PHP 7 review: PERFOMANCE AND Security
Usage statistics indicate that PHP accounts for over 80 percent of all websites, topping 240 million sites according to the Netcraft web server survey (2013). PHP 7 (2015) is the most important revolution for PHP since the release of PHP 5 in 2004. The speed of PHP 7 and security improvements alone make upgrading to PHP 7 worthwhile. In this post, we will discuss these improvements in more details.
WHAT IS PHP
- Officially, PHP is a scripting language that is especially suited for web development (server-side scripting), but experienced PHP developers can also use it for command line scripting and writing desktop applications). PHP is also an interpreter of PHP code to the operating system (like Linux or Windows) installed on the server.
- You need three things to make a PHP-based application work: the PHP parser (CGI or server module), a web server and a web browser; you need to run the web server, with a connected PHP installation. To execute PHP code on the server, one needs to install PHP package or Facebook HHVM package.
- As a part of the real-world web applications, PHP code should work in conjunction with a web server. PHP has a built-in web server but it is not recommended for use on a production hardware server. As a rule, developers use Apache web server, Nginx web server or any other servers that support FastCGI or CGI protocols.
PHP 7 review: Upgrading For Perfomance Reasons
PHP 7 is based on the PHPNG engine (or Zend Engine 3.0) that speeds up PHP applications more than the previous PHP interpreter (Zend Engine 2.0). Thanks to PHPNG, your apps see up to 2x faster performance and 50% better memory consumption than PHP 5.6, allowing you to serve more concurrent users without adding any additional hardware. This means that your server returns pages to your users twice as fast. It also means that a single server can handle twice as many requests and you could need half as many servers in order to serve the same number of customers at the same speed as they did before. It has an impact in terms of real-world dollars.
Etsy is a popular PHP-based online marketplace for handmade and vintage goods that has been in operation since 2005 (29 million items listed on its website, 54 million registered users, among them 1.4 million active sellers, and 19.8 million active buyers). Initially it was written in PHP 5, and later, was switched to HHVM (Virtual Machine for PHP). After migration to PHP 7, Etsy was significantly better from such perspectives as the memory and system/user CPU usage, homepage/listing delivery speed and number of hosting servers. Up until the end of August 2016, Tumblr has upgraded its servers and web app’s code from PHP 5 to PHP 7. As it has been reported, almost immediately Tumblr’ developers saw the latency drop by half, and the CPU load on the servers decrease by at least 50%, often more. Not only did their servers start serving pages twice as fast, they are also doing it using half the amount of CPU resources.
Tumblr is a popular PHP-based microblogging and social networking website that has been in operation since 2007 (the website has about 555 million monthly visitors and hosts over 320.5 million blogs). Up until the end of August 2016, Tumblr has upgraded its servers and web app’s code from PHP 5 to PHP 7. As it has been reported, almost immediately Tumblr’ developers saw the latency drop by half, and the CPU load on the servers decrease by at least 50%, often more. Not only did their servers start serving pages twice as fast, they are also doing it using half the amount of CPU resources.
Badoo is a popular PHP-based dating social network that operates in 180 countries since 2006 (331 million users). Initially, it was written in PHP 4, and was later switched to mainly PHP 5. Up until the start of 2016, an app server cluster at Badoo consists of a bit more than 600 servers. After migration to PHP 7, by cutting CPU usage in half, Badoo freed up around 300 servers ($100,000 a year in hosting cost savings) and got a visual performance boost at the same time (overall response time improved by about 40%)!
The Zend Performance Team ran performance benchmarks on popular PHP apps to compare PHP 5.6, PHP 7, and HHVM 3.7. For most real-world applications such as eCommerce and CMS platforms, PHP 7 offers a significant performance boost. With execution time more than twice as fast compared to PHP 5.6 and 30 percent lower memory consumption, servers running PHP 7 are able to serve up to three times as many Magento requests as those running PHP 5.6. Drupal 8 runs 72 percent faster and WordPress only executes 25M CPU instructions on a PHP 7 runtime compared to just under 100M to do the same job on older PHP versions. Zend Performance team also tested how various PHP frameworks perform under PHP 7.
PHP 7 review: Upgrading For Security Reasons
Each released branch of PHP is fully supported for two years from its initial stable release. During this period, bugs and security issues that have been reported are fixed and are released in regular point releases. After this two year period of active support, each branch is then supported for an additional year for critical security issues only. Releases during this period are made on an as-needed basis: there may be multiple point releases, or none, depending on the number of reports. Once the three years of support are complete, the branch reaches its end of life and is no longer supported.
