> ...in 20 years, I've never encountered a situation in which I needed something PHP does that something else didn't.
Fine, but just a few paragraphs later you actually describe what PHP does that other things don't: allows less experienced/skilled programmers to get something to work quickly and deploy it easily. That actually has tremendous value to a lot of businesses.
> ...mopping up some hacked or otherwise messed up doo-dad or other, because the person who put it there couldn't.
Maybe the person who put it there just ranks way below you in terms of skill. Or maybe they had budget and time constraints and an anxious customer in a hurry to get something working on a $10/month shared hosting setup.
> I feel injured by this. I feel robbed.
With all respect, grow up. If you take code this personally -- especially someone else's code -- you show an immature and elitist attitude toward your profession.
> This kind of expertise arbitrage, where the skill level you need to set something up initially is nowhere near the skill level you need to fix it when it breaks, is pervasive in the software industry...
Yes, the entire profession of programming rests on what you call expertise arbitrage. It may derive from the difference between my expertise and my client's, or my expertise and the previous developer. We make money from the arbitrage. If you don't like that kind of work don't take on those jobs.
> If an attacker can smuggle a PHP file onto your document root, then they can execute it. If they can do that, then they own you. This attack vector cannot be eliminated. If you use PHP, you will always be fighting it. Forever.
If someone can smuggle a file into your document root or anywhere else on your server, you have a problem no matter what language. You can mitigate this risk easily with well-understood practices for PHP and server configuration. I have worked mostly with PHP for almost 20 years and have actually never seen this happen, though I have found sites that could allow it (and I fixed the problem easily). No one is constantly fighting this problem forever.
> Once again, this situation is not unique to PHP, it's just that PHP is where you're most likely to see it. This issue also isn't strictly about document roots, but more about the level of control over what code gets executed. It's the difference between a default-deny policy and default-allow.
People who work with web apps see more problems with PHP because PHP dominates the web application space by a very wide margin. The last time I saw a web app with huge security holes (200 failures in an automated security audit) it was Ruby/Rails, not PHP.
> PHP web apps can be made to run outside the document root just like anything else, and indeed this is how modern MVC frameworks operate. Sure they can, but then you obviate the point of using it. If you aren't going to be plunking files into your document root for immediate execution, you may as well use some other stack.
Sure. You miss an even more important reason for choosing PHP: the relatively mature library/frameworks available, and the huge number of PHP programmers relative to other web-ready languages. If I sell my client on a Haskell or Smalltalk solution because I hate PHP, I may have done my client a serious disservice because they will have a harder time finding someone capable of working on that. Or maybe you mean Java or Node.js or .Net, all of which have their own security and deployment issues.
> What kind of jobs though? Mopping-up jobs, of course. Moreover, on the other side of that job is an employer, who is more than happy to take advantage of all this competition. If you aren't working at Facebook, the Wikimedia Foundation, Automattic or Acquia, it's probably worth asking yourself, dear PHP developer, if you are being played.
Nope. First, 90% of programming amounts to what you call "mopping up" and what the rest of us call maintenance and enhancement. Limiting yourself to green-fields projects in your preferred language won't lead to employment for most programmers. And you misunderstand how competition for jobs works -- PHP developers can and do make just as much as people working with other stacks.
> Expertise arbitrage, though, irrespective of its substrate, is very real and very much a liability. This to me makes one's choice of stack more than just a matter of taste: it's an object of organizational design.
What does that even mean?
> And if that isn't good enough, I can tell you from experience that banning PHP will eliminate aeons of monotonous tweezing out of Russian dick-pill spam.
No, it won't. Banning open email relays would help with that particular problem, but that has nothing to do with PHP. Programmers will always vary greatly in skill level and we will always have a lot of low-quality software running in production. Get over yourself.
