmodified.”

Security criticism

PHP remains widely used; it ranked No. 6 on the TIOBE Index of the most popular programming languages in November. By some estimates, it’s the basis of 80 percent of websites, powering some of the most popular applications including WordPress, Drupal, Magento and more.

While PHP is not alone in taking harsh criticism in Veracode’s new State of Software Security report, previous versions take a pummeling.

Using cloud-based scans and code analysis of more than 50,000 applications in the past 18 months, the report found that 86 percent of applications written in PHP contained at least one cross-site scripting (XSS) vulnerability and 56 percent came with at least one SQL injection bug.

And four out of five apps written in PHP, Classic ASP, and ColdFusion failed at least one of the OWASP (Open Web Application Security Project) Top 10 benchmarks. Of the range of programming languages studied, .NET and Java fared the best.

Chris Wysopal, founder and CTO of Veracode, told Dark Reading: “When I see a breach, one of the things that sticks out in my head is ‘I’ll bet that was a PHP site.'”

Lerdorf said PHP 7 offers security improvements, including a filtered unserialize() function and a simple set of functions for obtaining cryptographically secure random numbers.
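As an added example (not code from the article or from the PHP project), here is how the two security additions Lerdorf mentions are used in practice, written with the PHP 7 scalar and return type declarations from the feature list above. The Preference class, the sample payloads and the function names are constructed for illustration; it assumes PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not from the article: PHP 7's filtered unserialize()
// and its CSPRNG functions random_bytes()/random_int(). Assumes PHP >= 7.0.

final class Preference
{
    /** @var string */
    public $theme = 'light';
}

// Deserialise untrusted input without letting it instantiate arbitrary
// classes: anything not in the allow-list comes back as
// __PHP_Incomplete_Class instead of a live object.
function loadPreference(string $untrusted): Preference
{
    $value = unserialize($untrusted, ['allowed_classes' => [Preference::class]]);
    if (!$value instanceof Preference) {
        // Covers false (malformed data), scalars and __PHP_Incomplete_Class.
        return new Preference();
    }
    return $value;
}

// random_bytes() draws from the OS CSPRNG and throws if none is available,
// unlike the predictable rand()/mt_rand() of earlier versions.
function newSessionToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// random_int() returns an unbiased integer in a closed range; here it
// builds a fixed-width one-time code.
function newOneTimeCode(int $digits = 6): string
{
    $max = (10 ** $digits) - 1;
    return str_pad((string) random_int(0, $max), $digits, '0', STR_PAD_LEFT);
}

// Constructed sample inputs: a legitimate payload and one naming a class
// that is not on the allow-list.
$p = new Preference();
$p->theme = 'dark';
$good = serialize($p);
$bad  = 'O:14:"SomeOtherClass":0:{}';

echo loadPreference($good)->theme, PHP_EOL;   // dark
echo loadPreference($bad)->theme, PHP_EOL;    // light: refused, default returned
echo newSessionToken(), PHP_EOL;
echo newOneTimeCode(), PHP_EOL;
```

Passing the allow-list is what makes unserialize() safe for data that crosses a trust boundary; calling it without the second argument behaves as it did in PHP 5.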

“Everything a developer needs to write safe code is available in PHP,” he says. “One of the great things about PHP is its shallow learning curve and broad appeal — it’s widely accessible, which also means people who may not have the strongest science or security backgrounds are writing and deploying potentially unsafe code. But it’s this freedom that’s led to some of the most interesting things, including Etsy (which uses PHP). If only hardened developers were able to create dynamic websites, the web as a whole would be a terribly boring place!”

However, a major PHP user, the popular blogging site WordPress.com, recently unveiled a new interface, a project code-named Calypso, that replaces PHP with JavaScript, using Node.js on the back end. It also plans to use the technology for its Mac desktop and mobile apps.

In a blog post describing the 20-month project, Matt Mullenweg, founder of Automattic, the company behind WordPress.com, says, “We realized that the tech wasn’t going to take us to the next decade.”

And Zend Technologies was recently bought out by Rogue Wave Software, which has brought a mixed bag of opinions about what that might mean for PHP.

Feature Image: Graffiti sticker, sign post, Brooklyn.