Millions of PHP applications (up to 86 percent according to W3Techs data) are relying on unsupported versions that expose the business to a multitude of well-documented security vulnerabilities.
PHP 7 offers better security improvements compared to PHP 5, including a filtered un-serialized function and a set of functions to easily get cryptographically secure random numbers. We should keep in mind that we have to advice our clients to upgrade PHP distribution on an operational server. And, of course, new PHP-based web applications should be developed with the newest versions of PHP.
Scalar type declarations and return type declarations improve the quality of PHP-based applications and save money for customers
PHP 7 also introduced new features: scalar type declarations and return type declarations.These features makes the maintenance of large pieces of code significantly easier by multiple developers and writing more robust tests. For the owner of the large PHP-based application it means more quality with less money spent in a long-term perspective.
Specifying the data type available in PHP 7 has a number of advantages, which are the additional arguments of switching from PHP5 to PHP7.
Scalar type and return type declarations in PHP 7 makes it easier to test the application and helps to find hidden and not so evident bugs, which can cause great problems in future.
- It makes it easier for programmers in the team to understand the code the data type of the functions are specified. In the absence of explicit declaration, developers will have to follow the function to see what type of argument the function is expecting (time-consuming operations leading to the hidden costs).
- PHP standard deviation “type juggling” in PHP 5 can lead to the loss of data without any notification. For example, in a financial system, this is absolutely unacceptable (See EXAMPLE 1). Type declarations produces an error in such cases.
- Type declarations in PHP 7 removes the burden of writing functions that checks the data type of arguments before processing (time-consuming operations leading to the hidden costs).
We found it is quite useful to share thoughts of different developers about the benefits of using scalar type declaration and return type declaration, which goes with PHP7.
Uncover bugs and inconsistencies
Ondrej Mirtes: We started adding that declare(strict_types=1) to the files in our codebase on the day we deployed PHP 7 to our servers and it has already uncovered a lot of bugs and inconsistencies, most often passing different parameters than was intended to invoked functions and methods.
Control things that legacy code did not allow
Joseluis Laso: Until PHP 5.x we could only "pseudo-declare" these types using PHPdoc or comments, but those are declarations that do not have any implication at runtime. With this new form of declaration, we can write more robust applications by detecting early programming mistakes caused by passing values of the wrong types to and from functions. I want to forget the past years that I had to use my intuition to figure out what types of arguments a function expects or what I can expect as a return value. Every day I write hundreds of lines of PHP code and try to apply the best practices that I know: PSR, naming conventions, and programming principles. Years ago, I embraced Symfony as my professional development framework. Instantly, I felt fine using it because it allows me to control things that legacy code does not. For me, a developer that uses PHP on a daily basis and sees Java as a reference for OOP languages, this is great progress for PHP.
Anthony Ferrara: If you declare function foo(int $abc) and pass in a non-integer, it will raise an error. There are tons of advantages to this approach. You get type safety. This means that you can finally statically analyze code! You can detect bugs where you accidentally take a string from one function and pass it as an integer to another. With static analysis, you can be told that “Hey, it looks like you're using a string where you're expecting a number. This might not do what you expect, we suggest either changing the type from a string, or doing some validation first”.
Easy static analysis
Larry Garfield: Explicitly specifying the types in a language-parser-accessible way also opens the doors to more powerful tooling. Programs — either PHP itself or a 3rd party analysis tool — can examine the source code to find possible optimizations or bugs based on the type. We can tell just by looking at the function signatures that it’s wrong, without looking at the code inside. This means a program can figure that out, too, and warn us before we even try running it. And because a program can keep track of a lot more moving parts than we can it could scan the entire code base and find bugs caused by incompatible types in different parts of the program… all without ever executing it! This process is called “static analysis”, and it is an incredibly powerful way to evaluate programs to locate and fix errors.
The quicker you will discover problems - the faster you can develop
Mathias Beke: The more you use type declarations, the less time you will have to spend debugging your code. The most useful advantage of type checking is that you don’t need to manually check for Null values being passed to functions or returned by functions. PHP type declarations encode the pre- and post-condition you have to implement manually, otherwise. So the more typed functions you have, the quicker you will discover problems, and the faster you can develop! Especially when developing with others, you want strong preconditions, so the callee is more restricted in what he may pass to your function. Having stronger post-condition restricts what you can return, and makes it easier for the callee.