Recki-CT – A compiler for PHP, written in PHP (opens in new tab)

(github.com)

20 pointsarmenb11y ago14 comments

14 comments

This looks awesome. PHP doesn't get a lot of love but it is really improving a lot and obviously still dominates the web... Glad the turkish bug is finally done with.

Would be really nice to see security augmentations to the language. The vast majority (maybe 9/10) sites I look at where no framework was used, the site is missing have no CSRF tokens, very poor XSS protections, and RCEs are pretty common too. I think this would really improve the language.

krapp11y ago

I find it odd that a language whose entire purpose is mixing code in with html doesn't come with the ability to automatically escape any echoed string by default. If you're not using something like Twig you have to wrap each variable in htmlspecialchars or something.

The argument that 'PHP is a framework' may be valid, but as a framework, raw PHP kind of sucks.

goykasi11y ago

PHP is simply a scripting language. It has numerous other uses besides just "mixing code in with html"; it wouldn't make sense to have something like enabled by default. For example, all console scripts would need to disable it.

1 more reply

frozenport11y ago

There is something to be said about security by obscurity. I don't want to see any security implementation because is means shared vulnerabilit.

steakejjs11y ago

What? I don't understand what you mean. PHP is not any more insecure than other languages. Some extremely secure sites run PHP....so security augmentations would not be obscurity.

An example would be built in CSRF protections through something like a form builder

1 more reply

devNoise11y ago

Does anyone have an idea for some of Recki-CT's use cases? I get that compiled PHP will be faster. This seems useful for PHP scripts you would run from the command line. Using the resulting binary as a CGI with Apache would incur the fork/exec cost that the PHP module avoided.

maxerickson11y ago

Some explanation here:

http://blog.ircmaxell.com/2014/08/introducing-recki-ct.html

(it's vaguely redundant with the readme, but there is some additional stuff)

bastawhiz11y ago

There are plenty of extremely large PHP applications that would certainly benefit from compilation. Before HHVM, Facebook compiled all of their PHP to C++, which was distributed as a giant binary.

dang11y ago

A dupe of https://news.ycombinator.com/item?id=8244014.

mappu11y ago

>This means that global variables, dynamic variables (variable-variables, variable function calls, etc) and references are not allowed.

Globals, sure, bad practice. Ideally we wouldn't have any. Dynamic variables make sense to exclude, it turns static analysis into the halting problem. Luckily they're a bad practice too since 5.3 introduced closures.

But references?

EDIT: It's by Anthony Ferrara! and some other pretty big names in the PHP community

j / k navigate · click thread line to collapse

14 comments

steakejjs11y ago

This looks awesome. PHP doesn't get a lot of love but it is really improving a lot and obviously still dominates the web... Glad the turkish bug is finally done with.

krapp11y ago

The argument that 'PHP is a framework' may be valid, but as a framework, raw PHP kind of sucks.

goykasi11y ago

1 more reply

frozenport11y ago

There is something to be said about security by obscurity. I don't want to see any security implementation because is means shared vulnerabilit.

steakejjs11y ago

What? I don't understand what you mean. PHP is not any more insecure than other languages. Some extremely secure sites run PHP....so security augmentations would not be obscurity.

An example would be built in CSRF protections through something like a form builder

1 more reply

devNoise11y ago

maxerickson11y ago

Some explanation here:

http://blog.ircmaxell.com/2014/08/introducing-recki-ct.html

(it's vaguely redundant with the readme, but there is some additional stuff)

bastawhiz11y ago

There are plenty of extremely large PHP applications that would certainly benefit from compilation. Before HHVM, Facebook compiled all of their PHP to C++, which was distributed as a giant binary.

dang11y ago

A dupe of https://news.ycombinator.com/item?id=8244014.

mappu11y ago

>This means that global variables, dynamic variables (variable-variables, variable function calls, etc) and references are not allowed.

But references?

EDIT: It's by Anthony Ferrara! and some other pretty big names in the PHP community

j / k navigate · click thread line to collapse